IT Security Regulatory Update | April 2023

Focus: New European IT Security Requirements, Cyber Incident Reporting, RTS/ITS under DORA

Highlight from April 2023

New EU IT security and data protection requirements in progress

In April, the European Commission published three new initiatives in the areas of IT, cybersecurity and data protection, which we take a closer look at below.

Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

IT security, cybersecurity and data protection await update from EU

The European Commission recently presented drafts of a new legal act and two delegated acts dealing with the topics of IT or cybersecurity and data protection.

1st Cyber Solidarity Act Initiative

The proposed regulation addresses threats and vulnerabilities in the context of cybersecurity and aims to address the risks and threats arising from the increasing use of information and communication technologies (ICT). A major factor is the growing risk of spill-over effects across national borders. Moreover, the use of cyber and hybrid components in acts of war is becoming increasingly likely, and legislative bodies must draw the consequences. In view of this, the EU Commission considers improving information exchange and creating collective capacities for addressing cyber threats to be a promising measure, which it would like to embed in the Cyber Solidarity Act.
The Commission is accepting comments on the initiative until June 29, 2023, which you can find here.

2nd Cyber Skills Proposal Amendment

In its Cybersecurity Act of 2019, the EU created the possibility of having cybersecurity products and services certified. Three certification schemes have already been presented by the European Union Agency for Cybersecurity (ENISA): the European Cybersecurity Certification Scheme (EUCC), the Cybersecurity Certification Scheme for Cloud Services (EUCS) and the EU 5G Scheme for network devices and identification. In this proposal, the Commission also introduces certification for managed security services, as they are steadily gaining relevance and a quality feature is therefore to be established for them.
The Commission is accepting feedback on the proposal until June 29, 2023, which you can find here.


3rd Delegated Regulation on data access

With the Digital Services Act published in October 2022, the European legislator has, among other things, introduced liability and security rules for digital platforms, services and products. Under the Regulation, the EU Commission is required to prepare delegated acts in this regard and is now taking a step towards data access. Specifically, it concerns giving vetted researchers access to data from very large online platforms and search engines. This is one of the key measures of the Digital Services Act to increase the transparency and accountability of platforms.
Until May 23, 2023, the Commission is accepting feedback on the exploratory survey, which you can provide here on the Commission’s website.

Source: European Commission – ec.europa.eu

FSB sets out recommendations for convergence in cyber incident reporting

As the number of cyber incidents increases, the interconnectedness within the financial industry also makes it more likely that a single incident will affect multiple institutions. This in turn increases the likelihood of cross-border and cross-sector spill-over effects. Against this backdrop, the G20 considers timely and accurate information on cyber incidents essential to address them appropriately and maintain financial stability. Based on this, the FSB consulted on a document on convergence in cyber incident reporting and is now publishing the final report.

In the report, the FSB addresses commonalities among the various reporting frameworks and presents practical challenges in gathering information around cyber incident reports and sharing information among financial regulators. To address these, the report makes 16 recommendations for action based on best practices. The recommendations are grouped into 4 categories: Approach to Reporting, Supervisory Activities and Cooperation among Supervisors, Financial Entity Involvement, and Competency Development.

You can find the report of the FSB here, on its website.

The FSB has updated its cyber lexicon as part of this push to increase convergence in cyber incident reporting. The definitions and taxonomies noted there are necessary for promoting cyber resilience and convergence in reporting.

The lexicon is intended to ensure a common understanding of terminology to facilitate the assessment and monitoring of financial stability risks in the context of cyber risk. It is also intended to facilitate information sharing and provide guidance to standard-setting agencies in the context of cybersecurity and resilience.

You can find the updated FSB lexicon here on its website.

As part of its work to increase convergence for cyber incident reporting, the FSB has also found that the information required by different regulators is largely congruent. Here, the FSB sees an opportunity to benefit from these similarities and define a common reporting format. This would make information gathering and sharing easier.

In its report, the FSB addresses feedback received on the Format for Incident Reporting Exchange (FIRE) and presents potential benefits, risks, and costs. It also addresses how FIRE development will be advanced.

You can find the FSB proposal here on its website.

Source: Financial Stability Board, c/o Bank for International Settlements, Basel, Switzerland – fsb.org

Update on DORA RTS and ITS by ESMA

In its overview of planned consultations in 2023, ESMA puts delegated and implementing acts under the Digital Operational Resilience Act (DORA) on a timeline, among other things. Accordingly, it has scheduled the first consultations on regulatory technical standards (RTS) and implementing technical standards (ITS) for Q2 2023, with the second consultations to follow in Q4 2023.

By providing further details on individual aspects of DORA, ESMA will hopefully soon make its implementation easier for affected institutions and ICT service providers.

You can find the ESMA overview here on their website.

Source: European Securities and Markets Authority – ESMA, esma.europa.eu

With the help of our overview page about DORA, we will be happy to keep you up to date.

With the three new (delegated) legal acts under consideration, the EU Commission is taking a significant step forward in terms of cybersecurity and the use of ICT. Stay up to date with ADWEKO on further developments in this area.

We will be happy to assist you with our expertise in checking your compliance maturity level and implementing IT security requirements and measures.

Talk to Pia Streicher!
