The financial sector is a key part of the European economy. It is an industry that has relied almost exclusively on information and communication technology ("ICT") in recent years, and its dependence on fully automated processes continues to increase as well. According to The EU Agency for Cybersecurity ("ENISA"), a stable financial system is the foundation of overall economic stability in our region. The protection of this system is therefore in the interests of all, as confirmed by the actions of the European Commission ("EC"), which presented a new proposal aimed directly at managing and securing ICT systems in the financial sector. The unified EU framework governing the cybersecurity of financial institutions, also known as “DORA” (or Regulation on digital operational resilience for the financial sector), imposes new obligations on financial institutions and selected ICT service providers.

 According to the latest annual report of the National Office for Cyber ​​and Information Security (“NÚKIB”) for 2019, the financial sector is relatively secure, as evidenced by the absence of significant cyber incidents in 2019. It is the clients of financial institutions who often become the target of phishing attacks and are considered the weakest link in the cybersecurity chain.

 However, NÚKIB also points to the fact that there are still differences in the preparedness of individual financial institutions, which is also confirmed by the EC. At the same time, the EC points out that any regulatory measures that are entirely national in nature would not have the desired effect. Uncoordinated national initiatives would not be effective, especially for cross-border financial institutions. This is one of the reasons why DORA, imposing unified obligations on selected entities from the financial sector and their ICT suppliers across the EU, has been drafted.

 As DORA represents a possible fundamental change in the area of ​​compliance for a large number of institutions, we have decided to pay close attention to the obligations that will flow from DORA now. In the coming weeks, colleagues - experts from the PwC Legal and the PwC Cyber ​​& Security team will bring you an overview of the obliged entities and their responsibilities, and introduce you to topics such as “digital operational resilience testing” or “ICT risk management framework”. We believe that adherence to these rules represents sound business practice and can be useful regardless of DORA´s entry into force.

The next article will focus on the chapter II of DORA - ICT Risk Management Framework .***

Veronika Šípošová 

PwC Legal