IT-Security Regulatory Update | June 2024
Focus: DORA information register, IDW amendments to the NIS-2 Implementation and Cybersecurity Strengthening Act, Insurance Europe annual report
Highlight from June 2024
On June 20 and 21, 2024, the financial supervisory authority BaFin informed financial companies about the requirements for an information register.
Among other things, the following questions were answered:
- What data must be included in the information registers?
- To what level of detail should the data on the ICT services used be kept?
- How are the information registers submitted to the supervisory authority?
- How can it be ensured that the data is submitted in the correct format (“machine-readable”)?
Presentation DORA Information Register
BaFin’s presentation on the DORA information register explains the requirements and principles for maintaining information registers for financial companies that use third-party ICT service providers. Financial companies must keep an information register that includes all contractual agreements with ICT third-party service providers. These registers are used both for internal risk management and to provide information for supervisory authorities. It is important to check the data regularly and correct any errors immediately. The data must be stored for at least five years after the end of the contract. The identification of business functions and their criticality is a key point. Companies need to identify all operational and business functions and assess which ones are critical or important.
Similarly, all ICT services provided by third-party providers that support these critical functions must be recorded in the register. DORA places particular emphasis on distinguishing critical or important functions, i.e. those whose failure could have a significant negative impact on financial performance or regulatory compliance. Subcontractors who support ICT services must also be documented in the register. The EU oversight framework provides standardized templates that contain details on the contractual agreements and the service providers involved. Companies must register themselves on the reporting and publication platform (MVP), which BaFin will activate from January 2025.
To the BaFin presentation | Source: © Federal Financial Supervisory Authority / www.bafin.de
IDW amendments to the NIS-2 Implementation and Cybersecurity Strengthening Act
The Institute of Public Auditors in Germany (IDW) has commented on the draft bill of the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) and proposed further measures to the Federal Ministry of the Interior and for Home Affairs (BMI) for external quality assurance and for strengthening cyber resilience. The IDW criticizes the fact that the obligation to provide evidence of security measures is intended only for operators of critical systems. In view of the heightened cyber threat situation, the IDW calls for this obligation to be extended to particularly important institutions, so that independent third parties provide additional quality assurance through external security audits, inspections or certifications. Furthermore, the IDW rejects the extension of the verification period planned in the draft, from two to at least three years. Given the dynamic threat situation in cyber security, in particular as a result of the Russian war of aggression against Ukraine, the IDW considers a two-year verification period more appropriate for identifying and eliminating risks in good time. The IDW therefore advocates keeping the verification period for operators of critical systems at two years.
Statement by the IDW | Source: Institute of Public Auditors in Germany / www.idw.de
Annual Report Insurance Europe
Insurance Europe has published its 2023–2024 annual report, which also addresses cyber security: the increasing digitalization of the economy raises the risk of cyber attacks. With the NIS1 Directive of 2016, the EU introduced cybersecurity and reporting obligations for operators of essential services for the first time. However, this created inequalities in the insurance sector, as some countries included insurance companies and others did not. In 2020, the EU proposed the NIS2 Directive and the Digital Operational Resilience Act (DORA), which was adopted in 2022. DORA standardizes cybersecurity practices in the financial sector and replaces NIS1 for insurers. The development of the “level 2 measures” is underway, and the insurance sector is working intensively on achieving compliance with DORA by January 2025. These measures include technical standards and risk management requirements. Challenges remain in reporting security incidents and in drafting contracts with third-party providers. The sector welcomes DORA and is actively working to implement the regulations and strengthen cybersecurity.
To the Insurance Europe report | Source: Insurance Europe / www.insuranceeurope.eu
At ADWEKO, we keep an eye on national, European and international regulations for you and support you in their implementation.
- Insurance Europe publishes annual report – Insurance Europe Annual Report 2023–2024
- Terms and conditions of use of the regulations – Certification and Recognition Mark Regulations and IT Security Marks, Version 2.5
- Supplements of the IDW to the NIS-2 Implementation and Cybersecurity Strengthening Act – IDW on the draft of the NIS-2 Implementation and Cybersecurity Strengthening Act
- IDW issues audit guidance on the treatment of the use of IT – IDW audit guidance on the treatment of the use of IT in the audit of financial statements
- Webinar by PwC – The New Generation of ESG Risk Assessment Methods – PwC webinar: The New Generation of ESG Risk Assessment Methods
- IT-Grundschutz-compliant documentation – IT-Grundschutz-compliant documentation: FAQ and introduction
- BSI Magazine 2024/01 – With security – BSI magazine published: Cybernation Germany in focus
- Presentation DORA Information Register – Presentation DORA Information Register