Financial Firms’ Readiness in Question as New EU Cyber Rules Take Effect
EU cyber rules take effect on January 17, 2024. The new regulations require banks to strengthen their cybersecurity systems. However, according to CNBC, many companies that provide financial services in the European Union have yet to comply fully with the stringent new regulations.
DORA Requirements
The new Digital Operational Resilience Act (DORA) requires financial service providers and companies that support them technologically to bolster their IT systems. DORA compliance is aimed at ensuring that the financial industry across the EU remains resilient in the event of disruptions like cyberattacks.
Institutions that breach the new EU bank security rules could face heavy penalties. Fines for failing to comply with the new regulations could be equivalent to 2% of a banking entity’s annual global revenue. The new rules also provide for the personal liability of managers in financial service firms, meaning that individual managers may be held responsible for breaches of the law. If found liable, managers could face sanctions as high as $1 million.
As part of complying with DORA, financial entities have to conduct rigorous IT risk assessment and incident management. They also have to assess their classification and reporting processes, test their operational resilience, and share information on cyber threats and vulnerabilities.
Financial firms are also expected to assess their concentration risk in relation to outsourcing important functions to third parties.
Mixed Compliance
But Cisco Deputy General Counsel and Chief Privacy Officer Harvey Jang says DORA compliance in the EU has been mixed.
“I think we’ve seen a mixed bag. Of course, the more mature-stage companies are further along looking at this for at least a year, if not longer. We’re really trying to build this compliance program, but it’s so complex. I think that’s the challenge. We saw this too with GDPR and other broad legislation that is subject to interpretation – what does it actually mean to comply? It means different things to different people,” Jang said.
In the absence of a shared understanding of what robust compliance with the EU’s new cyber rules entails, most financial institutions are forced to raise their security standards beyond the required levels.
A survey by Orange Cyberdefense shows that 43% of financial entities in the UK have not complied fully with DORA. Although the UK is no longer part of the EU, these statistics are concerning because the new law applies to all financial institutions that operate within the EU.
“Whilst it is clear that DORA has no legal reach in the U.K., entities based here and operating or providing services to entities in the EU will be subject to the regulation,” Orange Cyberdefense Consultant Richard Lindsay said.
Despite these challenges, most financial experts feel it will not take long before financial institutions across Europe comply with the new rules.
“Banks in Europe already comply with significant regulations which cover the majority of the areas that fall under DORA,” Accenture EMEA Financial Service Security Lead Fabio Colombo said.
IT Supplier Regulation
DORA also provides for penalties against IT suppliers. The rules provide for levies equivalent to about 1% of a supplier’s average daily global revenue, for a period of 6 months.
“These sanctions are necessary. They are a powerful motivator, pushing leaders to take compliance and operational resilience more seriously than ever,” Sonatype CTO Brian Fox said.
But Lindsay from Orange Cyberdefense says this poses long-term risks for financial entities that shift critical security services and functions in-house.
“Advances in technology may allow financial institutions to move services back in-house, simplifying this aspect and reducing the risk of non-compliance. Either way, existing contracts will need to be updated to ensure compliance is contractually mandated and monitored between entity and provider,” Lindsay added.