Author
Published
5 September 2024
Reading time
Required knowledge
On 14 December 2022, the European Parliament and the European Council adopted Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA). It entered into force on 17 January 2023 and will apply from 17 January 2025. The EU Commission presented the proposal for DORA on 24 September 2020 as part of a package on the digitalization of the financial sector, which also includes a legislative act on markets for crypto assets (MiCAR), a pilot project for DLT-based market infrastructures, and a strategy for digital financial systems.
DORA aims to protect the financial sector, which is highly dependent on information and communication technology (ICT), from ICT risks and sets out rules for their management, cyber incident reporting, operational resilience testing, and third-party monitoring. It harmonizes rules for 20 different types of financial institutions and third-party ICT service providers to ensure resilience against serious operational disruptions. As a “lex specialis”, DORA will replace all overlapping legal texts, such as the NIS Directive (Network and Information Security Directive), and serve as the primary point of reference for compliance by financial institutions.
Legal Effect for Liechtenstein and Indirect Effect for Switzerland
In order for DORA to have legal effect in the EEA member state Liechtenstein, a decision by the EEA Joint Committee and the associated incorporation into the EEA Agreement is required. DORA has not yet been incorporated into the EEA Agreement. However, it is expected to enter into force at the same time as the EU. As Switzerland is neither a member of the EU nor the EEA, it does not have to implement DORA directly – and the regulation is not directly applicable in Switzerland. However, Swiss ICT service providers wishing to provide services to financial institutions in the EU are indirectly affected. This applies regardless of whether they are independent third parties or group companies affiliated with an EU financial institution. DORA imposes additional obligations on EU financial institutions when working with ICT service providers outside the EU, including Switzerland.
Recommendations: Strategies and Requirements
Digital operational resilience is the ability of organizations to maintain their operational integrity in the face of ICT disruptions. Financial institutions must develop a robust program, appropriate to their size and business profile, to assess their resilience and identify vulnerabilities. This program must take into account the evolution of cyber threats and include annual testing of all critical ICT applications and systems by independent, qualified internal, or external entities. Testing should include vulnerability assessments, network security analysis, and other methods to ensure comprehensive coverage and continuous improvement. In addition, internal policies and procedures must determine which issues are prioritized for remediation, and assessment methodologies should ensure that all vulnerabilities are fully remediated.
Where financial institutions use the services of external critical service providers, they must be included in the resilience considerations. This means that financial institutions must regularly review the security measures and resilience strategies of their service providers and ensure that they meet their own standards.
Many of the requirements set out in DORA are already known from existing regulations such as the European Banking Authority guidelines. In some cases, however, they go further and require adaptations, including changes to IT systems.
Joining the Swiss FS-CSC
The rapid pace of technological development means that cyberattack methods and strategies are constantly changing. In the future, banks will need even more financial and human resources to ensure adequate protection against cyberattacks. This will exacerbate the existing shortage of cybersecurity specialists, making it all the more important to attract them to the country. Banks in Liechtenstein are aware of these risks and challenges and monitor them around the clock. They use both human resources and artificial intelligence to manage them efficiently.
Cybersecurity is also a high priority at the association level. The Liechtenstein Bankers Association joined the Swiss Financial Sector Cyber Security Center (Swiss FS-CSC) to strengthen cooperation with Switzerland and increase cyber resilience. The FS-CSC provides financial institutions and associations with additional resources and support to improve their resilience, a platform for the exchange of information and best practice, as well as specialized training and support in the development of security strategies.
Ivica Kuzmic Liechtenstein Bankers Association
Panorama
Switzerland has developed SCION, a secure network architecture that is used by ETH Zurich, the SNB and SIX. SCION is also used internationally and is being reviewed by the IETF for standardization. It offers routing control and protection against cyber attacks.
6 June 2024
Focus
The SNB is launching a pilot program for central bank digital currency (wCBDC) on the SIX Digital Exchange. Pilot banks can settle transactions in wCBDC to increase efficiency and security. The pilot program will run until mid-2024 and is designed to minimize settlement risks.
5 December 2023
Talk
According to Prof. Cornelia Stengel, the introduction of private token money in Switzerland presents legal challenges. Token money could reduce transaction costs and increase efficiency. It offers advantages for securities trading and requires a suitable infrastructure.
A smart banknote combines physical and digital money. It feels like a normal banknote, but can be transferred to a wallet by scanning a QR code. This hybrid form of money was developed by Orell Füssli and could offer an alternative to CBDCs.
Experts
Since Switzerland joined EBICS, the standard transport protocol has become established. Version 3.0 harmonizes dialects and replaces proprietary protocols. EBICS offers high stability, supports eBill and instant payments, and is used by many Swiss banks.
15 March 2023
Market infrastructures must move with the times. Cyber risks, cryptocurrencies, stablecoins and CBDCs are challenges that operators must constantly address. Change is part of the program. Interview with Dr. Ruth Wandhöfer, professor at the London Institute of Banking & Finance.
7 December 2022
PAY NEWSLETTER
Join our community and never miss an update!
Categories