Many banks are not ready for the tough new EU cyber security law
New regulations are forcing organizations to take cybersecurity seriously.
Tough new EU rules requiring banks to strengthen their cyber security systems come into force on Friday – but many of the bloc’s financial services companies are not fully complying with the rules.
The European Union’s Digital Operational Resilience Act, or DORA, requires both financial services firms and their technology providers to strengthen their IT systems so that the industry remains resilient in the event of a cyber attack or any other form of disruption. It came into effect on January 17.
Penalties for violating the new law can be substantial. Financial services firms that fall foul of the new rules could face fines of up to 2% of annual global revenue. Individual administrators can be held liable for violations and fined up to 1 million euros ($1 million).
So far, the pace at which financial services firms are adapting to the new regulations has been mixed, said Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.
“I think we’ve seen a mixed bag,” Jang told CNBC in an interview. “Certainly mature stage companies are looking at this for at least a year – if not more.”
“We’re really trying to build this compliance program, but it’s very complex. I think that’s the challenge. We’ve seen this with GDPR and other broad laws related to interpretation – what exactly does compliance mean? It means different things to different people,” he said.
This lack of common understanding of what qualifies for strong DORA compliance has led many institutions to raise security standards to levels beyond the “basic” expectations of most companies, Jang added.
Are financial institutions ready?
Under DORA, financial organizations are required to implement strict IT risk management, incident classification and reporting, operational resilience testing, information sharing on cyber threats and vulnerabilities, and measures to manage third-party risk.
Companies are required to conduct “concentration risk” assessments related to outsourcing critical or essential operational functions.
A survey of 200 UK chief information security officers by Orange Cyberdefense, the cyber security arm of the French telecom company Orange, found that 43% of financial institutions in Britain are not yet fully compliant with DORA.
That’s worrying because, even though the UK is now outside the EU, DORA applies to all financial entities operating within the EU’s jurisdiction – even if they’re based outside the EU.
“While it is clear that DORA has no legal reach in the UK, it does operate or provide services to entities based here and in the EU,” said Richard Lindsay, chief counsel at Orange Cyberdefense.
He added that a major challenge for many financial institutions in achieving DORA compliance is managing their critical third-party IT providers.
“Financial institutions operate in a multi-layered and highly complex digital ecosystem,” said Lindsay. “Monitoring and ensuring that all parts of this system comply with the relevant elements of DORA will require new thinking, solutions and resources.”
Banks are adding higher levels of scrutiny to their contract negotiations with technology providers because of DORA’s stricter requirements, Jang said.
Cisco’s chief privacy officer told CNBC that he thinks there is alignment when it comes to the principles and spirit of the law. However, he added, “any law is a product of consensus, so the more they are ordered, the more challenging it becomes.”
“Principles we agree with, but any legislation is a by-product, and the more prescriptive they are, the more challenging it becomes.”
Still, despite the challenges, the widespread assumption among experts is that it won’t be long before banks and other financial institutions achieve compliance.
“Banks in Europe are subject to significant regulations covering most of the areas that fall under DORA,” Fabio Colombo, head of EMEA financial services security at Accenture, told CNBC.
“As a result, financial services institutions already have mature governance and compliance capabilities, existing risk reporting processes and robust ICT risk frameworks.”
Concerns for IT providers
IT providers can also be penalized under DORA. The rules allow daily penalties of 1 percent of a provider’s average daily global revenue for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer of software supply chain management firm Sonatype, told CNBC. “They are powerful motivators, pushing leaders to take compliance and operational recovery more seriously than ever before.”
There is a long-standing concern that financial services firms will be able to move their critical security functions and services in-house, says Orange Cyberdefense’s Lindsay.
“Advances in technology allow financial institutions to shift services in-house, simplifying this aspect and reducing the risk of non-compliance.”
“Either way, existing contracts need to be updated to ensure compliance is contractually mandated and monitored between the entity and suppliers,” Lindsay added.
Meanwhile, as of 2015, other EU rules that focus on cyber security also apply to organizations, including the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The former came into force in October.
“As with any new regulation, there will be a transition period as organizations adjust to new requirements and standards,” Sonatype’s Fox told CNBC. “This is the start of a long journey to improve software security and resiliency.”