New EU cybersecurity laws take effect, but many banks are still not compliant

London: Tough new EU cybersecurity rules for banks took effect on 17 January 2025, but many banks are still scrambling to meet them. The Digital Operational Resilience Act, or DORA, is intended to ensure that financial services firms can withstand, respond to and recover from cyberattacks and other ICT disruptions.
Non-compliance can be costly: fines of up to 2% of global revenue have been cited for firms that fall short, and individual managers can also be held personally liable. So it is no surprise that compliance levels vary widely, according to Harvey Jang from Cisco.
He said that while some banks are well ahead, others are still working out what the rules demand of them. The complexity of the rules is a real challenge, and it is not always clear what "compliance" means in practice. That uncertainty has led some banks to go beyond what is strictly required, simply to be safe.
Under DORA, banks must strengthen their ICT risk management and incident reporting, regularly test their digital operational resilience, and share information on cyber threats with peers. They must also manage third-party ICT risk closely, including maintaining a register of their outsourcing arrangements, which is no small task.
A survey found that 43% of UK financial institutions are not yet fully compliant. Although the UK is no longer in the EU, DORA applies to any financial entity operating in the EU, so UK firms with EU business still have to comply, which complicates matters for them.
Richard Lindsay from Orange Cyberdefense pointed out that managing third-party IT providers is a major hurdle for banks. The digital supply chain is highly complex, and ensuring compliance across every provider is a substantial job.
As banks negotiate contracts with technology suppliers, they are being especially careful because of DORA's strict requirements. Jang believes that while the principles of the law are sound, the specifics can be tricky.
Despite the hurdles, experts expect banks to reach compliance before long. Many already have mature governance and compliance functions, which should help them adapt to DORA.
IT suppliers are also in the spotlight under DORA. Those designated as critical ICT third-party providers come under direct EU oversight and can face periodic penalty payments of up to 1% of their average daily worldwide turnover if they fail to cooperate, a strong incentive to take the rules seriously.
Looking ahead, some banks may bring parts of their security operations back in-house, which could simplify compliance. Where functions remain outsourced, contracts will need updating so that DORA's requirements, such as audit rights and incident notification, are written into the agreement.
Other cybersecurity regulations are also arriving, notably the NIS 2 Directive, which applies across many sectors; for financial entities DORA takes precedence as the sector-specific regime, but firms still need to understand how the two fit together. As with any new set of rules, there will be a learning curve as organisations adjust.