IT-Security Regulatory Update
| September 2022
Focus: Cyber Resilience
Highlight from September 2022
Cyber resilience regulation gathers momentum
The Commission has adopted the draft edited after the March consultation and is seeking feedback from market participants on the regulation. Products with digital components are affected, including SIEM systems, IAM systems, and smart cards.
EU Commission asks for feedback on cyber resilience
IT security and cyber resilience are more relevant than ever. This is reflected in various initiatives, regulatory advances and reports from regulators and legislators, on which we report regularly. The EU plans to develop strategically further in this direction and has presented a corresponding EU strategy for the Security Union. You can read more about this here in our update from May 2022.
In the course of these developments, a regulation for cyber resilience was consulted in March 2022 (you can read details here in our update). The public consultation has been completed and a revised draft has been adopted by the Commission, which is now seeking feedback by early December.
The reason for the proposed regulation is that hardware and software products are increasingly targets for cyberattacks. In this context, annual costs of several trillion euros are expected. The existing national requirements are not sufficient to provide an adequate level of protection, therefore a harmonized and overarching requirement is necessary. It aims to increase consumer confidence and make EU products with digital elements more attractive. It is also intended to establish a level playing field and increase legal certainty.
In terms of content, the current draft of the act covers various points. Basically, it affects all products with digital elements, for example identity management systems, SIEM systems and remote access systems, but also smartcards and firewalls.
On the one hand, it defines the conditions under which products with digital elements may be placed on the market in general. This is to ensure the cybersecurity of the products ex factory. Accordingly, it also includes basic requirements for product design, its development and production.
However, the proposal goes much further by also regulating how vulnerabilities are to be dealt with throughout the lifecycle of a product with digital components. It is furthermore aimed not only at the manufacturers of the products, but also at importers and sellers. The new requirements are to become applicable 24 months after their publication.
The current draft version including the annexes and impact assessments can be found
on the website of the European Commission.
Source: European Commission –
As can be seen from the above examples, these requirements affect the financial industry at least indirectly, as it is at least a beneficiary of some of these systems and products. Increased cybersecurity ex facorty and during the lifecycle results in advantages for use in the institute and the assurance of a high level of IT security. If institutes develop such systems themselves, the new requirements are applicable and must be observed.
7th MaRisk amendment in consultation
The BaFin published the consultation on the 7th MaRisk amendment on September 26 and is accepting comments until October 28, 2022. She had already announced this publication in January (details can be found here in our January update).
Once finalized, the published draft is intended to replace the currently valid MaRisk.
As announced in January, the amendment primarily addresses the implementation of the EBA Guidelines on loan origination and monitoring (here on the EBA website). Accordingly, thematic innovations can be found in particular in the inclusion of the specifications on loan origination and monitoring.
In addition, the draft of the circular deals with real estate transactions and business model analysis, where clarifications are mainly provided. The possibility of permanent trading in the home office is also taken up as a direct consequence of the Corona pandemic. The new draft also addresses sustainability risks, which must now be explicitly taken into account in the risk inventory and in risk management and controlling overall. Finally, BaFin has included when disproportionate regulations should apply to significant development banks.
The draft of the circular can be found here on the BaFin website.
Source: © German Federal Financial Supervisory Authority / www.bafin.de
DORA and MiCa 2023 in the focus of the EBA
The EBA’s supervisory priorities for 2023 can be found in its work program for the coming year. There, the banking authority took up six focus areas for the upcoming year.
It cites the finalization of the Basel framework as the first point in this regard. As a result, further implementation requirements around the contents of CRR and CRD can be expected in the course of 2023. Next, the EBA takes up pan-European stress testing as well as data aggregation and the sharing of data and information with stakeholders.
In addition, Digital Finance and the two legal acts DORA (Digital Operational Resilience Act, here on the website of the Publications Office of the European Union) and MiCA (Markets in Crypto-assets Act, here on the website of the Publications Office of the European Union). EBA is involved in the implementation of both projects and is directly affected by some of the specifications. Both legal acts are currently in their first reading in the European Parliament and are already eagerly awaited by the market. They both entail high implementation requirements, which market participants should actively address.
Finally, the topics of anti-money laundering and prevention of terrorist financing as well as the implementation of the ESG Roadmap 2023 will be on EBA’s agenda.
You can find the EBA work program for 2023 here on their website.
Source: European Banking Authority – EBA, eba.europa.eu
When adjustments are made around products with digital elements, there is bound to be an impact on the financial industry as well as its service providers and suppliers. Institutions should consider whether they are affected directly as manufacturers, sellers or importers, or indirectly as users of such products.
We at ADWEKO will be happy to assist you with our expertise in the assessment and the development as well as implementation of further steps.
The current regulatory developments can be found here.
European Parliament publishes briefing on regulation on measures for a high common level of cybersecurity in EUIBA
BSI addresses proper IT administration in the context of the IT-Grundschutz Compendium. To the BSI Community Draft. To the BSI cross-reference table.
BSI addresses general IT operations in the context of the IT-Grundschutz Compendium
ESAs warn of rising risks in their fall risk report
EIOPA publishes information on feedback on its recommendation on the management of non-affirmative cyber exposures
ESRB warns of weak points in the financial system
BSI publishes guidance on attack detection systems
BSI publishes updated version of community draft of standard 200-4
BSI publishes development status for BSI Standard 200-4
BSI publishes brochure on cyber security for SMEs
BSI shares sample test plan in MS Excel format
BSI addresses outsourcing offer in the context of the IT-Grundschutz compendium
BSI publishes finalized module OPS.2.3 Use of outsourcing.
To the 2023 edition.
To the KRT (cross-reference table).