Cybersecurity has become a priority for the financial sector and its supervisors. The European regulator wants every entity (banks, insurers, asset managers, payment institutions, etc.) to devote its technical and human resources to managing technology risk, putting in place the processes, procedures and policies that keep its systems available and secure.

The EU set out the sector's obligations in the Digital Operational Resilience Regulation (Dora), which entered into force on January 16, 2023, but gave entities two years to adapt and meet the requirements. The rule will therefore apply from this coming Friday the 17th, and it comes with a strong sanctions regime for infringements, with multi-million-euro penalties.

The Government harmonised the infringements for all operators (banking, securities and insurance) in the draft law on the digitalisation and modernisation of the financial sector that it approved in December, which sets out the sanctions regime for all entities except banks, which will remain governed by their own sector-specific legislation.

Fines of up to 10 million

A bank that commits an infringement classified as very serious under the Dora Regulation faces fines of up to 10% of its annual net turnover, or up to 10 million euros if that percentage would be lower, and may even have its authorisation to operate revoked. The ceilings are halved for serious infringements, and fall to 1% or one million euros for minor ones. Managers and directors could face individual fines of up to 5 million euros for the most serious breaches, with the risk of suspension from office.

For insurance and securities firms, the new regime introduced by the draft sets the penalty for very serious infringements at the highest of the following: 5 million euros, 5% of the firm's annual net turnover, or five times the profits obtained or losses avoided through the infringement, where these can be determined. If the offender is an individual who has held an administrative or management position in the entity, the penalty would be the higher of that same fivefold profit or avoided loss and one million euros.

For serious infringements, the alternatives drop to 2.5 million euros, 3% of annual net turnover or twice the profits or losses in the case of entities, and to twice the profits or losses or 500,000 euros in the case of managers.

The draft approved by the Government also leaves room for the supervisors (Bank of Spain, CNMV and the General Directorate of Insurance) to impose further or additional measures where necessary.

The Dora regulation takes a comprehensive approach to cybersecurity, covering the financial sector as a whole, the entire technology value chain and each organisation in its entirety. Ultimate responsibility for managing ICT risk properly lies with senior management and the board of directors, but compliance requires policies and procedures that reach into a large part of each organisation and its business lines.

The most serious infringements would arise, for example, from a serious deficiency in the internal governance and control framework meant to ensure effective and prudent management of all information and communication technology (ICT) risk, from an ICT risk management framework that is not sound, comprehensive and well documented, or from failing to establish the appropriate tools, systems and protocols or to keep them properly updated.