
Cybersecurity & Digital Operational Resilience
Regulatory Developments at EU Level

Network and Information Security Directive 2 (NIS 2)
Digital Operational Resilience Act (DORA)

May 2023
Agenda

1. CSSF – Findings from the regulated financial market

2. NIS II vs. DORA

3. NIS II in a nutshell

4. DORA – Lex specialis for financial market participants (and their providers)

5. DORA – Operational view

NIS II & DORA - Cybersecurity & digital operational resilience May 2023
PwC 2
CSSF – Findings from the regulated financial market
Major ICT compliance findings observed by CSSF – before NIS 2 and DORA*

ICT governance
▪ Lack of IT strategy
▪ Insufficient monitoring of IT activities
▪ Incomprehensive documentation of the IT application and system landscape
▪ Low coverage of ICT risks by the 2nd line of defense
▪ Low coverage of IT activities in internal audit plan and lack of relevant ICT skills

ICT risk management
▪ Lack of policies & procedures
▪ Incomplete and inappropriate ICT risk management framework (i.e. inventory and mapping of IT assets, risk assessment methodology and documentation; lack of IT asset inventory, no mapping)
▪ Management of cyber threats and remediation of critical vulnerabilities
▪ Inappropriate management of privileged access rights
▪ Inadequate and incomplete user access review
▪ Weak controls environment with regards to the security of new IT development practices
▪ Missing/Inadequate BCPs
▪ Lack of testing

Management of risk by third-party ICT providers
▪ Inadequate outsourcing governance (i.e. incomplete register, inadequate materiality assessment process, no formal approval process)
▪ Incomplete SLA & ineffective outsourcing monitoring

* CSSF already provided various market participants (all sizes) with dedicated DORA questionnaires regarding readiness.
NIS II vs. DORA
NIS 2 & DORA
Objectives, scope, timeline

NIS 2
Objectives: Measures that aim to achieve a high common level of cybersecurity across the Union
Scope (simplified):
▪ Public or private entities that are at least medium sized and referred to in Annex I or II of NIS 2
▪ Various other entities regardless of size, such as providers of public electronic communications networks or services, or entities whose disruption of services can have significant impact/risk on public/sectors
Timeline:
▪ In force as of 16 January 2023
▪ National application as of 18 October 2024

DORA
Objectives: Achieve a high common level of digital operational resilience via uniform requirements concerning the security of network and information systems supporting the business processes of financial entities
Scope (simplified): Regulated financial entities such as credit institutions, AIFMs, central counterparties and ICT third-party service providers
Timeline:
▪ In force as of 16 January 2023
▪ Application as of 17 January 2025
NIS II – in a nutshell
NIS 2
Scope – Deep dive

SCOPE

A. Size & sector related
Public or private entities that
▪ are referred to in Annex I or Annex II (see below),
▪ qualify at least as medium-sized entity (>50 employees and annual turnover/balance sheet > EUR 10 mil.), and
▪ which provide their services or carry out their activities within the Union.

B. Irrespective of size & sector (non exhaustive)
▪ Providers of public electronic communications networks or of publicly available electronic communications services
▪ Trust service providers
▪ Disruption of the service provided by the entity could have a significant impact on public safety, public security or public health

NIS 2 Annex 1 – Sectors of High Criticality
▪ Energy
▪ Transportation
▪ Banking
▪ Financial market infrastructures
▪ Health
▪ Drinking water
▪ Waste water
▪ Digital infrastructure (e.g. cloud computing service providers, data centre service providers)
▪ ICT service management (B2B) (e.g. managed service / security service providers)
▪ Public administration
▪ Space

Annex 2 – Other Critical Sectors
▪ Postal and courier services
▪ Waste management
▪ Manufacture, production and distribution of chemicals
▪ Production, processing and distribution of food
▪ Manufacturing
▪ Digital providers
▪ Research
NIS 2
Main requirements

1 Coordinated Cybersecurity Frameworks
▪ National Cybersecurity strategy (e.g. policies to address cybersecurity in supply chain for ICT products/services used by entities for their services; cybersecurity requirements in public procurement)
▪ Single point of contact
▪ National cyber crisis management framework for large-scale incidents and crisis
▪ Computer security incident response teams (CSIRTs)*
▪ European vulnerability database

2 Cooperation at EU and International Level
▪ Cooperation group (biennial work programme; MS, EC, ENISA) → provide guidance to competent authorities
▪ CSIRTs network (coordination and alignment between local CSIRTs, e.g. on incidents, near misses, cyber threats, risks and vulnerabilities)
▪ EU cyber crisis liaison organisation network (EU-CyCLONe)
▪ Peer reviews (voluntary participation of MS)

3 Cybersecurity Risk-Management Measures to protect network and information systems**
▪ Governance for cybersecurity risk-management measures → responsibility at management body level
▪ Cybersecurity risk-management measures are based on an all-hazards approach regarding risks posed to the security of the network and information systems used for operations/provision of services → minimisation of impact
▪ Minimum measures (non exhaustive):
▪ Policies on risk analysis, information security, effectiveness of measures
▪ Incident handling
▪ BCP and DRP
▪ Supply chain security
▪ Basic cyber hygiene practices
▪ Authentication requirements

4 Incident & Reporting
▪ Notification requirements to CSIRT/NCA and to clients in case services are significantly impacted**
▪ Notification requirements to clients in case they are potentially affected by significant cyber threats re any measures or remedies (potentially re the incident itself)**
▪ Defined reporting timelines (as of becoming aware)
▪ Early warning within 24 hours to CSIRT/NCA of becoming aware of a significant incident
▪ Significant incident notification within 72 hours incl. severity and impact and indicators of compromise
▪ One month after notification: final report

* e.g. monitoring and analysing cyber threats, vulnerabilities and incidents at national level; responding to incidents and providing assistance to the essential and important entities (e.g. proactive scanning of network and information systems)
** Relevant for essential and important entities as defined in article 3 (e.g. > 250 employees and annual turnover/annual balance sheet <= EUR 43 mil.)
DORA – Lex specialis for financial market participants (and their providers)
Digital Operational Resilience Act
Resilience of financial services provided and regulatory compliance as the focus

Overview
DORA (Digital Operational Resilience Act) defines detailed and comprehensive regulations for digital operational resilience at EU level.

“In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience baseline for financial entities should be increased.”

Topics
▪ Governance
▪ ICT Risk Management
▪ ICT Incident Reporting
▪ Digital Operational Resilience Testing
▪ Management of risk by third-party ICT providers
▪ Information Sharing

Scope
Around 22,000 financial companies in the EU, including credit institutions, insurance companies, institutions for occupational retirement provision, AIFMs, market infrastructures, etc., as well as ICT service providers.
DORA
Timeline

22.04.2022 – CSSF 22/806 enters into force

16.01.2023 – DORA enters into force

Mid June 2023*
▪ Publication of the CP RTS on risk management framework and ICT policy
▪ Publication of the CP RTS on classification of major ICT incidents
▪ Publication of the CP ITS on the register of information
▪ Publication of the CP RTS ICT outsourcing (content of register, content of contracts)

November 2023*
▪ Publication of the CP RTS ICT and sub-outsourcing requirements
▪ Publication of the CP RTS on reporting of major ICT incidents
▪ Publication of the CP RTS on threat-led penetration testing (TLPT)
▪ Common guidelines on the estimation of aggregated annual costs and losses regarding response and recovery from major ICT-related incidents

17 January 2024 – Finalised RTS/ITS
▪ RTS on risk management framework and ICT policy (Art. 15)
▪ Simplified ICT risk management framework (Art. 16)
▪ Classification of major ICT incidents (Art. 18)
▪ Outsourcing (content of register, content of contracts) (Art. 28/9)
▪ Outsourcing (policy regarding ICT third party risk and multi-vendor strategy/concentration risk) (Art. 28/2, 3)

17 June 2024 – Finalised RTS/ITS
▪ Common guidelines on the estimation of aggregated annual costs and losses regarding response and recovery from major ICT-related incidents (Art. 11/11)
▪ Harmonized reporting content (standard forms, templates and procedures) to report major ICT-related incidents and significant cyber threats (Art. 20)
▪ Threat-led penetration testing (qualification of testers, requirements and governance for internal testers, testing methodology, results, closure and remediation of testing) (Art. 26/11)
▪ Sub-outsourcing and further contractual arrangements and requirements (Art. 30/5)
▪ Oversight of ESAs vs critical ICT 3rd party providers (Art. 41/2)

16.01.2025 – Enforcement of DORA

* Based on the presentation of the joint ESAs on 6 February 2023 – these are drafts for consultation
DORA
Overview of requirements

ICT Governance / ICT Risk Management
• The ICT risk management framework must be detailed and aligned with the corporate strategy and objectives
• A strategy for digital resilience must be defined incl. definition of risk tolerance level
• Enhance first line of defence capabilities, from threat detection to response, recovery, and communications, with emphasis on - but not limited to:
❖ Threat scenario modelling
❖ Cyber protection and prevention
❖ Business continuity and disaster recovery

ICT Incident Reporting
• Reporting of ICT-related incidents (and significant cyber threats)
• Submission of initial, interim, and final reports on serious ICT-related incidents (and significant cyber threats)
• Conducting a root cause analysis after ICT-related incidents
• Identification and reporting of required improvements

Digital Operational Resilience Testing
• Annual testing of all critical ICT systems
• Advanced threat-led penetration testing every 3 years
• Involvement of ICT third-party providers

Management of risk by third-party ICT providers
• Integration into ICT risk management framework
• Assessment of ICT concentration risk and sub-outsourcing
• Restricted use of third-party ICT providers in third countries
• Information register
• Reporting to CSSF
• BEFORE: Due diligence & CoI
• AFTER: Rights of access & inspection (incl. CSSF) AND audit
• Contractual agreements & Communication (e.g. SLA with customers)

Information Sharing
• Sharing cyber threat intelligence and insight to improve digital operational resilience
• Agreements on the exchange of information (incl. conditions for participation)
• Implementation of mechanisms to review and take action on the information shared by the authorities
Managing ICT third-party risk
Holistic management of ICT third-party risk through contractual & operational mechanisms

Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. For critical or important functions, ICT third-party service providers must apply the most up-to-date and highest quality information security standards.

What‘s new in DORA?
• Principles for monitoring risks arising for financial institutions from ICT service providers, both in terms of ICT procurement and outsourcing arrangements.
• Harmonization of essential elements of ICT services and relationships between financial institutions and ICT third parties, incl. contractual aspects that allow risk monitoring at all stages of the third party management life-cycle.
• Convergence of supervisory approaches at European level by establishing a unique Oversight framework at individual level for ICT service providers designated as critical.

ICT Risk Management Framework
Introduction of an ICT risk management framework that includes
• Risk tolerance levels for ICT risks & impact tolerance in the event of disruption related to ICT services, incl. those managed by third parties
• A holistic multi-vendor strategy for ICT/cyber services that identifies key dependencies on third parties for each entity, approved by the BoD

Pre Contract
• Assessment of the criticality of the function that is outsourced
• Identification & assessment of all risks associated with the provided service, including concentration risks and sub-outsourcing (esp. suppliers operating in 3rd countries)
• Due diligence on third party ICT service providers
• Identification and assessment of potential conflicts of interest

Contract
• Minimum contractual requirements for all ICT services
• Voluntary use of the standard contractual clauses established by the EU Commission for ICT and Cloud Computing
• Inclusion of information security requirements
• Annual reporting to the Authority of all ICT service contracts

Contracting
• Assess and monitor third party risk, taking into account ICT asset dependencies, contractual clauses and the principle of proportionality
• Maintaining the information register for all ICT suppliers
• Monitoring SLAs and performance management
• Integration with management processes required for specific supplier obligations, including
− Configuration & Asset Management
− Incident Management
− Digital Resilience Testing Program

Post Contract
• Existence of contractual clauses for possible termination cases
• Definition and implementation of operational strategies/plans in case of early termination of the contract.
DORA – Operational view
DORA
Operating chain as the basis for DORA implementation

Operating Chain

Business / Service Model
1 Services / Activities – A: What services/activities are provided by whom (corporate, fund, asset)?
2 Functions – B: What functions are involved?
3 Processes (in house / delegated) – C: What processes are required?

Operational Model
4 Data (Information Asset)* – D: What collection of information (tangible/intangible) is worth protecting?
5 Technology (ICT Assets)* – E: What software and hardware is used?
6 Network & Information Systems* – F: What network and information systems are used?

* Defined in DORA
DORA
Identification of operating chain applied – simplified

Services/Activities Layer – Main Services/Activities
1 Client Onboarding
2 Product Design
3 Portfolio Management
4 Risk Management
5 Maintenance
6 Fund Admin
7 Transfer Agent
8 ESG Services
9 Ancillary Services
10 Client Maintenance

Business Process Layer (Client Onboarding)
Step 1: Identification / Due Diligence / KYC
Step 2: RFP Response
Step 3: Assessment and Offer
Step 4: Signing
Step 5

Information Assets*
Client Information, AML/KYC Assessment, DD Information, RFP Information, Policies, Contract, Executed Contract

ICT Assets Layer**
Software, Hardware

Network + Information System Layer
• Electronic Communications Network (Art. 2(1) 2018/1972)
• Any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data (Art. 6(1)b 2022/2555)
• Digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance (Art. 6(1)c 2022/2555)
• Until 17 April 2025 and upon request of the Commission, Member States may notify the Commission of the names of the essential and important entities referred to in paragraph 5, point b) (Art. 6(1)c 2022/2555)

* ‘information asset’ means a collection of information, either tangible or intangible, that is worth protecting
** ‘ICT asset’ means a software or hardware asset in the network and information systems used by the financial entity
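The operating chain above is a layered dependency map: services/activities → processes → information assets → ICT assets → network and information systems. The following Python is an added example (not PwC's tooling and not part of the deck) that encodes the simplified Client Onboarding chain as data and answers the three questions a DORA implementation actually needs from it: which ICT assets support a critical function (the candidates for annual testing), which services are hit if an asset or system fails (reverse impact lookup), and which processes are delegated to a third party (input to the information register). It goes slightly beyond the slide by tagging each process as in house or delegated. The ICT asset and system names (CRM, Screening Tool, Provider Cloud Tenant, KYC-Provider-X, ESG Data Warehouse) and the ESG Reporting process are constructed placeholders, not entries from the deck.

```python
"""Operating-chain dependency map (added example; system names are hypothetical)."""
from collections import defaultdict


class OperatingChain:
    """Layers: service -> processes -> information assets -> ICT assets -> systems."""

    def __init__(self):
        self.services = {}                        # service -> {"critical": bool, "processes": [...]}
        self.process_assets = defaultdict(list)   # process -> information assets
        self.process_provider = {}                # process -> "in house" or provider name
        self.asset_ict = defaultdict(list)        # information asset -> ICT assets
        self.ict_systems = defaultdict(list)      # ICT asset -> network/information systems

    def add_service(self, name, processes, critical=False):
        self.services[name] = {"critical": critical, "processes": list(processes)}

    def add_process(self, name, info_assets, provider="in house"):
        self.process_assets[name] = list(info_assets)
        self.process_provider[name] = provider

    def add_info_asset(self, name, ict_assets):
        self.asset_ict[name] = list(ict_assets)

    def add_ict_asset(self, name, systems):
        self.ict_systems[name] = list(systems)

    def chain(self, service):
        """Every node downstream of a service, grouped by layer (sorted for stable output)."""
        procs = self.services[service]["processes"]
        assets = sorted({a for p in procs for a in self.process_assets[p]})
        ict = sorted({i for a in assets for i in self.asset_ict[a]})
        systems = sorted({s for i in ict for s in self.ict_systems[i]})
        return {"processes": procs, "information_assets": assets,
                "ict_assets": ict, "systems": systems}

    def critical_ict_assets(self):
        """ICT assets supporting any critical function: candidates for annual resilience testing."""
        out = set()
        for name, svc in self.services.items():
            if svc["critical"]:
                out.update(self.chain(name)["ict_assets"])
        return sorted(out)

    def impacted_services(self, node):
        """Reverse lookup: services affected if an ICT asset or system becomes unavailable."""
        return sorted(name for name in self.services
                      if node in self.chain(name)["ict_assets"]
                      or node in self.chain(name)["systems"])

    def third_party_dependencies(self, service):
        """Delegated processes and their providers, as input to the information register."""
        return sorted((p, self.process_provider[p])
                      for p in self.services[service]["processes"]
                      if self.process_provider[p] != "in house")


def build_sample():
    """Constructed sample: the deck's Client Onboarding steps, plus hypothetical ICT layers."""
    oc = OperatingChain()
    oc.add_service("Client Onboarding",
                   ["Identification/Due Diligence/KYC", "RFP Response",
                    "Assessment and Offer", "Signing"], critical=True)
    oc.add_service("ESG Services", ["ESG Reporting"])            # non-critical, constructed
    # Process -> information assets; KYC delegated to a hypothetical provider
    oc.add_process("Identification/Due Diligence/KYC",
                   ["Client Information", "AML/KYC Assessment", "DD Information"],
                   provider="KYC-Provider-X (hypothetical)")
    oc.add_process("RFP Response", ["RFP Information"])
    oc.add_process("Assessment and Offer", ["Policies", "Contract"])
    oc.add_process("Signing", ["Executed Contract"])
    oc.add_process("ESG Reporting", ["ESG Data"])
    # Information assets -> ICT assets (software/hardware; names hypothetical)
    oc.add_info_asset("Client Information", ["CRM"])
    oc.add_info_asset("AML/KYC Assessment", ["Screening Tool"])
    for asset in ("DD Information", "RFP Information", "Policies", "Contract"):
        oc.add_info_asset(asset, ["Document Management System"])
    oc.add_info_asset("Executed Contract", ["E-Signature Platform"])
    oc.add_info_asset("ESG Data", ["ESG Data Warehouse"])
    # ICT assets -> network and information systems (hypothetical)
    oc.add_ict_asset("CRM", ["Core Network Segment"])
    oc.add_ict_asset("Screening Tool", ["Provider Cloud Tenant"])
    oc.add_ict_asset("Document Management System", ["Core Network Segment"])
    oc.add_ict_asset("E-Signature Platform", ["Provider Cloud Tenant"])
    oc.add_ict_asset("ESG Data Warehouse", ["Core Network Segment"])
    return oc


if __name__ == "__main__":
    oc = build_sample()
    print("Client Onboarding chain:", oc.chain("Client Onboarding"))
    print("Critical ICT assets:", oc.critical_ict_assets())
    print("Impacted by Provider Cloud Tenant:", oc.impacted_services("Provider Cloud Tenant"))
    print("Third-party dependencies:", oc.third_party_dependencies("Client Onboarding"))
```

Because the map is data, the same structure can be exported to the information register, or extended with a criticality flag per process rather than per service where the entity's own assessment is more granular.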
Key Next Steps for Financial Entities
The Roadmap to DORA-Compliance and greater Operational Resilience

16.01.2023 – DORA Entry into force

Phase 1: Preparation (Q1 2023)
Why: DORA is a complex regulation and may overlap with other already applicable regulations in place.
How:
• Beginning with the identification of the activities of the company and the mapping of the process steps, software assets, data assets and infrastructure (considering delegation at fund and entity level)
• Mapping of outsourcing requirements and register

Phase 2: Maturity Assessment (Q2/Q3 2023)
Why: Understanding key gaps in your maturity assessment is important in ensuring effective and strategic resilience planning.
How:
1. Defining the project scope taking into account compliance against existing regulation
2. Bottom-up maturity assessment based on guided interviews & document-based analysis
3. Top-down strategic resilience planning to define the road ahead

Phase 3: Resilience Roadmap (Q3/Q4 2023)
Why: Deriving a roadmap helps achieving your desired resilience posture while meeting DORA requirements.
How:
• Prioritising gaps / recommendations based on experience in working with regulators
• Developing a fit for purpose DORA framework
• Considering potential to optimize and streamline processes

Phase 4: Remediation & Implementation (2023 - 2025)
Why: with a 2-year “getting ready” period, there is a lot that needs to be considered, implemented and demonstrated.
How: From strategic & operational conceptualization to technical realization

PwC added value
• regular, close contact with regulators
• Joining regulatory dots together
• strategic subject matter expertise
• Inhouse tools and technical solutions
Thank you for your trust.

Michael Horvath
Director
2, rue Gerhard Mercator
P.O. Box 9616
L-1443 Luxembourg
T: +352 49 48 48 3612
Email: michael.h.horvath@pwc.lu

Vojtech Volf
Manager
2, rue Gerhard Mercator
P.O. Box 9616
L-1443 Luxembourg
T: +352 621 33 4132
Email: vojtech.volf@pwc.lu

www.pwc.lu

© 2023 PricewaterhouseCoopers, Société coopérative. All rights reserved.

In this document, “PwC” or “PwC Luxembourg” refers to PricewaterhouseCoopers, Société coopérative which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. PwC IL cannot be held liable in any way for the acts or omissions of its member firms.
