Cybersecurity and digital resilience in financial services: final rules approved by EU lawmakers

On 10 November 2022, the European Parliament approved two pieces of legislation that will define the new framework for digital resilience and cybersecurity in EU financial services and more broadly. At a time when digital finance, data and technologies such as cloud computing present huge opportunities for financial services and fintech, the “NIS2 Directive” (a horizontal cybersecurity framework) and the “DORA” ( a vertical resilience regime for financial services) will have far-reaching implications for technology providers and users in the EU.

This briefing provides a quick introduction to the new legislation, the timeline for implementation and the businesses that will be affected.

DORA: digital resilience requirements for EU financial services firms and their ICT service providers (critical)

The “Digital Operational Resilience Act”, known as “DORA”, is a new EU regulation for a common set of rules and standards to mitigate ICT-related risks in the financial services sector (FS) of the EU, harmonizing the existing fragmented rules and raising the bar for ICT risk management. Originally proposed in September 2020, DORA will have significant implications for EU financial services firms and their ICT suppliers (see our previous briefings here). Key points to know:

  • Wide scope of application. A wide range of EU “financial entities” are affected, including credit institutions, payment institutions, account information service providers (AISPs), electronic money institutions, investment companies, crypto-asset service providers and issuers of asset-referenced tokens, certain financial market infrastructure (MFI) providers, AIF managers, certain insurance companies and intermediaries and others companies subject to EU financial services legislation. There are a few exceptions and exclusions, including for small and medium-sized businesses.
  • Many requirements imposed on companies. Relevant financial entities will be required to address cybersecurity vulnerabilities, including by implementing ICT risk management frameworks, procedures for identifying, classifying and reporting certain ICT incidents, and enhanced testing (including advanced threat-focused penetration testing for certain entities). DORA also focuses on internal governance arrangements. See our previous briefing, here.
  • Third Party ICT Risk. Third party ICT risk management is an important part of DORA, building on many of the requirements of existing guidelines such as the EBA Guidelines on outsourcing and placing these requirements on a legislative basis, including including the contractual conditions.
  • “Critical” ICT providers. For ICT providers in the EU FS sector (including providers of software, data analytics and cloud computing services), DORA could be even more important. In addition to addressing the increasing demands of their FS customers to enable compliance with DORA (such as contractual conditions, testing and incident reporting), DORA empowers EU FS authorities to designate certain ICT service providers as “critical third-party ICT providers”. These companies would then be directly supervised by EU SF authorities for the first time, with significant implications in terms of oversight and possible enforcement action. See our separate briefing here.

NIS2: a revised horizontal cybersecurity regime

Cybersecurity concerns are not limited to the FS sector. Faced with the increase in cyber threats and sophisticated cyber attacks, the NIS2 Directive updates the existing Directive (EU) 2016/1148 on network and information security (NIS) in order to define stricter cybersecurity obligations for cyber risk management, incident reporting and information sharing across a wider range of sectors. Key points to know:

  • Stricter requirements: NIS2 requirements are stricter than under the 2016 regime and include areas such as incident response, supply chain security, encryption, vulnerability management, and enforcement appropriate technical, operational and organizational measures.
  • Wider application: NIS2 will apply to a wider range of entities, capturing some “core” entities (in energy, transport banks and MFIs, healthcare, drinking water, wastewater, l digital infrastructure, management of B2B ICT services, public administration and space under Annex I), and “important” entities in other critical sectors (including postal services, chemicals, waste, food, certain manufacturing industries, research and other digital providers, including marketplaces and social media platforms referred to in Annex II). The “essential” and “significant” entities that fall within the scope are determined by the relevant thresholds, with less discretion left to individual member states than under the original NIS regime.
  • Interaction with DORA: Financial entities that fall under DORA will also not need to comply with NIS2 cybersecurity requirements. However, some critical third-party ICT vendors under DORA (e.g. cloud computing vendors designated under DORA) could be subject to both DORA and NIS2, although legislators have sought to minimize the impact of inconsistencies and duplicates between the two regimes.
  • Supervisory Jurisdiction: Entities within scope will generally fall under the jurisdiction of the Member State in which they are established and will therefore need to know how the NIS2 Directive is implemented in that jurisdiction(s). Given the cross-border nature of some digital infrastructure providers (including cloud computing providers, managed service providers and providers of online marketplaces, search engines and social media platforms) , jurisdiction will be determined by the location of their “main establishment”, normally where decisions on cybersecurity risk management measures are “primarily” made. In some cases, providers that are not established in the EU but provide services there may need to appoint a local representative (see our separate briefing here).
  • Collaboration and standardization: The NIS2 directive also includes mechanisms to foster greater collaboration and standardization around cybersecurity in the EU, including cooperation between authorities, the use of technical standards and specifications, certification and registries for certain service providers (including cloud computing, data centers, and content delivery network providers).

For more information on the scope and application of NIS2, see our separate briefing here.

Implementation schedule

DORA and NIS2 are now awaiting EU Council approval before going through the formal adoption process. DORA and NIS2 will enter into force after their publication in the Official Journal of the EU, after which the implementation deadlines are as follows:

  • DORA Regulation: 24-month implementation period for financial entities and for the regime relating to third-party providers of critical services.
  • NIS2 Directive: Member States will have 21 months to adopt and publish the relevant implementing measures, by which time the new rules will become binding on businesses.

However, affected organizations should not wait until then to implement operational requirements and changes. Under DORA, for example, many requirements such as Threat Driven Penetration Testing (TLPT) will require significant resources to build on existing capabilities, and other aspects such as governance arrangements will take time to develop. integrate into companies and groups. Organizations that are slow to prepare could struggle to achieve compliance in time, while missing out on the increased security and resiliency benefits in the meantime.

Note that DORA and the NIS2 directive require additional legislation to be passed to flesh out many details of how the requirements apply.

Supply chain security and indirect impact on service providers

DORA and NIS2 aim to increase the resilience and cybersecurity of the entire supply chain and include specific requirements regarding supply chains and outsourcing. Therefore, even companies that are not directly affected by DORA or NIS2 could indirectly feel the impact, as affected customers request relevant contractual terms or security compliance requirements.

Managed technology and service providers that are ahead of requirements could therefore gain a competitive advantage over their competitors, reducing friction for their customers who must comply.

Perspectives: Regulating “resilience”

Where historically organizations’ digital endeavors have primarily focused on data protection compliance, the regulation of ‘resilience’ is likely to play an important role in the future. For example, more broadly, the European Commission has also published its proposed Cyber ​​Resilience Act, which would introduce cybersecurity requirements for a wide range of products containing digital elements (see our briefing here).

We will follow these developments closely to help our customers prepare their businesses for the changes ahead.


Add Comment