Czech Republic: Cybersecurity and Financial Institutions in Light of DORA and NIS2

Issue 11.12
The DORA regulation (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector) is an essential piece of European legislation aiming to bolster cybersecurity within the EU.

In this effort, it joins the NIS2 directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union). While several types of financial institutions also fall under the NIS2 directive, it is DORA that specifically targets the operational resilience of the financial sector, establishing a comprehensive framework to ensure that all financial entities regulated under DORA can withstand, respond to, and recover from disruptions and threats related to information and communications technology (ICT).

Supplementing other regulatory frameworks mandated by the EU, DORA (together with NIS2) introduces a unified set of standards for digital operational resilience that regulated financial entities must integrate into their risk management strategies. DORA applies from January 17, 2025.

To Whom Does the Regulation Apply?

To establish a high level of cybersecurity within the EU’s financial system, European legislators decided to include a wide range of financial institutions that will be required – to a greater or lesser extent – to apply the rules and standards introduced by DORA. The list of obliged entities under DORA includes, among others: credit institutions, investment firms, insurance and reinsurance undertakings, payment and electronic money institutions, managers of alternative investment funds, UCITS management companies, crypto-asset service providers, crowdfunding service providers, and ICT third-party service providers.

The entities subject to DORA are recognized as essential to the infrastructure and security of the EU’s financial system. As such, they are expected to maintain a high level of digital operational resilience to protect both the financial markets as well as their participants.

Obligations Under DORA

Entities subject to DORA are expected to comply with a range of requirements imposed by the regulation, including various technical, organizational, and legal measures. The core obligations to be implemented by the respective entities include: (a) ICT risk management, (b) reporting of major ICT-related incidents to the competent authorities, including the establishment of the necessary communication channels, (c) regular testing of digital operational resilience, (d) regular training of employees and management, and (e) management of ICT third-party risk (including the inclusion of key contractual provisions in agreements with ICT third-party service providers).

In addition to these core obligations, financial institutions may also (under certain conditions) enter into arrangements for sharing cyberthreat information and intelligence, which should further strengthen security and cyberthreat awareness across the EU by pooling practical experience with cyberattacks and the measures taken to address them.

Czech Implementation of the EU Cybersecurity Regulation

The upcoming Czech implementation of the EU's cybersecurity regulation has several specific features. A new draft Act on Cybersecurity is currently being discussed in the Czech Parliament; it is intended to transpose NIS2 into Czech law and replace the current Act on Cybersecurity, which has been in force since 2014. On top of various additional requirements and obligations introduced specifically by the Czech legislator, the draft act brings several financial institutions into scope beyond those already covered by NIS2, namely payment institutions and e-money institutions, provided they meet specific payment volume criteria.

In addition to the draft Act on Cybersecurity, a new draft Act on Digital Finance has been introduced, aiming to implement – or, more precisely, further expand on – the DORA regulation as well as the MiCA regulation (Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets) in Czech law. The Act on Digital Finance designates the Czech National Bank (CNB) as the supervisory authority for the cybersecurity of financial institutions under DORA, with the power to impose remedial measures and fines on the institutions under its supervision. At the same time, the National Cyber and Information Security Agency (NCISA) remains the general supervisory authority for cybersecurity matters, which may give rise to supervisory overlaps in practice, as several types of financial institutions may fall under the supervision of both the NCISA and the CNB.

By Ondrej Havlicek, Partner, and Martin Svoboda, Associate, Schoenherr

This article was originally published in Issue 11.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.