Abstract

Security of assets and associated records has for centuries been a very important agenda for providers of financial services. Thus, when cybersecurity became a matter of general societal and political interest, and subsequently of regulatory activity, large financial institutions were mostly ready. They generally did not have to develop entirely new cybersecurity measures, but only to adapt the existing ones, whilst new developments had to take place primarily with respect to compliance procedures and associated documents. The chapter focuses on the two most significant cybersecurity statutes in the EU, i.e., the NIS Directive and the Cybersecurity Act. It discusses their regulatory logic as well as the ways in which financial institutions can adapt to it. The chapter also specifically analyses the new certification mechanism introduced by the Cybersecurity Act. Besides the ways in which financial institutions can implement the new certification schemes into complex compliance solutions, the chapter also critically addresses their possible systemic and operational risks.
