Banking Regulation 2025

LIECHTENSTEIN Law and Practice Contributed by: Bernhard Rankl, Moritz Blasy and Nicolai Binkert, Schurti Partners Attorneys at Law Ltd

10. DORA 10.1 DORA Requirements

to ensure business continuity in the event of ICT disruptions. Risk management under DORA extends beyond internal systems and requires banks to consider risks from third-party service providers and cloud-based services. Banks must ensure that any external ICT services on which they rely meet the same standards of operational resilience. DORA also imposes requirements on banks for the reporting of ICT-related incidents. Any sig - nificant disruption or cyber-attack affecting the bank’s digital infrastructure must be reported to the relevant supervisory authority, in this case the FMA. ICT testing and resilience DORA requires banks to regularly test the resil - ience of their ICT systems to ensure they can withstand digital disruption. This includes: • Vulnerability assessments: Banks must regu - larly test their systems for potential vulnerabil - ities, such as outdated software, unpatched systems or poorly configured networks. • Penetration testing: Banks are required to conduct threat-led penetration tests (TLPT) at least every three years, using simulated attacks to identify and exploit vulnerabilities in their ICT systems. • Operational resilience testing: Banks must conduct stress tests that simulate extreme scenarios, such as large-scale cyber-attacks or ICT failures, to assess the operational impact and recovery capabilities. Information sharing Banks are encouraged to participate in infor - mation-sharing arrangements under DORA, particularly in the area of cybersecurity. Sharing information on emerging threats, cyber-attack methods and successful defences can help

Regulation (EU) 2022/2554 (Digital Operational Resilience Act; DORA) aims to strengthen the digital operational resilience of financial institu - tions, including banks, in the European Econom - ic Area (EEA), which includes Liechtenstein. In particular, DORA focuses on ensuring that banks and other financial institutions can withstand, respond to and recover from information and communications technology (ICT)-related dis - ruptions, which is critical in an era of increasing digital threats and cybersecurity risks. DORA introduces a consistent and compre - hensive framework for addressing digital risks in the financial sector, covering areas such as risk management, ICT incident reporting, test - ing, third-party risk management and informa - tion sharing. It aims to ensure that banks have robust systems and controls in place to protect their operations from technology failures, cyber- attacks and other digital threats. Key Pillars of DORA DORA focuses on several core areas that banks in Liechtenstein must address to ensure compli - ance and enhance their digital resilience. ICT risk management and reporting One of the key elements of DORA is the require - ment for banks to establish a robust ICT risk man - agement framework. Banks must adopt policies and procedures to identify, assess and mitigate the risks associated with the use of technology and digital services. This includes ensuring that ICT risks are integrated into the bank’s broader risk management strategy, that banks identify potential vulnerabilities and threats to their ICT systems, including cyber threats and system fail - ures, and that banks develop contingency plans

336 CHAMBERS.COM

Powered by