Banking Regulation 2025

GREECE Law and Practice Contributed by: Paris Tzoumas, Vivian Efthymiou and Dimitrios Mekakas, Zepos & Yannopoulos

adopted. DORA will apply from 17 January 2025, but credit institutions and other financial institu - tions falling within the scope of its application must be prepared in advance. Through the creation of a unified regulatory framework, DORA aims to boost credit and oth - er institutions’ resilience against cyber threats through the implementation of stringent cyber - security measures, regular risk assessments, the reporting of cyber incidents to the relevant authorities, and by addressing operational fail - ures and IT disruptions. The key pillars of DORA that should be observed by credit institutions include the following: • Governance credit institutions’ board of direc - tors will have the ultimate responsibility for managing ICT (Information and Communica - tion Technology) risk and adopting policies to maintain high standards of data availability, authenticity, integrity, and confidentiality. They will be responsible for defining roles and governance structures, and ensuring effective communication within ICT functions. They will approve the digital operational resilience strategy, including risk tolerance levels, and oversee ICT business continuity and recov - ery plans. Management bodies will review ICT audits, allocate the necessary budget for resilience needs, including staff training, and approve policies related to ICT third-party service providers. Finally, they will establish reporting channels to monitor changes or incidents. • ICT risk management credit institutions will need to implement a sound, comprehensive and well-documented ICT risk management framework. In this respect, they must adopt plans, policies, procedures, protocols and tools to identify any potential ICT threat, protect both their digital and physical infra -

structure, detect incidents in a timely man - ner, respond effectively, and recover without major disruptions. • Testing a digital operational resilience test - ing programme will be required as part of the ICT risk management framework to assess readiness for handling ICT-related incidents, and must include tests such as vulnerabil - ity assessments, penetration checks and scenario-based evaluations. These will be performed by independent parties, and identi - fied issues will be prioritised, remedied, and validated. Critical functions must be tested at least annually, while advanced testing must be conducted every three years, covering critical ICT functions, including outsourced services. • ICT-related incidents management and report- ing DORA further outlines the requirements for reporting major ICT-related incidents (which must be classified as per the criteria provided thereunder) by using the relevant templates. Credit institutions must report such incidents to the relevant competent authority. The reports of significant credit institutions must be immediately transmitted by the national competent authorities to the ECB. Outsourcing reporting will be allowed, but responsibility will remain with the financial institution. Voluntary notification of significant threats to cybersecurity will also be required. • ICT third-party risk management DORA also governs the management of ICT third-party risk, emphasising that credit institutions must integrate ICT third-party risk manage - ment into their overall ICT risk management framework. When outsourcing services to ICT third-party service providers, the institution will remain fully responsible for compliance with DORA requirements. In addition, credit institutions must maintain a register of all ICT contracts, assess risks before entering

229 CHAMBERS.COM

Powered by