
IT Regulatory Compliance

Compliance: design, assess, transform.

The Digital Operational Resilience Act (DORA) establishes a single EU framework for the stability and security of the financial sector's ICT systems.

The financial industry faces increasing threats from cybercriminals who, if successful, can compromise large amounts of sensitive financial and personal data, with potentially severe consequences. The European Commission has therefore established a single legal framework to harmonise the management of ICT risk and the response to cyber-attacks across the sector.

The objectives of DORA 

Although organisations in the financial sector (banks, insurers, investment firms) operate in a highly integrated and interdependent system, the legal framework for managing ICT risk is not uniform across EU Member States, and the national rules are in many cases hard to reconcile. The Commission therefore set out to regulate the management of and response to ICT risks and threats at EU level. DORA was developed for this purpose: it sets uniform requirements for, and a common way of assessing, the resilience of financial entities to threats from cyberspace.

DORA aims to increase regulatory transparency and to reduce the administrative and financial compliance burden on financial institutions. At the same time it introduces new ICT security requirements: financial entities must test their digital operational resilience regularly (for entities designated by their competent authorities this includes threat-led penetration testing) and are responsible for managing the risks arising from the third parties that provide them with ICT services, from contracting through ongoing monitoring to exit.

How DORA works 

DORA was adopted as Regulation (EU) 2022/2554 and published in December 2022; it entered into force on 16 January 2023 and, after a two-year preparation period for stakeholders, applies from 17 January 2025.

DORA would consist of two separate parts. The first would focus on financial institutions, while the second would focus on companies providing third-party technology services to financial institutions. It would take into account the size, activities and business profile of a financial institution and determine accordingly the IT risk management requirements to be met, said Zoltán Szöllősi, Director of Deloitte's IT Risk Advisory Group.

The regulation also creates an EU-level oversight framework for critical ICT third-party service providers: the European Supervisory Authorities designate a Lead Overseer for each such provider, supported by a joint oversight network of the national competent authorities. Designated providers have to give the overseer access to the information needed to assess their compliance and can be subject to inspections and periodic penalty payments.

Fintech companies and DORA 

As the number and importance of fintech companies grows at an accelerating pace, financial institutions' exposure to threats against the companies that serve them grows with it: financial institutions are increasingly attacked through some form of external service provider.

DORA will significantly change the expectations of legislators towards fintech companies. Given their rapid growth, the DORA proportionality principle will be important, requiring regular review of compliance expectations – Zoltán Szöllősi added. 

In the European fintech market, regulatory compliance will be a key issue once DORA applies, as financial firms will also be responsible for the compliance of the fintech firms that provide services to them.

Download our DORA Leaflet (Hungarian version)

What is NIS2? 

NIS2 is an EU-wide cybersecurity directive intended to bring the Member States to a uniformly high level of cybersecurity maturity. It also aims to strengthen the resilience and incident-handling capacity of public and private service providers in critical sectors.

The requirements were adopted in Directive (EU) 2022/2555, which entered into force in January 2023. Note that, being a directive, NIS2 has no direct effect: each Member State first has to transpose it into national law. In Hungary, compliance with the NIS2 requirements is governed by Act LXIX of 2024 on Hungary's cybersecurity.

Scope 

The NIS2 Directive and Act LXIX of 2024 on Hungary's cybersecurity apply to a wide range of industries, including sectors that until now have not had to address information security for compliance purposes.

Affected organisations fall into two categories according to their level of criticality:

  • The "highly critical" category covers providers and businesses in the energy, transport, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space sectors.
  • The "critical" category covers postal and courier services, waste management, the manufacture, production and distribution of chemicals, the production, processing and distribution of food, manufacturing, digital providers and research.

Major milestones

The NIS2 Directive entered into force on 16 January 2023, while Act LXIX of 2024 on Hungary's cybersecurity was promulgated on 20 December 2024.

28 October 2024 was the deadline for compliance with Act XXIII of 2023, the earlier Hungarian transposition. Inspections are carried out, and sanctions imposed in the event of non-compliance, by the Supervisory Authority for Regulated Activities (SZTFH).

  • Pursuant to SZTFH Decree 3/2023 (XII. 19.), organisations that establish that they are subject to the Cybersecurity Act had to register by 30 June 2024 at the latest. Registration is requested by completing the application form available on the SZTFH website and submitting it through "Cégkapu" (the electronic administration portal for businesses).
  • Organisations had to establish an effective, risk-proportionate information security management framework by 18 October 2024.
  • Organisations also had to have a contract with an auditor by 18 October 2024 or within 120 days of registration.
  • Businesses must complete the independent audit by 31 December 2025.

Requirements

NIS2 and the Cybersecurity Act essentially set information security requirements for organisations. Put simply, the law requires an effective, risk-proportionate information security management framework to be established and operated. Compliance is to be audited every two years by an independent auditor. The audit is mandatory even if the organisation already holds industry-specific certifications (e.g. TISAX, ISO 27001) or has undergone other audits (e.g. SOC 2). Although these do not replace the audit, existing certifications are certainly useful when preparing for it and for future NIS2 audits.

Why is compliance critical? 

The directive requires the sectors covered to take targeted measures to strengthen cybersecurity and information security. This reduces the risk of cyber threats, attacks and digital crime and limits the economic and social damage caused by disruptions and attacks.

For organisations that fail to comply, the NIS2 Directive and Act LXIX of 2024 on Hungary's cybersecurity also provide for penalties:

  • for highly critical (essential) entities, up to EUR 10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher;
  • for critical (important) entities, up to EUR 7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

Fines may be imposed repeatedly while non-compliance persists. The exact domestic penalty levels are not yet known in detail and are expected to be set by ministerial decree.

How Deloitte can help you: 

Deloitte experts bring broad industry and technical expertise to help organisations assess and improve their cyber resilience and demonstrate compliance. We provide a comprehensive service from gap analysis to implementation, using proven tools and methodologies to help our clients meet the NIS2 requirements:

  • Gap analysis: assessment of the company's current cybersecurity status and identification of gaps against the NIS2 directive, followed by specific recommendations to close those gaps and raise the level of cybersecurity. As the detailed rules (e.g. the exact audit framework and the mandatory controls for IT systems) are not yet known, the gap analysis is based on our industry knowledge and international frameworks (e.g. ISO 27001, NIST Cybersecurity Framework).
  • Information Security Management System (ISMS): an ISMS is essential, as it lets a company formulate a comprehensive cybersecurity strategy, manage cyber threats and minimise potential damage and risk. Deloitte helps design a comprehensive, tailor-made information security management system, including the cybersecurity policies, roles, processes and procedures it requires.
  • Risk assessment: accurate risk identification and assessment is fundamental to information security. Risk analysis helps you understand the threats to your organisation's digital infrastructure and data and supports the implementation of effective protective measures. We help you analyse your organisation's digital infrastructure and data protection, identify and assess potential risks, and address information security challenges effectively.
  • Business continuity planning: maintaining business continuity is critical during incidents and cyber-attacks. Business continuity plans keep business processes running even in critical situations. Deloitte helps you design your business continuity plans and mechanisms, or review your existing plan, so that business can continue in the event of an unexpected incident or attack.
  • Incident response: one purpose of the NIS2 directive is to regulate incident identification and reporting processes and to harmonise incident reporting to the authorities. Timely and effective reaction to unforeseen events is key. Our services help clients comply with the NIS2 incident reporting rules and align their reporting processes so that resources are used efficiently.
  • Penetration testing and vulnerability assessment: in a constantly changing threat landscape, regular testing is needed to identify vulnerabilities and respond to them appropriately. NIS2 expressly expects proper testing of key systems and processes, including vulnerability assessment and penetration testing. Deloitte has strong expertise, technical resources and staff in this field at European level.
  • Information security control and compliance monitoring: development and implementation of control mechanisms to ensure compliance with the NIS2 regulations and standards.
  • Information security education and training: proper training of staff in information security is essential to an effective cybersecurity culture and to user awareness. Our comprehensive, up-to-date programmes help your staff understand the importance of information security and respond effectively to cyber threats.

Download our NIS2 Leaflet (Hungarian version)


Regulatory and compliance pressure on financial institutions has increased with the introduction of PSD2. Deloitte can assist its clients in carrying out the mandatory independent review efficiently and in a way that creates value.

Why is this important? 

Commission Delegated Regulation (EU) 2018/389, the PSD2 regulatory technical standards on strong customer authentication and secure communication, requires payment service providers to have their security measures documented, periodically tested and audited by auditors with IT security and payments expertise who are operationally independent of the audited functions; providers that apply the transaction risk analysis exemption must also have the methodology, the model and the reported fraud rates audited at least annually. In addition, MNB Recommendation 18/2016 requires an independent audit. The review should essentially cover the whole of the PSD2 requirements: the technical and procedural arrangements for strong customer authentication, the process for calculating and reporting fraud rates, and, where the institution applies exemptions, its exception-handling practices and operational risk analysis.

How can Deloitte help? 

We carry out a fact-finding compliance analysis against the requirements of PSD2. Our review covers every system and authentication solution through which a financial institution's customers can initiate a payment transaction. We provide industry best practices and practical action plans to address non-compliance, whether the deficiency lies in a process or in a technical control. Deloitte works closely with the regional PSD2 Knowledge Centre on PSD2 compliance and advisory projects to support our clients.

Resilience to cyber-attacks 

To standardise the management of cyber security and operational risk, SWIFT introduced the Customer Security Programme (CSP), a framework that helps SWIFT users establish and maintain an information security control environment for their SWIFT infrastructure. It covers control areas similar to those of well-known information security frameworks (e.g. ISO 27001, NIST CSF), but also includes SWIFT-specific controls, for example on key links, back-office data-flow encryption and staff screening.

Since 2021, a self-assessment alone has no longer been sufficient to demonstrate compliance with the requirements. Instead, an independent assessment is needed to confirm that the required controls have been properly designed and implemented.

What is an independent review?

There are two main types of independent assessment:

  • External assessment: compliance is verified by an independent external party with appropriate information security experience and expertise, e.g. a CISA qualification.
  • Internal assessment: compliance with the SWIFT controls is verified by the SWIFT user's own second or third line of defence, e.g. the compliance department or internal audit, provided they have the appropriate information security expertise and are genuinely independent of the first line organisationally.

The independent review should produce a report listing the control areas that do not meet the SWIFT CSP requirements and management's intended action to address them.

What happens if I do not carry out the independent review? 

If the independent review is not conducted and its result submitted to SWIFT by the end of 2022, SWIFT will report the non-compliance to the supervisory authority, which in Hungary is the MNB.

Embracing digitised ways of working has led many organisations to adopt rudimentary artificial agents to automate repetitive processes. To broaden the coverage of these solutions, Artificial Intelligence (AI) is increasingly being employed. However, it brings new risks and governance challenges that continue to act as a barrier to scaling.

In order to navigate these risks, organizations must understand their current exposure, ensure AI outcomes are validated for both efficacy and ethics, put in place governance that supports the maintenance of these outcomes, and ensure they are ready for crises when they occur.

We can help you leverage the power and versatility of AI to reach new levels of organizational excellence. Starting with defining an AI strategy to develop new business models, and improve outcomes in key areas of your operations, we can help you along every step of the journey as you turn data into insights and apply them.

Our legal, risk and technology experts have seen how cognitive technology is put into real-world action and work with you to design and implement trustworthy AI-driven products that put your business at the cutting edge. We can perform AI risk assessments and gap analyses to identify solutions that fall short of ethical values and principles.

Deloitte can assist in performing maturity and control assessments on processes and controls that guide organizational AI, and identify deficiencies that can lead to potential non-compliance. Our legal experts can offer comprehensive guidance on navigating the complexities of the AI Act, ensuring compliance with its regulations and requirements. They can also assist in developing robust strategies for digital compliance of AI systems, addressing issues such as data protection, transparency, accountability, and ethical considerations to mitigate legal risks and foster trust in AI technologies.

Deloitte experts assist their Clients in many aspects of data management, from creating a data management strategy, delivering data deletion solutions to implementing data migration projects.

Ultimately, we can help you turn your data into AI-driven insight and engagement using Deloitte-developed next-generation autonomous algorithms, enabling more autonomous and explainable decision making.

Download our AI ACT Service leaflet

Beyond compliance

The regulatory compliance pressure is increasing year by year on the financial sector. From EU wide regulations (e.g. DORA, PSD2) through local legislations (MNB recommendations and regulations) to industry requirements (e.g. SWIFT) there are multiple areas and processes where compliance needs to be proven.

We help our clients not only with an effective compliance programme but also with practical recommendations and realistic action plans. We have worked with almost every major player in the Hungarian market, so we have a wide range of experience in (IT) compliance projects.

Managing compliance risk is critical for every financial sector organisation in order to avoid reputational and financial loss. Being compliant with these laws and requirements also reduces cyber risk and helps companies protect their information and assets effectively.

Download our FSI IT Compliance Services Leaflet (Hungarian version)
