Flexible but robust cybersecurity compliance programs are essential to comply with new EU digital laws

David Dumont, Partner at Hunton

Cybersecurity is continuously becoming more important for organizations in the financial sector, as it is a growing concern for the customers that engage with these organizations. The number of cyber incidents is exploding and the impact of such incidents is becoming more and more substantial. Organizations in the financial sector face heightened risks: they are frequently targeted by attacks, and the consequences of such attacks can be particularly severe (including, for example, reputational damage). Society’s reliance on digital financial services is also growing, requiring organizations in the financial sector to ensure that they are resilient not only against cyber incidents of a malicious nature, but also against incidents resulting from human error or non-malicious third-party intervention, such as supply chain failures.

Recognizing this increased risk landscape, the EU legislator has adopted a number of new digital laws that impose robust cybersecurity requirements on organizations. For the financial sector, the key piece of cybersecurity legislation is the Digital Operational Resilience Act (“DORA”).

DORA has a broad scope, applying not only to traditional financial organizations, such as banks, investment firms, insurers, and credit institutions, but also to non-traditional entities, like crypto-asset service providers and crowdfunding platforms. In addition, DORA imposes obligations on third-party service providers that supply financial firms with IT systems and services, e.g. cloud service providers and data centres.

Traditional financial organizations, such as banks, are experienced in doing business in a highly regulated environment and typically have a robust cybersecurity program in place. This puts them in a good position to comply with DORA’s strict cybersecurity obligations, which require measures with respect to (i) cybersecurity risk management; (ii) third-party risk management; (iii) incident management and reporting; and (iv) resilience testing. Less traditional financial organizations, however, may require greater efforts to align their cybersecurity measures with DORA’s requirements.

DORA became fully applicable on January 17, 2025. Since DORA is an EU Regulation, it is directly applicable in all EU Member States and does not require country-level transposition.

Financial organizations in the banking and market infrastructure sectors will, in addition to DORA, be subject to the new Directive on measures for a high common level of cybersecurity (the “NIS2 Directive”) under its most stringent threshold, that of “essential entities”. The NIS2 Directive requires the implementation of a cybersecurity culture within the organization, supported by robust cybersecurity and incident management measures. Where both the NIS2 Directive and DORA regulate the same matter, financial organizations subject to both laws will only be required to comply with DORA. This is challenging, as it requires financial organizations to identify the common points and deviations between the two legal instruments and to set up their compliance programs accordingly. Further regulatory guidance on the interplay between DORA and the NIS2 Directive would help financial organizations streamline their compliance journey with the new digital laws.

The deadline for EU Member States to transpose the NIS2 Directive into their national law expired on October 17, 2024. However, a significant number of Member States have missed the transposition deadline. Most Member States that have not yet adopted their NIS2 transposition law are expected to do so shortly, as they are under significant pressure from the European Commission.

As the EU and global legal landscape with respect to cybersecurity is constantly evolving, it is important that financial organizations build cybersecurity compliance programs that are flexible and principle-based, taking into consideration internationally recognized cybersecurity standards. They should continuously monitor developments in the legal and threat landscape and adjust their programs accordingly.
