Guest blog: Proposal for a new EU regulation

New IT solutions and increased digitization entail an increased risk of being exposed to IT-related attacks. Digital resilience is therefore more important than ever. Lina Sandmark, a lawyer at Kompass Advokat, specialized in regulatory issues in the financial sector, reviews the proposed DORA Regulation, which aims to increase IT security in the financial sector.

The DORA Regulation

Old IT systems are being replaced by new and more connected solutions. As companies become more digital, the risk of cyber attacks and other IT-related risks increases. In the light of this, the European Commission has seen a need to produce a new regulation. On September 24, 2020, the Commission presented a package on the digitization of the financial sector, where the DORA Regulation (the Digital Operational Resilience Act) was part of the suggested package. The regulation aims to ensure that players in the financial sector take the necessary protective measures to counter cyber attacks and other IT-related risks.

The DORA Regulation applies to many different organizations in the financial sector. Credit institutions, payment institutions, central securities depositories, trading venues, fund companies, insurance companies, insurance intermediaries and auditing firms are examples of some of the entities that fall under the regulation's collective named "financial entities".

Four areas of focus

The DORA Regulation contains requirements that aim to prevent information and communication-related (ICT) disruptions and threats, e.g. cyberattacks. The DORA regulation can be divided into four areas; governance and risk management, reporting, testing and a completely new supervisory framework for ICT suppliers in the financial sector.

Governance and risk management is about regulations that place demands on management's responsibilities, organization and control over ICT risks. There will be new requirements for documentation and development of an ICT risk framework which, among other things, includes policies, strategies and security tools.

The reporting requirements are partly about introducing new reporting requirements for the organizations covered by the regulation, and partly about harmonizing the already existing reporting requirements in the NIS Directive and the PSD Directive in such a way that the entities do not have to report in accordance with all the regulations. The reporting requirements are also about developing appropriate processes and classifying ICT incidents based on various factors such as number of affected and duration.

Some financial entities will be subject to requirements for testing ICT security. The requirement is about how and to what extent entities need to test their systems in order to identify and prevent shortcomings.

The provisions regarding the supervisory framework for ICT providers aim to enable monitoring of the ICT providers in the financial sector that are considered critical. The supervision includes, among other things, whether the ICT provider has sufficiently comprehensive and efficient processes and mechanisms to be able to manage the ICT risks to which the financial entity may be exposed.

What now?

The DORA regulation has not yet been adopted, as the European Parliament and Council are still negotiating. The regulation must also be subject to consultation. At this point, it is difficult to assess when the regulation will enter into force, it will probably take at least a year plus maybe another six months to a year before it is to be applied.

Many of the requirements in the Regulation overlap with the requirements set out in the ICT guidelines developed by EBA and EIOPA. When working and implementing these guidelines, it may therefore be a good idea to look at the proposed requirements in the DORA Regulation at the same time. The EBA Guidelines came into force on June 30, 2020, while the EIOPA Guidelines will take effect on July 1, 2021.

Even if the applicability of the DORA Regulation is relatively far ahead, it may be good for entities covered by the Regulation to get ready for what is to come. A first step is to map the requirements and carry out a gap analysis to examine what measures need to be taken to meet the suggested requirements. This will also help companies to increase their digital resilience in general, and thus already reduce their operational risk.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-necessary	1 year
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	5 months 27 days	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_THG7SPKD18	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_84002038_1	1 minute	Set by Google to distinguish users.
_gat_UA-84002038-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. (en)
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
nQ_cookieId	1 year	Albacross sets this cookie to help identify companies for better lead generation and more effective ad targeting.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_hjSession_2735549	30 minutes
_hjSessionUser_2735549	1 year
AnalyticsSyncHistory	1 month
cookielawinfo-checkbox-advertisement	1 year
cookielawinfo-checkbox-necessary	1 year
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
li_gc	5 months 27 days
nQ_userVisitId	30 minutes
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
cookielawinfo-checkbox-advertisement	1 year
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.