EVERYONE should deal with the topic of cybersecurity and the associated risks on an ongoing basis. This applies to every individual for the protection of their data and every company. Companies that operate critical infrastructures - and financial service providers in particular - bear a special responsibility in our society.
Legislators continue to be active: despite all efforts, spectacular cyber attacks keep occurring (see Cyber security: financial service providers increasingly targeted by hackers), and they are the reason for further legal regulation. The fight against cybercrime will enter a new, decisive round in 2024.
This is due to two areas of regulation that will take on a new urgency in 2024. Firstly, DORA, the directive aimed at companies with critical infrastructures, including financial service providers, must be implemented by the beginning of 2025. So there is still a lot to do for the companies concerned in 2024.
On the other hand, the NIS2 Directive ensures that many new sectors will have to comply with the legal provisions against cybercrime by October 2024. This includes a number of companies that are often not even aware that they are affected.
This article is intended to draw attention to the need for action - and also as a wake-up call.
DORA takes financial service providers to a higher security level
Who is the DORA Directive aimed at?
The EU Regulation 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act) applies to all financial companies regulated at EU level. This includes financial institutions, financial market infrastructures such as trading platform operators, but also information and communication technology service providers and third parties that provide essential services to financial institutions, such as data processing.
Measures to strengthen digital operational resilience
The aim of DORA is to strengthen the digital operational resilience of the entire European financial sector.
One of the key aspects here is the risk management of information and communication technologies (ICT). Under DORA, financial services companies are obliged to set up a framework for managing ICT risks. This includes a regular risk analysis, the identification of critical ICT systems and the development of strategies to reduce those risks. Articles 17 to 23 of Chapter III regulate the handling, classification and reporting of ICT-related incidents.
Another important aspect is the testing of digital operational resilience, including penetration tests and emergency drills, which are described in the following chapter. Companies are required to test and review the effectiveness of their ICT security measures and procedures at regular intervals. These tests are intended to ensure that the systems remain functional even under extreme conditions.
The monitoring and control of ICT service providers also plays a central role. Companies must ensure that their service providers also implement robust security measures and carry out regular audits.
This presents financial services companies with new challenges that need to be overcome, because if these high requirements are not met, there is a risk of sanctions.
Stricter sanctions for non-compliance with the guidelines
The sanctions and measures that can be applied in the event of non-compliance with the directives must be effective, proportionate and dissuasive. In addition to administrative sanctions, the authorities can also take action against companies under criminal law.
In accordance with Art. 35 Para. 8, penalty payments can be levied against ICT service providers for non-compliance with the directives. The amount is limited to one percent of the average worldwide daily turnover generated by a third-party ICT service provider in the last financial year.
If administrative sanctions are imposed, these must be published on the website of the competent authority.
Violations of the DORA guidelines can lead to increased monitoring measures and more frequent audits by the competent supervisory authorities, resulting in a higher administrative and financial burden for the company. In addition to the legal and financial consequences, there may also be reputational damage that has a lasting impact on the trust of customers, investors and business partners.
Creation of a uniform regulation with DORA
The introduction of DORA aims to ensure a specific, comprehensive and uniform regulation for digital operational resilience in the financial sector. Before DORA, there were various directives and regulations, such as the NIS2 Directive, PSD2, GDPR, BAIT and the EBA guidelines, which dealt with the topics of cyber security, the creation of a secure payment market and the protection of personal data. However, until then there was no regulation that dealt specifically and exclusively with the digital resilience of financial services companies. The existing rules will therefore be replaced (as in the case of BAIT), supplemented or expanded by DORA in order to meet the special challenges of the digital age in the financial sector.
NIS2 covers a large number of new companies
Which companies fall within the scope of NIS2
Like DORA, the NIS2 Directive ("The Network and Information Security Directive") aims to strengthen resilience to digital threats. It was published in the Official Journal of the European Union L333 on 27.12.2022. Member states must transpose the directive into national law by October 2024.
While DORA focuses on the financial sector, NIS2 concentrates on critical infrastructures. The NIS2 Directive applies to companies from the 18 defined sectors that have more than 50 employees and an annual turnover of more than EUR 10 million. According to estimates, this affects between 25,000 and 40,000 companies in Germany. As companies will not receive any official notification as to whether they are affected by NIS2, they will have to decide for themselves whether the directive applies to them. In Germany, monitoring is the responsibility of the Federal Office for Information Security (BSI). Auditors will also provide relevant information.
Tightening of the existing rules with NIS2
NIS2 came into force in January 2023, replacing the NIS1 directive from 2016. NIS2 significantly expands and tightens the existing directive with the aim of further strengthening resilience and cybersecurity across the EU. Compared to NIS1, NIS2 covers more sectors. The reason for this is that the sectors have been classified as "essential", such as energy, transport and healthcare, and "important", such as postal services or waste management. This means that the 18 classified categories no longer only include obvious operators of critical infrastructure, but also food producers and retailers, online marketplaces and companies from the waste disposal sector. In addition to the increase in affected companies, NIS2 also brings other changes.
For example, compared to NIS1, NIS2 requires more detailed and stricter security requirements and tightens the reporting obligations in the event of a security incident. NIS2 requires the introduction or tightening of a range of protective measures such as risk analyses, measures to improve business continuity and other specific technical and organizational measures to reduce risk. However, the directive differentiates the minimum requirements based on the size of the company.
Furthermore, the reporting obligation is more strictly regulated in NIS2 than previously in NIS1. It now requires a larger number of companies to report security incidents in more detail and more quickly. These must be reported to the Federal Office for Information Security within 24 hours of being detected. An initial assessment must then be made within 72 hours and a detailed final report within one month.
Finally, comprehensive requirements are placed on risk management, which also explicitly take into account security in the supply chain. As a result, medium-sized and small companies must now also comply with the guidelines - precisely when they act as suppliers for the organizations directly affected. In order to protect the entire supply chain, they are forced to comply with and implement equally strict security measures.
What sanctions are there?
In NIS2, sanctions have now also been harmonized in order to strengthen enforcement. There are now clear specifications for fines and sanctions for breaches of the directives, which are explained in Articles 34, 35 and 36. Violations can be penalized with a maximum amount of at least EUR 10 million or 2% of global turnover for facilities in high criticality sectors. Entities in other critical sectors can be fined a maximum amount of at least EUR 7 million or 1.4% of their global turnover. The NIS2 Directive also makes management more responsible, as they can now be held personally liable for any damage caused by a breach of their monitoring duties.
Conclusion: potential risk is evident in any case
To summarize, here is an overview of why companies should address the issue of cyber security in 2024:

The DORA and NIS2 directives highlight the relevance of the resilience of important economic sectors to cyberattacks. The creation of uniform regulations aimed specifically at financial service providers and information and communication technology service providers highlights the importance of this sector, but also the threat to which it is exposed. The tightening of sanctions, the obligation of managing directors and the protective measures required of companies are intended to minimize risks and strengthen customer confidence. As a large number of other sectors are now also being confronted with these requirements, they must deal with this issue and also take the desired measures.
Are you one of those companies that want to improve their security standards and put them in the right hands? Then please contact us: NAVAX Software GmbH specializes in the provision of IT infrastructures for financial service providers and commercial enterprises and offers you the takeover of operations as software as a service in full compliance with the legal guidelines.
This is why we have been focusing on cybersecurity for years. State-of-the-art solutions (SIEM / Security Information and Event Management) and services (SOC / Security Operations Center) represent strong lines of defense against the rapidly growing criminal energies of today's digital age.
We look forward to hearing from you and will be happy to advise you on how to ensure your digital resilience.