Cybersecurity for financial service provider: DORA on the way

The European Union is working on framework conditions for the digitalisation of the economic area in order to ensure the secure and uniform handling of data and systems. The EU-DSGVO or the NIS guidelines for the protection of critical infrastructure are already established examples. DORA (Digital Operation Resilience Act) is now to bring guidelines to the ICT systems of financial service providers and certain cooperating companies.[1]

The aim is to ensure that all participants in the financial system have the necessary security measures in place to minimise cyber risks.

Whom does DORA affect?

The current draft of the directive covers all financial companies as well as certain supplying information service providers. In addition to banks, investment advisors, insurance intermediaries and payment service providers are also affected. Currently, only providers of hardware components and pure electronic communication services are excluded. However, a general exemption of micro-enterprises, as it exists in the Network and Information Security Act, is missing. This is one of the points of criticism of the Austrian Economic Chamber.[2]

The Austrian Financial Market Authority has already set a focus on cybersecurity for 2022. This will focus on challenges such as resilience and stability, a clean financial centre, sustainability, digitalisation, collective consumer protection and new business models.[3]

Are there any significant changes?

Yes and no. The basis for stable IT security are–as usual–up-to-date precautions according to the state of the art. Besides, it is essential to control the service providers. These measures can already mitigate many incidents. A stable foundation is also a prerequisite for robustly mapping services based on it. This includes a combination of technical and organisational preventive measures as well as emergency and recovery plans.

In addition, an active cyclical review and evidence of the effectiveness of these precautions is required–at least once a year. According to the draft, financial service provider will have to fully simulate various threat scenarios in order to test whether the current measures are implemented sufficiently and without errors. This scenario is quite ambitious.

When will DORA become binding?

An exact date from which the DORA guidelines are to be implemented is not yet known. Insiders assume, however, that this directive will come into effect in the course of 2023. Significant IT security precautions and ongoing optimisations are (hopefully) already implemented and the order of the day in all organisations.

Worth reading:

IBM Data Breach Report 2021: the four main findings

Sources: