DORA (the Digital Operational Resilience Act) becomes fully applicable today in the European Union, requiring the entire financial sector to strengthen its protection against cyberattacks and establishing a common framework for responding to digital incidents that affect clients.
Why it matters. Cyberattacks on the financial sector have grown sharply in recent years, putting the operations of banks and insurers at risk… and with them the money and data of their clients.
The current situation. “It is a regulation that becomes applicable after a two-year adaptation period, during which financial institutions have had to prepare to meet all its requirements,” Ingrid González, manager of the digital law and data protection area at the law firm Ceca Magán, explains to WorldOfSoftware.
Strictly speaking, the regulation entered into force two years ago, on January 16, 2023, but with the usual two-year adaptation period. That period ended yesterday, so today it becomes fully applicable.
The context. Banks and insurers depend entirely on computer systems for their operations. A successful cyberattack not only cripples their services, it also compromises their customers’ money, personal data, and banking information.
In detail. The new regulation rests on four pillars:
- It requires financial institutions to strengthen their protection systems.
- It establishes strict notification protocols for when an incident occurs.
- It requires routine testing of resilience against attacks.
- It imposes controls on external technology providers.
Although the regulation does not provide for direct compensation in the event of a cyberattack, it does establish a more protective framework.
“It will depend on what the actual circumstances are under which an ordinary citizen can then initiate a procedure through which he or she will be compensated for the damages he or she may have suffered,” González points out.
The lawyer explains that, in the event of an incident, the client will have different avenues depending on the type of attack suffered: “If we are talking about an incident that affects personal data, we will turn to the data protection regulations. If it affects crypto assets, we will have to turn to the MiCA regulation. If it focuses on the traditional financial sector, we will turn to all the financial sector regulations.”
Between the lines. The new regulation does not establish a single compensation system, but it does force entities to be much more transparent when they suffer an attack.
“It is a regulation that establishes a norm of maximums. It indicates what must be done, not so much what happens if it is not complied with,” explains González, who stresses that the framework of sanctions is “very broad” and ranges from administrative sanctions to “civil claims” by those affected.
What does this mean in practice? The regulation requires banks to:
- Inform their clients “without undue delay” when they suffer a cyberattack that affects their financial interests.
- Keep a detailed record of all incidents, which can later serve as evidence in possible claims.
- Report any serious incident to the authorities within a deadline that will be established in the coming months.
Go deeper. The regulation affects not only traditional banks but the entire financial sector: from insurers to investment platforms, including cryptocurrency companies.
According to a report from the ESRB (European Systemic Risk Board) cited by the regulation, a single successful cyberattack on any of the approximately 22,000 financial institutions in the Union can quickly spread to the entire financial system.
Turning point. It is the first time that Europe has established such a concrete common framework to protect the financial sector, and by extension its clients, from digital threats. In addition, it establishes a system of sanctions for entities that do not comply.
Featured image | Eduardo Soares on Unsplash