
Jailing negligent management boards? EU’s aggressive financial sector regulation goes into force

Financial entities in the European Union and their third-party suppliers are as of Friday required to report major IT incidents to their national regulators, as the bloc’s Digital Operational Resilience Act (DORA) enters into force.

The law intends to drive best practice across the financial sector and its supply chains, both in securing firms against cyberattacks and protecting them from other forms of business disruption, such as CrowdStrike’s faulty update last year. The reporting requirements also apply to third-party suppliers based internationally. 

It comes with significant penalties for noncompliance, including most notably potential criminal liability for negligent management board members of the regulated “financial entities” — a purposefully broad term covering banks and payment service providers through to investment companies and businesses working in the crypto asset space.

It requires the management boards of these entities to receive regular reports from senior IT staff to support their organisations' resilience.

If boards are not given these reports, EU member states have been directed to establish civil liability regimes for individual board members for negligence, with the possibility of criminal liability retained within the regulation.

“Personal accountability in any regulation tends to focus the mind,” said James Hughes, the enterprise chief technology officer at cyber resilience firm Rubrik, adding that the company’s survey of financial services firms found almost half had spent over $1 million preparing for the legislation.

Financial entities in breach of their obligations could be fined up to 2% of their global annual turnover, or €10 million ($10.3 million), whichever is higher. Third-party IT suppliers that fail to comply with the regulation can be struck with a penalty payment of up to 1% of their average daily worldwide turnover “on a daily basis until compliance is achieved and for no more than a period of six months.”

“If you have people in positions of responsibility, if they are personally accountable — and I think regulations have been moving in this direction for a few years now — I think that’s how you get things done,” said Hughes.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.