
Regulation DORA and the Financial Supervisory Commission: How do new EU regulations and supervisory actions affect the financial sector’s cybersecurity?

On April 30, 2024, the Office of the Financial Supervisory Commission took a significant step by addressing a sector letter to financial market participants. What was its purpose? It follows from the European Union's decision to adopt the DORA Regulation in order to strengthen the digital operational resilience of the financial sector.

The regulation has a wide scope, covering critical aspects such as ICT third-party risk management, cyber risk management, and the management of information and communication technology (ICT) systems. This covers everything from cloud service providers to crypto-asset service providers and ICT third-party service providers. Significant attention is also given to critical third parties and to how their services affect the overall operational resilience of the EU financial system.

The sector letter is thus aimed at a self-assessment by financial entities of their level of compliance with the Regulation. Sounds like the beginning of important changes in the financial sector? Let’s check it out!


Operational resilience act DORA: a revolution in the financial sector

The financial sector is on the verge of a digital revolution. In recent years, financial entities and other financial institutions have faced escalating cyber threats, with an alarming 6484 phishing incidents reported in 2019 alone. As technology progresses, the criticality of information and communication technology (ICT), and of the ICT risks it carries, to the EU financial sector can’t be overemphasized.

The legislature has responded to the emerging danger, and as a result, Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011, known as the DORA Regulation, will come into force at the beginning of 2025.


When do the DORA regulations come into effect?

It turns out that the harmonization of rules directly relating to digital operational resilience and the security of ICT services is, so to speak, the foundation of modern financial services. It is therefore gratifying that the DORA rules will apply as early as January 17, 2025, even though implementing them may be far from easy.

Furthermore, DORA underscores the importance of third-party risk management and mandates stringent standards for critical ICT providers and third-party service providers. This includes the reporting of major ICT-related incidents and the handling of potentially significant cyber threats.

Through the Digital Finance Strategy, DORA introduces a new era of digital finance, providing a robust operational resilience framework to protect the EU financial sector from severe operational disruption. It establishes requirements for crypto-asset service providers, electronic money institutions, and data analytics services, ensuring the security of critical assets.


New obligations for financial institutions under the magnifying glass of the Financial Supervision Commission

Adherence to the principles of the Digital Operational Resilience Act (DORA) requires supervision to be entrusted to a competent authority. In the EU member state of Poland, the supervision of financial entities falls under the Financial Supervision Commission, headed by Dr. Jacek Jastrzębski.

Under the leadership of the commission’s chairman, the Financial Supervision Commission issued a sector letter on April 30, 2024, to various entities including Small Payment Institutions, National Payment Institutions, and Cooperative Savings and Loan Banks.

This initiative requires the entities mentioned to conduct business impact analyses and to self-assess their level of compliance with the Digital Operational Resilience Act (DORA). These actions form a central part of ICT risk management and highlight the importance of handling ICT-related incidents. The primary objective of the initiative is to gradually align the FinTech market with the new provisions of the regulation.


"Financial institutions are required by the FSC to self-assess their level of compliance with the DORA Regulation."

Protection of the Financial Sector – A Joint Responsibility

The move by the Financial Supervision Commission is a nod to the discourse between the European Parliament and the European Council regarding the importance of ICT risk management in the financial sector. This discourse emphasizes the need for the development of technical standards to maintain operational resilience and manage cyber risks.

In addition, this sector letter is part of a pivotal phase on the path towards digital operational resilience. With the accumulated data, the Commission will strive to develop regulatory technical standards. The resulting report, in turn, will act as a guide for credit institutions, investment firms, and other financial entities on how to maintain their operational resilience in the face of major ICT-related incidents.

This commitment to digital operational resilience not only safeguards the stability of the financial services sector but also promises to improve the resilience of all entities involved in this ecosystem, thus benefiting the financial sector at large.


What do financial institutions have to face? Analysis of the FSC survey

As part of the survey, which aims at an accurate self-assessment of compliance with the DORA Regulation, the Financial Supervisory Commission has provided some 200 questions covering the key areas of cybersecurity in the financial sector. They concern:

  • ICT risk management,
  • ICT-related incident management,
  • digital operational resilience testing,
  • management of the risk arising from ICT third-party service providers,
  • information-sharing arrangements.

The designated entities are to include data in the survey that is consistent with the facts as of March 31, 2024. Responses are to be submitted by June 15, 2024 via a special application available on the Financial Supervisory Commission’s website.

This approach is aimed not only at assessing the readiness of entities to apply the new regulations, but also at enabling the FSC to effectively monitor and supervise digital risks in the financial market.

It’s also important to remember that the FSC’s analysis is not just about achieving operational resilience or managing ICT risk. It’s about fortifying the financial sector against possible threats that could compromise critical assets or disrupt critical and important functions. This requires strong collaboration between financial institutions, ICT providers, and critical third-party providers.

Together, they can safeguard the integrity of the insurance and securities markets, asset management, and even crypto assets, from unprecedented threats.


How will the Digital Operational Resilience Act affect ICT risk management?

The DORA Regulation requires financial entities to develop security policies and mechanisms for detecting anomalies, as well as communication plans for disclosing cyber incidents.

In addition, DORA requires that ICT systems be tested against potential threat scenarios, and that threat information and the results of such analysis be shared with financial regulators.

These measures are expected to lead to the construction of a common system for countering cyber incidents. In this context, the survey released by the supervisory authorities serves to assess how closely the financial market is adapting to the new European Union requirements imposed by the regulation.

Don’t wait until the regulations come into force; start acting now. Our law firm offers comprehensive advice on compliance with cybersecurity regulations, and our team of experts will help you understand the requirements of the DORA Regulation.

Authors: Mateusz Bałuta and Piotr Glapiński, team leaders, DKP Legal
