The EU implements new requirements for the operational security of digital systems, for protection against cyber-attacks and critical infrastructure, and for greater transparency in the event of threats. Starting in 2024/2025, new minimum requirements for risk management, for reporting serious incidents, for outsourcing, and for exchange of information on cyber threats and vulnerabilities will gradually be phased in.
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. It will go into effect from 17 January 2025. The associated implementing directive 2022/2557/EU already applies as of 18 October 2024, following adoption by EU member states into local law.
The DORA addresses the financial and insurance industry, asset managers, and certain service providers, such as rating agencies, administrators of critical benchmarks as well as securitization repositories. Crypto-asset service providers, issuers of asset-referenced crypto-assets, and information and communication technology (ICT) service providers working for financial entities are also within scope of the DORA.
In order to achieve a high common level of digital operational resilience, the DORA sets forth requirements for financial entities in the following areas:
- ICT risk management, covering a sound, comprehensive and well-documented ICT risk management framework, appropriate and reliable ICT systems, protocols and tools, means for identifying ICT risks, protection and prevention as well as a response and recovery framework.
- Reporting of major ICT-related incidents, major operational or security payment-related incidents, and notifying, on a voluntary basis, significant cyber threats.
- Digital operational resilience testing, incl. vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and threat-led penetration testing.
- Information and intelligence sharing in relation to cyber threats and vulnerabilities.
- Measures for the sound management of ICT third-party risk for ICT services, in particular (sub-)outsourcing risks. ICT services are digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, excluding traditional analogue telephone services.
Exemptions apply inter alia for small and non-interconnected investment firms as well as microenterprises.
The DORA requires the management body of a financial entity to take an active role in steering the ICT risk management framework, establishing an overarching principle of management involvement and the need to assign clear roles and responsibilities for all ICT-related functions.
Financial entities shall manage ICT third-party risk as an integral component within their ICT risk management framework. Key principles apply and key provisions need to be embedded in contractual agreements for ICT services. Those provisions cover a clear and complete description of all functions and ICT services, locations where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, clear notice periods and reporting obligations, as well as a full-service level description, including precise quantitative and qualitative performance targets, and exit scenarios.
The DORA also establishes an oversight framework for critical ICT third party service providers. Those service providers shall have in place comprehensive, sound and effective rules, procedures, mechanisms as well as arrangements to manage the ICT risk which it may pose to financial entities.
The European Supervisory Authorities (ESA) shall designate the ICT third-party service providers that are critical for financial entities. Financial entities providing ICT services only to other financial entities or ICT intra-group service providers may e.g. not be qualified critical.
Financial entities shall only make use of the services of an ICT third-party service provider established in a third country which has been designated as critical, if the latter has established a subsidiary in the Union within 12 months following designation as critical. When oversight objectives cannot be attained by means of interacting with such subsidiary, measures may also be taken on any premises located in a third-country which is owned, or used in any way, for the purposes of providing services to EU financial entities.
Directive (EU) 2022/2555 lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market (NIS 2). Measures shall apply from 18 October 2024, following adoption by EU member states into local laws. The directive repeals the prior NIS directive 2016/1148/EU dated 18 October 2018.
This directive requires member states to adopt national cybersecurity strategies and to e.g. designate or establish competent authorities. Essential and important entities are required to establish cybersecurity risk-management measures, and comply with reporting obligations. The provisions partially apply to third party service providers.
As a sector-specific legal act, the DORA prevails over the NIS 2 directive.
Directive (EU) 2022/2557 addresses the resilience of critical facilities (CER Directive). Measures shall apply from 18 October 2024, following adoption by EU member states into local laws.
The directive is intended to strengthen the (physical) resilience of critical infrastructures against threats such as natural hazards, terrorist attacks, or a pandemic.
It lays down obligations for critical entities aimed at enhancing their resilience and ability to provide services, establishes rules on the supervision of critical entities, and common procedures for cooperation and reporting on the application of this directive. Critical entities need to carry out a risk assessment to assess all relevant risks that could disrupt the provision of their essential services. Certain employees are subject to background checks. Rules on incident reporting apply.
The CER Directive applies to entities within the scope of the DORA or the NIS 2 directive to a limited extent.