The European DORA Directive, which is binding for the Czech Republic and all other Member States, aims to protect banks, other financial institutions and the accounts of millions of people. The EU is responding to the growing number of cyber-attacks. It therefore sets clear rules for financial institutions on how they should protect themselves from digital risks and what they should do if they are actually hit by an attack. The change will be particularly significant for supply chains and for smaller financial institutions, which until now have not had to deal with this issue much. What, specifically, will the European Directive bring?
Financial institutions have a relatively short time to comply with the regulatory requirements. The clock started on 16 January 2023, when the Digital Operational Resilience Act (DORA) came into force, and the compliance period lasts two years.
The directive stipulates that all companies associated with the financial sector must be able to secure their information and communications systems against potential breaches and threats and respond immediately in the event of a problem. These strict standards will have to be respected not only by banks and other financial institutions, but also by third parties providing critical ICT-related services to the sector, such as cloud service providers. The directive will therefore affect up to thousands of companies.
The Directive aims to prevent cyber-attacks from compromising the digital protection of financial institutions or to reduce the impact of successful breach attempts. The Directive responds to the growing risks posed by the increased interconnectedness of the financial sector and the rise of digitalisation, while also aiming to unify the current relatively fragmented control system.
Smaller financial institutions in particular may have the greatest difficulty in preparing
Major banking institutions are already subject to oversight by supervisory authorities, so the new regulation will not be a major change for them. By contrast, smaller institutions in the financial sector will generally face a demanding preparation process. Mandatory protection against attackers on this scale will be new to most of them, and they will have little time to comply with the regulation. At the same time, they can expect the scale of the required measures to be directly proportional to their size and to the range of financial services they provide.
All the institutions concerned will have to carry out a number of specified tasks on an ongoing basis. It is not only the technical side of security that is at stake: unlike some previous regulations, DORA also covers the operational side.
Resilience testing, risk detection and information sharing on threats and incidents will be essential
Specifically, under DORA, individual institutions will need to put in place appropriate risk management, meaning that they identify vulnerabilities and assess all relevant risks associated with their digital operating systems and the interdependencies between them. Risk should be assessed on an ongoing basis and reviewed and updated regularly. Alongside their risk mitigation efforts, institutions should continuously assess the status of risk in a transparent manner.
In the event of a cyber-attack, institutions should have a robust incident management and response plan, including a pre-agreed communication scheme for the relevant stakeholders and tools to mitigate the impact of the incident. The primary focus should be on data protection and business continuity. The entire supply chain must also be integrated into the process, something DORA places considerably more emphasis on than previous regulations did.
The second key task for financial institutions is to report incidents promptly to the relevant government authorities. The information should include the duration of the incident, an overview of all organisations involved and the geographical scope of the incident, especially if it took place in more than two Member States. Institutions should also indicate whether the attack caused data loss or integrity breaches, and how many transactions, or what value, was affected. They should further state whether the incident has caused reputational damage, and estimate its economic impact in direct and indirect costs and losses.
Further, DORA directs affected regulated entities to conduct regular resilience testing of their IT systems and processes to ensure their effectiveness and identify potential problems. Implementing effective security controls can be a challenge for organisations as they need to ensure that they are appropriate for the size, complexity and risk profile of their digital infrastructure and services. In addition, organisations must ensure that all security controls are regularly monitored and tested.
In addition, DORA provides for mutual cooperation and information sharing. It mandates that financial institutions share information with other financial institutions and with regulators in other countries, which can pose challenges in terms of data protection, confidentiality and regulatory requirements.
At the same time, some of the routine testing, data collection and data processing associated with reporting can be expected to be performed with minimal human involvement in the near future, handed over to machine learning and artificial intelligence, not least because firms will not have enough staff to evaluate the growing volume of data.
There will be a shortage of cybersecurity experts
A shortage of experts can also be expected on both sides: among those who will actually implement the regulation beforehand, and among the inspectors who will audit the processes put in place. Indeed, companies are already experiencing a shortage of experts.
For smaller firms in particular, it seems unrealistic that they could assemble a permanent, fully staffed team of cybersecurity experts. Greater involvement of external partners can therefore be expected, or some form of shared service providing certain components of cybersecurity.
At the same time, demand for cybersecurity experts will increase not only because of the upcoming DORA regulation, but also because of other cybersecurity-related directives such as NIS2.
The draft NIS2 directive is also the basis for the emerging Cybersecurity Act, which Czech legislation tentatively envisages will take effect in the second half of 2024 and will affect thousands of Czech companies. However, unlike DORA, it will apply to selected key entities across industries, while DORA will apply specifically to the financial sector. In the event of a conflict in the financial sector as to which directive to follow, DORA as a more specific regulation will always take precedence over NIS2.
Those who violate the regulation will face sanctions
The competent state authority may impose administrative sanctions and corrective measures for any violation of the DORA regulation, but the amount of the fines for financial institutions has not yet been determined. Critical information and communication service providers, however, can be fined by the authorities up to 1% of their average daily worldwide turnover for the previous financial year, charged on a daily basis for a maximum of six months until compliance is achieved.
Both financial institutions and their suppliers should start preparing for the regulation now. The period they have to comply with the legal requirements is really not very long.