
Slaven Smojver (photo: Marko Prpić/Pixsell)
Cyber security as a basis for strengthening the resilience of every company in the digital world, with a particular focus on the NIS2 Directive and Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), was the main topic of the expert meeting of the business daily Poslovni dnevnik "Cyber Threats and Security - Defend Tech & Insurance", held on Thursday, 18 April, at the Zonar Hotel in Zagreb.
"The DORA Regulation (Digital Operational Resilience Act) imposes extensive requirements on financial service providers in terms of information and communication technology (ICT) risk management, ICT incident reporting, security testing and supervision of key ICT service providers," said Slaven Smojver from the CNB's Information Systems Supervision Department in "Interview 1 to 1: DORA – a Festival or a Regulation?". Smojver spoke about the role of the CNB in supervising the application of DORA, which starts to apply on 17 January 2025 not only to the financial sector but also to companies providing ICT services to it. He stressed in particular that DORA imposes a number of obligations on almost all financial service providers, including banks, insurance companies and investment firms, as well as on large technology providers of particular importance for the EU financial sector, such as key cloud computing providers. In addition to credit institutions, the supervision and oversight of the CNB also covers payment institutions and electronic money institutions.
"Financial institutions must fulfil the obligations imposed by DORA, but the principle of proportionality applies in the fulfilment of those obligations as well as in their supervision. The principle of proportionality ensures that regulation is applied in a manner that is proportionate to the size, business complexity and specific risks of an institution. Nevertheless, DORA also imposes certain minimum requirements that all institutions (not explicitly excluded from the scope) must meet," Smojver said.
According to him, the DORA Regulation and the NIS2 Directive complement each other – while NIS2 covers a wider range of sectors and focuses on general cybersecurity and risk management, DORA specifically targets the financial sector, highlighting digital operational resilience and ICT risk management. According to Smojver, the DORA Regulation imposes requirements on financial institutions to establish and implement robust ICT risk management mechanisms and to regularly test the security of their systems. In addition, DORA also establishes a framework for supervision and cooperation between competent authorities within the EU, to ensure a coordinated response to cross-border cyber threats and incidents. "It should be noted that it is the obligation of financial institutions to document, monitor and supervise all ICT service providers, especially those supporting the provision of critical services, and these obligations also apply to subcontractors (supervision of the chain of service providers)," concluded Smojver.