The rise of digitalisation in financial services offers significant opportunities for modernisation and improved efficiency. However, everything comes with a price, as it also increases exposure to cyberattacks, presenting potential vulnerabilities that financial institutions must address to protect themselves and their clients. According to the European Union Agency for Cybersecurity (ENISA), the banking and financial sector is the fifth most targeted industry for cyber incidents across Europe, which highlights how critical this problem for financial service providers is.
Cyberattacks on financial institutions can lead to severe consequences which can then affect not only the institutions but also the broader financial system and customer trust. Key risks include:
- Disruption of financial services: attacks can compromise essential services, temporarily preventing clients from accessing their funds or completing transactions.
- Significant financial losses: financial institutions risk incurring substantial financial damage as a result of cyber incidents, mostly through direct loss and other costs associated with possible containment, recovery, and remediation.
- Data breaches resulting in sensitive information leaks: should attackers gain access to sensitive client information this might lead to the misuse of personal data, further putting both clients and financial entities at risk.
- Reputational damage and loss of credibility: beyond the immediate financial and operational impacts, a successful cyberattack can seriously harm the institution’s reputation, leading to a potential loss of client trust and decreased market confidence.
These and other serious risks are the reason why the European Union is paying increased attention to the protection of digitalisation, which is essential for the normal day-to-day functions of all financial entities.
DORA: a new era of cybersecurity oversight in financial services sector
The Regulation on digital operational resilience for the financial sector (DORA) is considered to be one of the most significant regulatory initiatives in the European Union. DORA will enter into force very shortly, on 17 January 2025, with relevant institutions required to have put in place all necessary measures by this date. Moreover, this regulation will considerably increase the responsibility of financial institutions in the area of cybersecurity, with accountability down to the senior management level of the companies concerned.
New obligations under DORA will require, primarily, a change in the approach of governing bodies of relevant financial institutions - these will be tasked with establishing and approving a digital operational resilience strategy which should strengthen the resistance of institutions to the digital threats that may be rapidly evolving and minimising the vulnerability of business models.
DORA also establishes the world's first framework that enables regulatory authorities to oversee third-party providers of critical information and communication services, including cloud service providers. The supervisory authorities' rights under DORA will be broad in scope and will include, for example:
- conducting on-site investigations
- interviewing entities
- providing access to any document/data stored in any form that the competent authority deems relevant or
- imposing financial penalties - in the case of the Czech Republic, under the current proposed legislation, fines can amount to up to CZK50 million (almost EUR2 million).
The scope of the Regulation is quite broad - DORA applies to various financial entities, including not only traditional financial service providers such as credit institutions, investment firms or insurance companies, but also providers of services related to crypto-assets or crowdfunding platforms, etc. In this respect, it is also worth mentioning that the principle of proportionality is to be applied in the application of the relevant rules under DORA, which should ensure an individual approach to each supervised entity. Consequently, small financial institutions with a low risk profile and complexity of services should be subject to less stringent oversight.
The Czech National Bank’s proactive approach to cybersecurity with TIBER-EU initiative
The Czech National Bank (CNB) has decided to properly focus on this matter and join other European countries in adopting the TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming) to improve cybersecurity in the financial sector. TIBER-EU, which is developed by the European Central Bank (ECB), is an advanced framework for penetration testing specifically designed for financial entities. It provides a method for simulating real-life cyberattacks on critical systems, enabling institutions to test their resilience under authentic conditions. By joining the TIBER-EU system, the CNB sends a clear message to relevant financial institutions operating in the Czech Republic that it is ready to assume its supervisory authority in the area of cybersecurity.
What joining TIBER-EU means for the CNB and Czech banks
The decision to join TIBER-EU grants the CNB access to the latest cybersecurity techniques and guidelines. As a result, the CNB will be better able to monitor and enforce cybersecurity standards within the Czech financial sector. By joining TIBER-EU, the CNB hopes to ensure that banks and other financial institutions are adequately prepared to prevent, detect, and respond to cyberthreats, contributing to a more resilient financial environment for the Czech Republic.
New requirements and responsibilities for Czech financial institutions
DORA and TIBER-EU will introduce a number of new requirements and obligations for relevant financial institutions that are supervised by the CNB. This will include in particular:
- Mandatory penetration testing: under TIBER-EU, all relevant banks and financial institutions will be required to undergo penetration testing at least once every three years. Relevant institutions for advanced testing will be selected by CNB on a regular basis, at least once a year. This testing involves cybersecurity specialists trained to mimic the techniques and tactics used by actual cybercriminals. This approach simulates real-world cyberattacks, targeting critical systems to expose potential vulnerabilities under realistic scenarios.
- Continuous cybersecurity improvement: the introduction of the TIBER-EU standards will most probably require financial institutions to invest in upgrading their cybersecurity infrastructure or internal trainings of their personnel to meet increasingly rigorous standards.
- Specifically tailored contractual provisions: financial institutions will have to use a number of specific elements in their contractual arrangements with ICT providers. These should include eg the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed or provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.
Increased preparedness for cybersecurity demands
Joining TIBER-EU will undoubtedly place higher demands on the cybersecurity capabilities of Czech financial institutions. Ultimately, the CNB’s alignment with TIBER-EU will demand that Czech financial entities commit to a proactive, rigorous approach to cybersecurity. Consequently, this initiative further strengthens the CNB's supervisory powers. In this way, the CNB expects this approach to increase the digital resilience of the Czech financial sector and strengthen public confidence in the security and stability of banking and financial services.
Conclusion
As the effective day of DORA approaches, affected financial institutions have only a few weeks left to prepare for this important new regulation which introduces a series of new compliance standards that demand early planning, as adapting to these changes will require time, resources, and specialised support. By allocating the right resources and preparing ahead—including the preparations for cybersecurity frameworks like TIBER-EU—institutions can position themselves to meet DORA’s standards effectively and strengthen their resilience against future risks.
Find out more
To discuss the issues raised in this article in more detail, please contact a member of our Banking and Finance team in Prague
