Economic Criminal Law, Compliance and Digitalization
Main Research
Business Law
Description
Information and communication technologies (ICT) play a crucial role in the availability and integrity of financial services. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector (DORA) aims to enable financial institutions to withstand cyberattacks and maintain operations even in the event of such an attack. DORA entered into force on 16 January 2023 and its requirements must be implemented by the affected financial intermediaries in the EU by 17 January 2025. According to Art. 2 DORA, the scope of application includes credit, payment and e-money institutions, providers of crypto services, investment firms, management companies, trade repositories and insurance companies. DORA contains standardised requirements for the risk management of ICT, the handling, classification and reporting of ICT-related incidents, the testing of digital operational resilience, the management of ICT third-party risk and the exchange of information.
In Liechtenstein, DORA applies directly following its incorporation into the EEA Agreement; however, some provisions required national implementation, for which the EEA DORA-DG was created. This is due to enter into force on 1 February 2025. The penal provisions are anchored in Art. 9 DORA-DG: para. 1 in particular provides for an offence punishable by a court (misdemeanour), and para. 2 regulates several administrative offences sanctioned by the FMA. All penal provisions are so-called blanket penal provisions, because they refer to provisions of DORA and their unlawful content can only be recognised by reading them together with the corresponding so-called filling standards. The project analyses these two paragraphs and aims to draw attention to the new criminal liability risks in good time before the planned entry into force.
The project first explains the field of cybercrime, against which cyber resilience is an essential defensive strategy.
Practical Application
As part of the project, a comprehensive analysis of the criminal liability risks arising from the EEA-DORA-Act will be conducted. The goal is to identify potential legal and regulatory challenges in the area of cyber resilience for financial institutions and their executives at an early stage. Special attention will be given to the specific penal provisions. In this context, the relevant concepts of intent and negligence will be explained and the issue of corporate liability will be examined.
Reference to Liechtenstein
DORA aims to raise awareness of ICT risks and highlight that the financial soundness of financial firms can be jeopardised by ICT incidents and insufficient operational resilience. Building the ICT capacity and overall resilience of financial firms, in particular to cope with operational failures, is crucial for maintaining the stability and integrity of the EEA single market for financial services and the financial markets in the EEA States. This helps to ensure a high level of protection for investors and consumers throughout the EEA. Liechtenstein, whose economy is strongly characterised by financial services, benefits in particular from the implementation of these regulations, especially as the application of DORA can strengthen the resilience of financial companies in the country. Analysing the criminal provisions helps to better understand potential liability risks and to formulate appropriate prevention strategies for financial companies. Based on this analysis, management bodies can develop practical recommendations for action in order to minimise liability risks and comply with legal requirements.