In the European Union, financial institutions must adhere to a set of cybersecurity requirements defined by several key pieces of legislation. The General Data Protection Regulation (GDPR) stipulates the need for personal data protection and enforces strict reporting obligations in the event of data breaches. Additionally, the Network and Information Systems (NIS) Directive establishes security standards for operators of essential services, such as banks, with the aim of mitigating network disruptions and improving overall cybersecurity. Further, the European Banking Authority (EBA) issues guidelines on ICT and security risk management; financial institutions are obliged to follow these guidelines to ensure the integrity and safety of their information systems. Moreover, these institutions fall under the purview of the Digital Operational Resilience Act (DORA), which obliges financial institutions to carry out frequent risk assessments, gauging their ability to withstand cyber threats and other operational risks.
Navigating the ICT and Cybersecurity Landscape in Europe's Financial Sector
Over the past decade, significant strides have been made towards solidifying information and communications technology (ICT) and cybersecurity legislation within the financial sector across the European Union. Various financial institutions, which play critical roles in the economy, are now subject to some degree of ICT and cybersecurity regulation. However, a number of gaps remain within the regulatory landscape, coupled with a multitude of overlapping standards, which can lead to confusion. To further enhance these regulatory measures, European decision-makers are called upon to refine existing legislation.
In the face of a rapidly digitalizing world, the European Commission (EC) is steadfastly focused on seizing the opportunities presented by digitalization. However, it also understands the importance of doing so within safe and ethical boundaries. This principle formed a significant part of the EC’s political guidelines for the years 2019–2024. Additionally, the EC introduced the FinTech Action Plan on March 8, 2018, which was a comprehensive strategic initiative designed to improve cybersecurity across the EU. It involved calling upon the European Supervisory Authorities (ESAs) for their joint technical advice on a range of crucial issues. These issues spanned the existing regulation and supervisory practices in the area of ICT risks and cybersecurity, as well as the potential benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU’s financial sector.
Armed with the recommendations of the ESAs, which covered aspects like requirements on ICT security and risk management, sectoral cyber incident reporting requirements, direct oversight and supervision of third-party providers, and a cyber resilience testing framework, the EC started working on tangible action. The goal was to ensure that financial institutions would have the tools and framework necessary to defend against the mounting threats in the digital space.
DORA: Digital Resilience of the EU's Financial Sector
In response to the ESAs' advice and subsequent public consultations, the EC adopted a comprehensive digital finance package in September 2020. This package was designed to support the potential of digital finance in terms of innovation and competition, while also mitigating the risks associated with it. At the heart of this package was a legislative proposal on digital resilience for the European financial sector, called the Digital Operational Resilience Act (DORA).
DORA was conceived with the aim of introducing a harmonized and comprehensive framework on digital operational resilience for European financial institutions. This move was in direct response to the conclusions reached by the ESAs in their joint technical advice. The draft legislation of DORA is currently awaiting review and adoption by the European Parliament and the Council of Ministers. At this stage, these legislative groups can still introduce additional amendments to the final version of the legislation.
The international perspective on cybersecurity has significantly shifted towards an emphasis on operational resilience. With the world of finance increasingly moving online, cyber risks have become an omnipresent reality, no longer confined to the realm of IT and systems. In fact, with the accelerated pace of digital transformation, cyber risks now permeate all functions, products, and services of financial institutions.
Given this new reality, financial institutions need to fundamentally change their approach to managing these risks and their potential impact on business. A broader strategic perspective is required, with cyber risk management incorporated into the overall operational resilience framework. This should ideally start at the executive board level of financial institutions and extend throughout the organization, allowing institutions to better defend against the complex threat landscape externally, and manage the risks associated with digital innovations internally.
Addressing Fragmentation and Ensuring Harmonization
In their “Joint Advice of the European Supervisory Authorities,” the ESAs presented a somewhat scattered picture of European ICT and cybersecurity regulation. Despite the presence of operational risk requirements in the sectoral legislation, there is typically a lack of explicit references to ICT and cybersecurity risk, which has resulted in a fragmented regulatory and supervisory landscape. This fragmentation, the ESAs pointed out, could lead to non-convergent practices across Europe and endanger the level playing field. To rectify this, the ESAs advised that every relevant entity should be subject to general requirements on the governance of ICT, including cybersecurity. A move in this direction would promote greater ICT security and cybersecurity across Europe, creating a harmonized landscape.
The ESAs also provided different proposals for each financial subsector: banking and payments, insurance and reinsurance, and securities markets, which varied based on their individual maturity levels. For instance, in banking and payments, the recommendations of the ESAs are already fulfilled by the European Banking Authority's Guidelines on ICT and Security Risk Management. On the other hand, for insurance and reinsurance companies, the European Insurance and Occupational Pensions Authority (EIOPA) has released draft Guidelines on ICT for Consultation. These guidelines have been drafted based on the previously mentioned EBA Guidelines to ensure consistency across subsectors. However, the European Securities and Markets Authority (ESMA) sees the greatest need for legislative improvements in the area of Financial Market Infrastructures (FMIs).
With DORA, the EC has directly responded to the ESAs' recommendations. The proposal acknowledges the risks that can arise from the lack of detailed and comprehensive rules in this field and has a broad scope, covering almost all financial institutions from all three subsectors, in addition to ICT third-party providers. The proposed legislation introduces specific requirements with respect to governance and ICT risk management, as well as contractual arrangements between ICT third-party service providers and financial entities.