Cybersecurity and digital resilience in financial services: Final rules adopted by EU lawmakers

On 28 November 2022, two pieces of EU legislation that will set the new framework for digital resilience and cybersecurity across EU financial services and more broadly were adopted. At a time when digital finance, data and technology such as cloud computing present huge opportunities for financial services and FinTech, the 'NIS2 Directive' (a horizontal cybersecurity framework) and 'DORA' (a vertical resilience regime for financial services) will have significant implications for technology providers and users in the EU.

This briefing provides a quick introduction of the new legislation, implementation timeframe, and which businesses will be affected. 

DORA: Digital resilience requirements for EU financial services firms and their (critical) ICT service providers

The 'Digital Operational Resilience Act', known as 'DORA', is a new EU regulation for a common set of rules and standards to mitigate ICT risk across the EU financial services (FS) sector, by harmonising existing fragmented rules and raising the bar for ICT risk management. DORA will have significant implications for EU FS firms and their ICT service providers (see our earlier briefings here). Key points to be aware of:

• Broad scope of application. A wide range of EU "financial entities" are in-scope, including credit institutions, payment institutions, account information service providers (AISPs), e-money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, certain financial market infrastructure (FMI) providers, managers of AIFs, certain insurance undertakings and intermediaries, and other firms subject to EU financial services legislation. There are some exceptions and carve-outs, including for small and medium sized enterprises. 
• Extensive requirements on firms. In-scope financial entities will be required to address cybersecurity vulnerabilities, including by implementing ICT risk management frameworks, procedures for the identification, classification and reporting of certain ICT-related incidents, and enhanced testing (including advanced threat-led penetration testing for certain entities). DORA also focuses on internal governance arrangements. See our earlier briefing, here.
• Third party ICT risk. Management of third party ICT risk is an important part of DORA, building on many of the requirements under existing guidelines such as the EBA Outsourcing Guidelines and putting these requirements onto a legislative footing, including contractual terms.
• "Critical" ICT providers. For ICT providers to the EU FS sector (including providers of software, data analytics and cloud computing services), DORA could be even more significant. As well as dealing with increasing requests from their FS customers to enable compliance with DORA (such as contractual terms, testing and incident reporting), DORA empowers EU FS authorities to designate certain ICT service providers as "critical ICT third party providers". These businesses would then be directly overseen by EU FS authorities for the first time, with significant implications in terms of oversight and potential enforcement action. See our separate briefing here.

NIS2: A revised horizontal cyber security regime 

Cybersecurity concerns are not limited to the FS sector. In the face of increasing cyber threats and sophisticated cyberattacks, the NIS2 Directive updates the existing Network and Information Security (NIS) Directive (EU) 2016/1148, to set tighter cyber-security obligations for cyber risk management, incident reporting and information sharing across a broader range of sectors. Key points to be aware of:

• More stringent requirements: The NIS2 requirements are more stringent than under the 2016 regime, and  include areas such as incident response, supply chain security, encryption, vulnerability management, and implementation of appropriate technical, operational and organisational measures. 
• Wider application: NIS2 will apply to a wider range of entities, capturing certain "essential" entities (across energy, transport banking and FMIs, health, drinking water, waste water, digital infrastructure, B2B ICT service management, public administration and space under Annex I), and "important" entities in other critical sectors (including postal services, chemicals, waste, food, certain manufacturing, research, and other digital providers including marketplaces and social networking platforms under Annex II). Which "essential" and "important" entities are in-scope is determined by the relevant thresholds, with less discretion left to individual Member States than under the original NIS regime.
• Interaction with DORA: Financial entities that are in-scope of DORA will not need to comply with the NIS2 cybersecurity requirements as well.  However certain critical ICT third party providers under DORA (e.g. cloud computing providers designated under DORA) could be subject to both DORA and NIS2, although legislators have sought to minimise the impact of inconsistencies and duplications between the two regimes. 
• Jurisdiction of oversight: In-scope entities will generally fall under the jurisdiction of the Member State in which they are established, and will therefore need to be aware of how the NIS2 Directive is implemented in those jurisdiction(s). 
  Given the cross-border nature of certain digital infrastructure providers (including cloud computing providers, managed service providers and providers of online marketplaces, search engines and social networking platforms), jurisdiction will be determined by the location of their "main establishment", normally where decisions relating to cybersecurity risk-management measures are "predominantly" taken.  In some cases, providers that are not established in the EU but provide services there may need to designate a local representative (see our separate briefing here).
• Collaboration and standardisation: The NIS2 Directive also includes mechanisms to foster greater collaboration and standardisation around cybersecurity in the EU, including cooperation between authorities, use of standards and technical specifications, certification schemes, and registries for certain service providers (including cloud computing, data centre, and content delivery network providers). 

For further information on the scope and application of NIS2, see our separate briefing here. 

Timeline to implementation

Both DORA and NIS2 have now been approved by the European co-legislators. They will both enter into force on the twentieth day following publication in the Official Journal of the EU, after which the implementation timeframes are as follows:

• DORA Regulation: 24 month implementation period for financial entities and for the regime on critical third party service providers.
• NIS2 Directive: Member States will have 21 months to adopt and publish the relevant implementing measures, at which point the new rules will become binding on businesses.

However, in-scope organisations should not wait until then to implement the requirements and operational changes. Under DORA for example, many of the requirements such as threat-led penetration testing (TLPT) will require significant resources to scale up existing capabilities, and other aspects such as governance arrangements will take time to integrate across businesses and groups. Firms that delay preparing could struggle to achieve compliance in time, as well as missing out on the enhanced security and resilience benefits in the meantime.

Note that both DORA and the NIS2 Directive require further legislation and regulatory technical standards to be adopted to flesh out many of the details of how the requirements apply. 

Supply chain security and indirect impact on service providers

Both DORA and NIS2 aim to increase the resilience and cybersecurity of the entire supply chain, and include specific requirements around supply chains and subcontracting. As a result, even those businesses that are not directly in-scope of DORA or NIS2 could indirectly feel the impact, as in-scope customers request relevant contractual terms or security compliance requirements. 

Technology and managed services providers that get ahead of the requirements could therefore gain competitive advantage over their competitors, by reducing friction for their customers that need to comply. 

Outlook: Regulating 'resilience'

Where historically organisations' digital projects have predominantly focussed on data protection compliance, regulation of 'resilience' is likely to play an important role going forward. For example, more widely, the European Commission has also published its proposed Cyber Resilience Act, which would introduce cybersecurity requirements for a broad scope of products with digital elements (see our briefing here). 

We will be following these developments closely to help clients prepare their businesses for the changes ahead.