PWC Fortinet NIS DORA Short 2023-05-21
Digital Operational Resilience – Regulatory Developments at EU Level
May 2023
Agenda
3. NIS II in a nutshell
4. DORA – Lex specialis for financial market participants (and their providers)
NIS II & DORA - Cybersecurity & digital operational resilience May 2023
PwC 2
CSSF – Findings from the regulated financial market
Major ICT compliance findings observed by CSSF – before NIS 2 and DORA*
NIS II – in a nutshell
NIS 2
Scope – Deep dive
B. Irrespective of size & sector (non exhaustive)
▪ Providers of public electronic communications networks or of publicly available electronic communications services
▪ Trust service providers
▪ Disruption of the service provided by the entity could have a significant impact on public safety, public security or public health
Annex 2 – Other Critical Sectors
▪ Postal and courier services
▪ Waste management
▪ Manufacture, production and distribution of chemicals
▪ Production, processing and distribution of food
▪ Manufacturing
▪ Digital providers
▪ Research
NIS 2
Main requirements
1. Coordinated Cybersecurity Frameworks
▪ National Cybersecurity strategy (e.g. policies to address cybersecurity in supply chain for ICT products/services used by entities for their services; cybersecurity requirements in public procurement)
▪ Single point of contact
▪ National cyber crisis management framework for large-scale incidents and crisis
▪ Computer security incident response teams (CSIRTs)*
▪ European vulnerability database
2. Cooperation at EU and International Level
▪ Cooperation group (biennial work programme; MS, EC, ENISA) → provide guidance to competent authorities
▪ CSIRTs framework (coordination and alignment between local CSIRTs, e.g. on incidents, near misses, cyber threats, risks and vulnerabilities)
▪ EU cyber crisis liaison organisation network (EU-CyCLONe)
▪ Peer reviews (voluntary participation of MS)
3. Cybersecurity Risk-Management Measures to protect network and information systems**
▪ Governance for cybersecurity risk-management measures → responsibility at management body level
▪ Cybersecurity risk-management measures are based on an all-hazards approach regarding risks posed to the security of the network and information systems used for operations/provision of services → minimisation of impact
▪ Minimum measures (non exhaustive):
  ▪ Policies on risk analysis, information security, effectiveness of measures
  ▪ Incident handling
  ▪ BCP and DRP
  ▪ Supply chain security
  ▪ Basic cyber hygiene practices
  ▪ Authentication requirements
4. Incident & Reporting
▪ Notification requirements to CSIRT/NCA and to clients in case services are significantly impacted**
▪ Notification requirements to clients in case they are potentially affected by significant cyber threats re any measures or remedies (potentially re the incident itself)**
▪ Defined reporting timelines (as of becoming aware):
  ▪ Early warning within 24 hours to CSIRT/NCA of becoming aware of a significant incident
  ▪ Significant incident notification within 72 hours incl. severity and impact and indicators of compromise
  ▪ One month after notification final report
* e.g. monitoring and analysing cyber threats, vulnerabilities and incidents at national level; responding to incidents and providing assistance to the essential and important entities (e.g. proactive scanning of network and information systems)
** Relevant for essential and important entities as defined in article 3 (e.g. > 250 employees and annual turnover/annual balance sheet <= EUR 43 mil.)
DORA – Lex specialis for financial market participants (and their providers)
Digital Operational Resilience Act
Resilience of financial services provided and regulatory compliance as the focus
DORA (Digital Operational Resilience Act) defines detailed and comprehensive regulations for digital operational resilience at EU level.
“In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience baseline for financial entities should be increased.”
Pillars:
▪ Governance
▪ ICT Risk Management
▪ ICT Incident Reporting
▪ Digital Operational Resilience Testing
▪ Management of risk by third-party ICT providers
▪ Information Sharing
Scope: around 22,000 financial companies in the EU, including credit institutions, insurance companies, institutions for occupational retirement provision, AIFMs, market infrastructures, etc., as well as ICT service providers.
DORA
Timeline
22.04.2022 – CSSF 22/806 enters into force
16.01.2023 – DORA enters into force
Mid June 2023*
▪ Publication of the CP RTS on risk management framework and ICT policy
▪ Publication of the CP RTS on classification of major ICT incidents
▪ Publication of the CP ITS on the register of information
▪ Publication of the CP RTS ICT outsourcing (content of register, content of contracts)
November 2023*
▪ Publication of the CP RTS ICT and sub-outsourcing requirements
▪ Publication of the CP RTS on reporting of major ICT incidents
▪ Publication of the CP RTS on threat-led penetration testing (TLPT)
▪ Common guidelines on the estimation of aggregated annual costs and losses regarding response and recovery from major ICT-related incidents
17 January 2024 – Finalised RTS/ITS
▪ RTS on risk management framework and ICT policy (Art. 15)
▪ Simplified ICT risk management framework (Art. 16)
▪ Classification of major ICT incidents (Art. 18)
▪ Outsourcing (content of register, content of contracts) (Art. 28/9)
▪ Outsourcing (policy regarding ICT third party risk and multi-vendor strategy/concentration risk) (Art. 28/2, 3)
17 June 2024 – Finalised RTS/ITS
▪ Common guidelines on the estimation of aggregated annual costs and losses regarding response and recovery from major ICT-related incidents (Art. 11/11)
▪ Harmonized reporting content (standard forms, templates and procedures) to report major IT-related incident and significant cyber threat (Art. 20)
▪ Threat-led penetration testing (qualification of testers, requirements and governance for internal testers, testing methodology, results, closure and remediation of testing) (Art. 26/11)
▪ Sub-outsourcing and further contractual arrangements and requirements (Art. 30/5)
▪ Oversight of ESAs vs critical ICT 3rd party providers (Art. 41/2)
16.01.2025 – Enforcement of DORA
*Based on the presentation of the joint ESA on 6 February 2023 – these are drafts for consultation
DORA
Overview of requirements
▪ ICT Governance
▪ ICT Risk Management
▪ ICT Incident Reporting
▪ Digital Operational Resilience Testing
▪ Management of risk by third-party ICT providers
▪ Information Sharing
Managing ICT third-party risk
Holistic management of ICT third-party risk through contractual & operational mechanisms
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. For critical or important functions, ICT third-party service providers must apply the most up-to-date and highest quality information security standards.
DORA – Operational view
DORA
Operating chain as the basis for DORA implementation
Operating Chain
1 Services / Activities (A): What services/activities are provided by whom (corporate, fund, asset)?
4 Data (Information Asset)* (D): What collection of information (tangible/intangible) is worth protecting?
5 Technology (ICT Assets)* (E): What software and hardware is used?
6 Network & Information Systems* (F): What network and information systems are used?
(Delegated Operational Model)
* Defined in DORA
DORA
Identification of operating chain applied – simplified
Main Services/ Activities
Information Assets*: DD Information, RFP Information, Policies, Executed Contract, Client Information, AML/ KYC, Contract Assessment
ICT Assets Layer**: Software, Hardware
Network + Information System Layer:
• Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data (Art. 6(1)b 2022/2555)
• Digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance (Art. 6(1)c 2022/2555)
• Until 17 April 2025 and upon request of the Commission, Member States may notify the Commission of the names of the essential and important entities referred to in paragraph 5, point b) (Art. 6(1)c 2022/2555)
* ‘information asset’ means a collection of information, either tangible or intangible, that is worth protecting
** ‘ICT asset’ means a software or hardware asset in the network and information systems used by the financial entity
Key Next Steps for Financial Entities
The Roadmap to DORA-Compliance and greater Operational Resilience
16.01.2023 – DORA Entry into force
Q1 2023 – regular, close contact with regulators
Q2/Q3 2023 – Joining regulatory dots together
Q3/Q4 2023 – strategic subject matter expertise
2023 - 2025 – Inhouse tools and technical solutions
Thank you for your trust.
PwC Luxembourg: 2, rue Gerhard Mercator, P.O. Box 9616, L-1443 Luxembourg
T: +352 49 48 48 3612 / M: +352 621 33 4132
Email: michael.h.horvath@pwc.lu, vojtech.volf@pwc.lu
PwC Netherlands: 1006 GC Amsterdam, The Netherlands
Tel: +31 (0)88 792 76 71 / F: +31 (0)88 792 76 71 / M: +31 (0)6 51 26 73 06
Email: hans.borghouts@nl.pwc.com
www.pwc.lu
In this document, “PwC” or “PwC Luxembourg” refers to PricewaterhouseCoopers, Société coopérative which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity. PwC IL cannot be held liable in any way for the acts or omissions of its member firms.