5 minute read
On 10 November 2022, the European Parliament approved two significant pieces of cybersecurity legislation:
Whilst the object of NIS2 is to impose requirements for additional security and reporting measures on a larger share of the EU economy, DORA focuses on the financial services sector. A key aspect of both pieces of legislation is that they bring a far greater number of entities under the supervision of sector-specific authorities in respect of cybersecurity requirements.
DORA applies to a broad range of financial entities, including investment firms, (re)insurance undertakings, investment firms, and electronic money organisations. It also extends to ‘critical ICT providers’, including cloud service providers who support financial organisations.
Some aspects of DORA’s requirements may be familiar to a sector already subject to onerous regulatory regimes. However, as we are seeing with the general approach to cybersecurity and data protection regulation, greater focus on documentation of technical and security measures is now being required, in addition to protection against third-party risk:
Under DORA, firms will be required to monitor and log IT incidents and report those serious incidents to the relevant financial regulator. Additional focus is placed on root cause analysis and incident containment, in addition to documenting them throughout the incident.
The potential penalties associated with DORA can be significant and, differently to GDPR and/or NIS(2), encourage the firm to comply by imposing fines on a daily basis. Those organisations deemed noncompliant by the relevant supervisory body may find themselves subject to a periodic penalty payment of 1% of the average daily global turnover in the preceding year, for up to six months, until compliance is achieved. It is unclear as to how compliance will be considered ‘achieved’, and it will be interesting to see how this penalty regime aligns with other financial compliance regimes such as PCI-DSS.
The supervisory body may also issue cease-and-desist orders, termination notices, additional pecuniary measures, and public notices.
At this stage, it is not clear whether the UK will attempt to mirror legislation adopted by the EU. However, whilst domestic UK businesses may be outside of the scope of DORA, those who operate on an international basis through EU entities or branches will be within the scope of DORA. As with other aspects of cybersecurity regulations, DORA outlines critical requirements that organisations should adhere to in order to maintain good cyber hygiene, especially in a sector that is regularly targeted by cyber criminals. The UK Treasury has released proposals for regulating critical third parties, including financial institutions; however, the progress of these proposals is subject to the passage of the Financial Services and Market Bill currently going through Parliament.
Organisations need to be clear whether either (or both) of NIS2 and DORA apply to their commercial operations. Those who fall within both regimes should be wary of the multiple reporting regimes that will be triggered in the event of a cybersecurity incident. This multiplicity of reporting requirements should be considered before an incident occurs to avoid falling foul of one or more of the regimes at a time of crisis.
Financial service providers will already have a number of information security measures in place that align with the requirements under DORA. Organisations should see these new pieces of legislation as opportunities to perform gap assessments, identifying those areas where they may not comply with the new regimes. For some organisations, this may result in a positive reminder that their cybersecurity practices are in strong shape; for others, there may be further considerations and adaptations required to bolster their cyber resilience.
The Orrick Cyber and Financial Regulatory teams regularly advise clients in the financial services and fintech sectors on their cybersecurity programs and help to ensure they have addressed critical cyber preparedness requirements.