BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP
In the case of a significant cyberthreat, financial entities may need to, where applicable, inform clients that are potentially affected of any appropriate protection measures that they should consider taking.

Financial entities may outsource their reporting duties, but they remain fully responsible for ensuring compliance with their obligations as financial entities under DORA.

3.4 Operational Resilience Enforcement

The NBB and the FSMA are the primary financial services regulators in Belgium. They are also in charge of monitoring cybersecurity risks in the Belgian financial sector, so DORA compliance will be overseen primarily by the NBB and the FSMA.

To harmonise the supervision of ICT risks in the financial sector, DORA also brings together EU financial authorities, such as the European Banking Authority and the European Securities and Markets Authority, collectively referred to as the European Supervisory Authorities.

DORA allows the EU member state authorities competent to monitor the activities of financial entities and ICTSPs to impose administrative fines (including in collaboration with other authorities, such as DPAs). When determining the amount of a fine, DORA leaves it to the discretion of these authorities to examine whether a DORA violation was intentional or resulted from the negligence of the financial entity or ICTSP.

Furthermore, the EU legislators wanted to ensure appropriate oversight of critical ICTSPs, especially because these companies in some cases also provide their services to financial entities within the same group, which may lead to potential conflicts of interest and concentration risks. To address this issue, DORA establishes a new oversight framework whereby one of the major EU financial authorities (eg the European Banking Authority or the European Securities and Markets Authority) is designated as a lead overseer (LO) to monitor the activities of critical ICT TPSPs.

Critical ICT TPSPs are ICT TPSPs that the European Supervisory Authorities have designated as “critical” for financial entities, following an assessment that takes into account the criteria specified in DORA. LOs will have the power to conduct investigations (ie, on-site and off-site inspections) and to adopt decisions imposing a periodic penalty payment to compel critical ICT TPSPs to co-operate with the LO in the course of an investigation.

3.5 International Data Transfers

Under DORA, financial entities are required to design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. To achieve these objectives, financial entities are required to use ICT solutions and processes that, inter alia, ensure the security of the means of transfer of data.

In addition, if the data includes personal data (as defined in the GDPR), the restrictions imposed by the GDPR may apply to transfers of personal data to recipients in jurisdictions outside the EU.

3.6 Threat-Led Penetration Testing

DORA requires certain entities to conduct advanced threat-led penetration tests. This