Europe’s risk managers need to act as EU ramps up cyber resilience rules

Europe’s risk managers will need to become more involved in their organisations’ cyber security strategies as the EC steps up its legislative programme designed to ensure that the EU is more cyber-resilient. 16 January saw the official publication of the Digital Operational Resilience Act (DORA), which applies specifically to the financial sector, including insurers. It has now entered into force, alongside the NIS2 Directive (NIS2D) that was finally adopted at the end of last year, and applies to the wider business community and government bodies. DORA aims to provide a robust system to enhance digital risk management, and line it up with financial institutions’ business practices. The act is part of the EU’s Digital Finance package, a range of policies intended to maximise the value of digital finance in terms of growth and competitiveness, while minimising the risks. Brussels-based public affairs, consulting and communications firm Dr2 specialises in advising firms on how cope with EU legislation. It explained the implications of the new rules for financial firms. “DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector, as well as critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states,” it said. Now that the DORA legislation is formally published, aspects requiring national transposition will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs) – such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (Eiopa) – will develop technical standards for all financial services institutions to abide by, from banking to insurance and asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary once it applies from 17 January 2025, explained Dr2. Dublin-based corporate law firm William Fry said that DORA aligns with broader measures for common cybersecurity levels across the the European Union to improve the public and private sectors' resilience and incident response capacities. “The NIS Directive (EU 2016/1148) was the first piece of EU-wide legislation on cybersecurity. Its expanded version, the recently adopted NIS2 Directive (NIS2D), relates to the resilience of a broad category of entities, including financial entities identified as operators of essential services. While NIS2 will enhance existing cybersecurity risk management measures and reporting obligations for multiple sectors and member state governments, DORA is financial sector-specific legislation. The DORA Amending Directive will amend other Directives to align with DORA, including CRD IV, Solvency II, MiFID II, PSD2, UCITS and AIFMD,” said the law firm. William Fry lists the key elements of DORA as: - Governance and control DORA sets out requirements for financial entities relating to governance structures, systems and controls. The management of financial entities will have to define, approve, oversee and be accountable for the firm's information and communication technology (ICT) risk management framework. - ICT risk management framework The ICT risk management framework must be “sound, comprehensive and well-documented”. It must be reviewed and should outline: How it fits within the firm's overall risk management framework. How it supports the firm's business strategy and objectives. Clear roles and responsibilities for ICT-related functions. A communication strategy for ICT-related events. The firm's tolerance level for ICT risk. Firm's information security objectives. The firm's information and ICT assets. A map of ICT asset configuration and interdependencies. Critical ICT processes. - ICT security ICT security must be monitored and reviewed. Firms must identify ICT-related issues and employ mechanisms to detect potential ICT threats or problems. - ICT incident management, classification and reporting DORA promotes a consistent and integrated process to detect, manage and notify ICT-related incidents. Standardised reporting templates must be used, and relevant incidents must be reported to the competent authority within prescribed timeframes. Contact with service users or customers may be necessary, depending on the circumstances. - Testing DORA requires comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices and processes. Independent parties must test financial entity ICT. Critical ICT systems and applications should be tested by in-scope firms at least every 12 months. Some financial entities will be required to complete threat-led penetration testing no less than every three years. - Sharing information DORA will oblige financial entities to share cyber-threat-related information and intelligence. - ICT third-party risk management ICT third-party risk is a key part of the ICT risk management framework. Under DORA, ICT third-party service providers designated as "critical" will be subject to oversight by an ESA. Third-country critical ICT third-party providers must establish an EU subsidiary within 12 months of a "critical" designation to continue providing services within the EU. Contractual arrangements with ICT third parties will be important in this context. The Irish law firm also provided some very useful advice to risk managers and their c-suite bosses on what NIS2 requires. It explained that The NIS2D updates and expands the scope of the pre-existing framework, the NIS Directive, to include medium and large businesses from more critical sectors. This includes manufacturers of critical products, such as medical device manufacturers, postal and courier services, public administration and digital services. The NIS2D will also place cybersecurity and breach reporting obligations on operators of essential services and digital service providers such as online marketplaces, search engines and cloud services. The key changes according to the experts at William Fry are as follows. Broader Scope: NIS2D will apply to a broader scope of sectors and entities, excluding micro and small enterprise). The following sectors will be under the scope of the NIS2D. - Essential Entities: energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure; public administration; space. - Important Entities: postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers (such as providers of online marketplaces, online search engines and social networking services platforms). Management body oversight and accountability: NIS2D will impose direct obligations on "management bodies" to implement and supervise their organisation's compliance with the legislation, leading to potential fines and temporary suspensions from discharging managerial functions including at c-suite level. NIS2D specifically provides that the c-suite must follow "specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity". It also grants wide supervisory powers to the competent authority for entities that fall under the scope of NIS2D. Cyber risk management measures: NIS2D requires covered entities to implement cyber risk management measures that are "appropriate and proportionate… to manage the risks posed to the security of network and information systems which those entities use in the provision of their services”. This includes security policies, incident handling, business continuity and crisis management, supply chain security, policies and procedures to test the effectiveness of cyber risk management procedures and the use of cryptography and encryption. Amended incident reporting requirements: NIS2D imposes notification obligations in phases, including an initial notification within 24 hours of becoming aware of any incidents having a significant impact on the provision of the company's services or any significant cyber threat that those entities identify that could have potentially resulted in a significant incident. Previously the NIS Directive only required notification without "undue delay" followed by “intermediate” and “final” reporting obligations. Fines and penalties: EU member states are granted discretion to set out “effective, proportionate and dissuasive” penalties for breaches of NIS2D, as well as administrative fines for certain breaches of up to €10m or 2% of total worldwide turnover, whichever is higher. GDPR and NIS2D: Where the competent authority under NIS2D becomes aware of an infringement by an entity of its obligations under Article 18 (risk management measures) or Article 20 (reporting obligations) of NIS2D that entails a personal data breach, the competent authority shall notify the relevant data protection commissioner within a reasonable time. William Fry advised organisations that fall within the scope of the NIS2D to notify the European Union Agency for Cybersecurity (Enisa) of their name and up-to-date contact details within 12 months on the rules coming into force. Covered organisations will need to conduct a “fulsome review” of their technical and organisational measures to ensure compliance with NIS2D, and ensure they have proper breach-reporting measures in place so they can comply with the short notification window if and when a breach occurs, said William Fry.

Europe’s risk managers need to act as EU ramps up cyber resilience rules

DORA and NIS2D demand intensified cyber risk management

Want to read this article?

Read Next

Zurich sees highest profit since 2007 as commercial delivers ‘exceptional’ results

Mapfre Global Risks posts ‘spectacular’ 2022 result

Turkey’s port fire to bring $679m in trade losses: Russell Group

Talanx reports 2022 premium growth and lifts targets

First ever trade secrets insurance policy launched by Chaucer and Crown Jewel

Zurich sees highest profit since 2007 as commercial delivers ‘exceptional’ results

Mapfre Global Risks posts ‘spectacular’ 2022 result

Turkey’s port fire to bring $679m in trade losses: Russell Group

Talanx reports 2022 premium growth and lifts targets

First ever trade secrets insurance policy launched by Chaucer and Crown Jewel

This website uses cookies to improve your experience. You can review our Cookie Policy here.

Want to read this article?

Read Next

Zurich sees highest profit since 2007 as commercial delivers ‘exceptional’ results

Mapfre Global Risks posts ‘spectacular’ 2022 result

Turkey’s port fire to bring $679m in trade losses: Russell Group

Talanx reports 2022 premium growth and lifts targets

First ever trade secrets insurance policy launched by Chaucer and Crown Jewel

Related Articles

This website uses cookies to improve your experience. You can review our Cookie Policy here.