News

On 24th September, the European Commission published the draft Digital Operational Resilience Act (DORA) Regulations for the financial sector. This is an imminent standard that represents a before and after in the regulation of cyber security in the European Union. DORA represents a deepening of a path already started with the NIS Directive. It also represents compliance with one of the commitments made by the new European Commission and set out in the European Digital Strategy contained in the Communication Shaping Europe's Digital Future and the Next Generation Plan, as well as the Digital Finance Package.

It will involve the establishment of a single European framework of obligations, principles and requirements in the field of cybersecurity for one of the sectors considered strategic: the financial sector. It should also be stressed that DORA is the first step, as the Commission itself has included in its most recent documents the intention to extend the regulatory schemes included in this draft to the other strategic sectors, energy, water, transport and others.  

Among the most noteworthy developments are: a new risk-based approach to action; the attribution of direct responsibility in this area to the board of directors in relation to the establishment and compliance with appropriate strategies, policies and protocols; the new responsibilities of the CISO; the policies for identifying and classifying information; the obligatory nature of business continuity plans in the event of cyber-attacks; or the corresponding communication strategies. 

In this respect, it is important to highlight the depth and intensity of the new regulatory framework included by DORA, which goes far beyond what the EU has attempted up to now, establishing a wide variety of new regulatory compliance obligations around cybersecurity by means of regulations with direct effect. This entails the need to address internal change processes in the financial sector that establish complex models of cybersecurity governance based on the concept of defence in depth. Cybersecurity policy must focus on three fundamental parameters: technology, people and processes. In this sense, the draft standard, as published, imitates the approach in the General Data Protection Regulation and establishes as a priority a solid governance of cybersecurity as an aspect that must be an integral part of the organisation.

Another major innovation, which introduces new obligations, is that relating to the contracts of financial institutions with third party providers. DORA establishes a complete and exhaustive descriptive framework of these contractual relations, the purpose of which is precisely to empower financial institutions regarding the technology companies that provide them with services.

Supplier control is a fundamental aspect at DORA. Choosing a supplier outside the EU regulatory scope - if a supplier that does not comply with the Community agreement can be considered at risk -, in sectoral financial aspects, cyber security and by pure automatic extension of data protection, is a chosen risk and therefore the responsibility for the choice of the supplier and the dynamic monitoring of the risk itself lies with the financial institutions. There is therefore a convergence between regulations aimed at regulatory compliance and data security (whether personal or not). This trend of full connection with the General Regulation on Data Protection is reinforced if we consider the drafts of the forthcoming regulations to be approved (NIS 2), which also reinforce the sanctions (up to 2% of the global turnover of the potential offender).

Finally, the internal manager organically chosen to respond to the above is the CISO of the financial organisation. If the DPO was expected to have mastered the national and community regulations and was required to have knowledge of risk analysis, process consultancy, business and information security, the CISO is placed in a relevant position as it is responsible for the regulatory compliance of the suppliers and is liable to the public authorities for certain obligations with broad legal repercussions, including those of a punitive nature.

In short, a wide range of new principles and obligations that add to the complex and extensive regulatory framework for the activity of financial institutions. However, if we consider the rapid and intense process of digital transformation we are undergoing, and the exposure of financial institutions to cyber-attacks, it is coherent that the EU has decided to start regulating in depth. The financial sector is the most prepared and advanced in terms of network and system security. The large investments that financial institutions make every year to keep their organisations and business protected, as well as a strong culture of internal cyber security, make it more feasible to start with this sector because of the solid compliance standards from the regulatory framework that they are used to facing.

DORA is going to mean a substantial change in the way things are done, and above all in the way the cyber-security function is organised within the entities subject to the scope of this new regulation. However, both the CISO and the DPO are going to be required to have a Renaissance knowledge of the various matters that affect their function or, at least, to have a governance, support structure and policies that support the new responsibilities that are required.

 You can see the article in Expansion.