IT-Security Regulatory Update | May 2022
Highlight from May 2022
EU Security Union Strategy – Is this what the future of IT security within Europe looks like?
In its fourth progress report on the Security Union, the EU Commission highlights, among other things, the impact of the conflict between Russia and Ukraine. In the context of IT security in particular, significant new risks have emerged in recent months, making the implementation and adoption of European legislation on IT security increasingly important.
The future of IT security in Europe
With the ongoing war between Russia and Ukraine, risk is increasing, but so is IT security awareness. In addition to various supervisory authorities, the EU Commission also takes this up in its fourth progress report on the implementation of the EU Security Union Strategy.
Increasingly, so-called “hacktivism” is taking place for and against both sides, on which the EU has already taken a stand. Besides being illegal, hacktivism can produce spillover effects. These have led the EU to increase its efforts around coordination and preparedness in the context of IT risk. In addition, the risks derived from the conflict in general demonstrate the need for a culture of information sharing and exchange of experience within the EU, its member states, and the cybersecurity communities. In this way, the smooth functioning of the internal market can be ensured.
However, this also shows the necessity of implementing published legislative texts and adopting pending EU legislative initiatives. As a positive example, the Commission cites the NIS2 Directive (Network and Information Security Directive), on which political agreement has been reached. The NIS2 Directive is accompanied by other legal acts, such as the Directive on the resilience of critical entities (CER), the Cybersecurity Regulation for EU Institutions, Bodies and Agencies, and the Information Security Regulation.
On the one hand, the NIS2 Directive is intended to remedy the weaknesses of the preceding directive. On the other hand, it forms the baseline for risk management measures in the context of cyber risks. It will also be used to set up the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will take care of the coordinated management of large-scale cybersecurity incidents. The deadline for transposition into national law is to be 21 months.
The progress report can be found here on the website of the Commission.
Source: European Commission – ec.europa.eu
ICT risks require further efforts by the regulatory authorities
Every year, the European Banking Authority (EBA) looks at the convergence of supervisory practices in the EU. In the 2021 report, the EBA highlights that overall it is very satisfied with the implementation of the defined priorities in supervisory practice. At the same time, however, the report clarifies that further efforts are needed on various issues.
In 2021, the EBA focused on the management of capital and liabilities as well as on asset quality and credit risk management. These focal points arose primarily against the backdrop of the pandemic, leaving little room for ICT (information and communications technology) and security risks, operational resilience, profitability, and business models. Accordingly, the EBA sees further potential here to promote supervisory convergence and, in its annual report, highlights the following topics on the agenda for 2022:
- Cyber risks, including outsourcing and ICT requirements
- Digital transformation and its impact on the business model
- Feasibility of funding in the context of MREL (minimum requirement for own funds and eligible liabilities)
- Capital requirements
It is clear from the report that, despite good overall development, further supervisory activities are to be expected, especially in the areas of IT security, information and communications technology, and outsourcing.
You can find the report here on the website of the EBA.
Source: European Banking Authority – EBA, eba.europa.eu
BaFin looks back on the year 2021
In its 2021 annual report, the German Federal Financial Supervisory Authority (BaFin) looks at its supervisory activities and identifies IT security, among other things, as a recurring topic. In 2021, not only was the Data Intelligence Unit created as a link between the business units and IT, but IT oversight was also strengthened. This includes cyber risk prevention and the monitoring of interconnected IT outsourcing providers. In addition, the amendment to BAIT (supervisory requirements for IT in financial institutions) and the new ZAIT (supervisory requirements for IT in payment and e-money institutions) were published. The focus on IT security and outsourcing is also reflected in audit practice: last year, BaFin conducted 94 special audits at LSIs (less significant institutions) with a focus on § 25a para. 1 of the German Banking Act.
You can find the annual report 2021 here on the BaFin website.
Recently, BaFin reached an agreement with the Federal Ministry of Finance on their new principles of cooperation. You can find this here on the BaFin website.
Finally, the English version of the Minimum Requirements for Risk Management was also published in May, which you can find here on the BaFin website.
Source: © German Federal Financial Supervisory Authority / www.bafin.de
IT security remains on the supervisory and legislative agenda. In addition to the NIS2 Directive and its transposition into national law, which are expected in the long term, further regulatory tightening can be expected in the short to medium term and should be taken into account accordingly. At the same time, you should ensure that you have implemented the current regulatory and legal requirements in an audit-proof manner.
We at ADWEKO are happy to assist you in this process.