Source: European Parliament
Undersea communication cables operated by public telecommunication service providers, as the ones in question transporting financial sector data would be subject to cybersecurity measures under the directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)[1], which includes also their protection from physical threats.
The Commission is closely following the recent incidents affecting submarine cables. It is reflecting on possible measures to improve security and resilience of this critical infrastructure, in cooperation with Member States, in addition to the recent Recommendation (EU) 2024/779[2] on the topic.
The Commission is not aware of disruptions of a systemic nature in the provision of financial services as a result of the recent incidents affecting the submarine cables.
In addition to the NIS2 Directive, the Digital Operational Resilience Act (DORA)[3], referred to by the Honourable Member, is also relevant for enhancing the financial sector’s resilience against such kind of incidents.
Under DORA, EU regulated financial entities are required to put in place contingency measures and plans (e.g. business continuity, etc.) to counter such incidents affecting their systems and networks, as well as to perform third-party risk assessments on the providers of information and communication technology (ICT)-services, including of communication and data transmission solutions.
- [1] OJ L 333, 27.12.2022, p. 80-152, http://data.europa.eu/eli/dir/2022/2555/oj
- [2] C/2024/1181, OJ L, 2024/779, 8.3.2024.
- [3] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, OJ L 333, 27.12.2022, p. 1-79.