ARTICLE
10 June 2025

Managing ICT Risks In The Financial Sector

Kinstellar


Kinstellar acts as trusted legal counsel to leading investors across Emerging Europe and Central Asia. With offices in 11 jurisdictions and over 350 local and international lawyers, we deliver consistent, joined-up legal advice and assistance across diverse regional markets – together with the know-how and experience to champion your interests while minimising exposure to risk.

Information and communication technology ("ICT") is integral to the functioning of the financial sector of modern economies. In recent decades, ICT has become a critical aspect of the daily functions and operations of financial entities. Such a high degree of dependence on ICT systems constitutes a systemic vulnerability, given the interconnected nature of the global economy. Recognising this risk, international regulatory organisations have worked to equip competent authorities and market participants with the tools needed to strengthen the resilience of their financial systems. These circumstances highlight the need for governments to take appropriate measures to address ICT-related risks through special legislation, even at the expense of additional administrative burdens on private entities. This newsletter presents the measures taken to address these risks across Kinstellar's jurisdictions.

BULGARIA

01 Main legislation regulating operational resilience for the financial sector

The primary legal instrument regulating ICT risks in the financial sector in the EU is Regulation (EU) 2022/2554 of the European Parliament and of the Council ("DORA" or the "Regulation"). It was officially adopted in 2022 and is applicable as of 17 January 2025. DORA applies directly in all Member States, and its provisions will be additionally implemented in Bulgaria through amendments to national legislation.

Two proposed draft bills will make the necessary changes to existing legislation. Upon their entry into force, the operational resilience of the financial sector in Bulgaria will be regulated by several acts, including the Markets in Crypto Assets Act; the Payment Services and Payment Systems Act; the Credit Institutions Act; the Bulgarian National Bank ("BNB") Act; the Financial Supervision Commission ("FSC") Act; the Public Offering of Securities Act; the Collective Investment Schemes and Other Undertakings for Collective Investments Act; the Social Insurance Code; the Insurance Code; the Recovery and Resolution of Credit Institutions and Investment Firms Act, and the Markets in Financial Instruments Act.

The list of applicable national instruments may be further expanded by future amendments to different legislative and administrative acts.

02 Who needs to comply?

The obligations related to the operational resilience of the financial sector apply to finance-related institutions and financial entities, which can be grouped as follows:

  • credit institutions, payment institutions, crypto-asset service providers, and electronic money institutions;
  • central securities depositories, securitisation repositories, central counterparties, trading venues, trade repositories, data reporting service providers, and account information service providers;
  • managers of alternative investment funds, credit rating agencies, crowdfunding service providers, institutions for occupational retirement provisions, management companies; and
  • ICT third-party service providers.

03 Who are the responsible regulators?

According to the proposed draft bills, the responsible regulators will be the BNB and the FSC. Each body will have separate regulatory competences.

The BNB will be competent in relation to credit institutions, payment institutions, and administrators of critical benchmarks. The FSC will be competent in relation to investment firms, crypto-asset providers, central securities depositories, insurers, institutions for occupational retirement provision, and others.

The BNB will also appoint a member of its staff to be a high-level representative in the Oversight Forum, which assists in EU-wide control.

04 What are the key requirements?

DORA identifies ICT risk management, incident reporting, operational resilience testing, third-party risk management, and cyber-threat intelligence sharing as the main pillars of the operational resilience framework.

Financial entities need to deploy appropriate strategies, policies, procedures, protocols, and tools in relation to ICT-risk management. The functions and roles related to ICT should be identified, classified, and adequately documented. Sources of ICT risk should be reviewed on a regular (at least yearly) basis. Major changes to network and information system infrastructure should always be performed after prior risk-exposure assessment.

Overall, the risk-management framework is centred around protection and prevention, detection, response and recovery, and learning and evolving.

The Regulation's incident-reporting requirements oblige financial entities to manage and notify ICT-related incidents. Such incidents are classified according to set criteria and reported to the competent authorities. A unified reporting format will be created by the European Supervisory Authorities.

The digital operational resilience of financial entities will be tested (at least yearly) to assess their preparedness. The testing programme will include a range of assessments, tests, methodologies, practices, and tools. The appropriate tests can take the form of vulnerability assessments and scans, open-source analyses, network security assessments, and scenario-based tests, among others. Critical financial firms must conduct Threat-Led Penetration Testing at least every three years.

Before financial entities enter into a contractual arrangement with external ICT service providers, they should perform certain mandatory compliance checks. There are also mandatory contract clauses (e.g., that the contract may be terminated in case of a significant breach of applicable laws by the service providers). The European Supervisory Authorities will designate certain external ICT providers as critical.

Financial entities are encouraged to exchange cyber-threat information and intelligence among themselves. Such information sharing should be aimed at raising awareness within trusted communities of financial entities.

05 What steps and actions should be undertaken?

The first step towards meeting the requirements described in the previous answer is conducting a gap analysis to assess current practices and identify the potential areas for improvement.

Financial entities should strengthen their internal governance structures by assigning clear roles and responsibilities for ICT risk management.

Risks arising from third-party relations should be addressed by reviewing vendor contracts and establishing mandatory security requirements. Protocols for incident reporting should be developed to ensure timely and accurate responses.

A cyber intelligence-sharing mechanism for ensuring collaboration with government bodies and industry peers should be established.

An ongoing step is educating employees and management of the regulatory requirements and best cybersecurity practices to improve organisational awareness.

06 What are the sanctions?

Financial entities that violate the requirements will be sanctioned by the BNB or the FSC with fines of BGN 20,000 to BGN 40,000 (approx. EUR 10,000 to EUR 20,000). For repeat violations, the sanctions increase to BGN 40,000 to BGN 100,000 (approx. EUR 20,000 to EUR 50,000).

Representatives of financial entities (i.e., natural persons) can be fined by the BNB or the FSC in their personal capacity if they violate the requirements or allow such a violation. The fines range from BGN 10,000 to BGN 20,000 (approx. EUR 5,000 to EUR 10,000). Repeat violations can lead to fines in the range of BGN 20,000 to BGN 40,000 (approx. EUR 10,000 to EUR 20,000).


CROATIA

01 Main legislation regulating operational resilience for the financial sector

The main legislation governing operational resilience for the financial sector is the EU's Digital Operational Resilience Act ("DORA"), established by Regulation 2022/2554/EU on digital operational resilience.

The Regulation is complemented by various implementing and delegated acts that provide further guidance and details on specific aspects of the Regulation. A full list of these implementing and delegated acts can be found here.

In addition to EU legislation, national legislation has been adopted in Croatia to implement DORA into Croatian law, i.e., the Act on the Implementation of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector ("DORA Implementing Act").

02 Who needs to comply?

DORA applies to a broad spectrum of financial entities as well as to certain ICT third-party service providers. Specifically, it directly covers financial entities including:

  • banks and other credit institutions;
  • insurance and reinsurance firms;
  • investment firms;
  • payment service providers;
  • crypto-asset service providers.

In addition to these entities, DORA also has implications for ICT third-party service providers, such as cloud computing or data analytics providers, if they offer services to financial entities.

Notably, ICT third-party service providers that are deemed critical may be formally designated as such by the European Supervisory Authorities (EBA, ESMA, or EIOPA). Once designated, these ICT third-party service providers fall under direct supervision within the DORA framework.

DORA does not apply to credit unions or to the Croatian Bank for Reconstruction and Development.

03 Who are the responsible regulators?

The Croatian National Bank ("HNB") and the Croatian Agency for the Supervision of Financial Services ("HANFA") are the competent authorities under the DORA Implementing Act.

HNB is the competent authority for:

  • credit institutions;
  • payment institutions;
  • account information service providers;
  • electronic money institutions;
  • issuers of asset-referenced tokens.

For other entities, the competent authority is HANFA.

04 What are the key requirements?

DORA is structured around five key pillars:

  1. ICT Risk Management – Businesses must implement strong cybersecurity measures, conduct regular security testing, and involve senior management in ICT risk governance.
  2. Incident Reporting – Companies must detect, classify, and report significant ICT-related incidents promptly using a standardised format. The European Supervisory Authorities will create a unified reporting format.
  3. Digital Operational Resilience Testing – Companies must conduct regular penetration testing, vulnerability assessments, and scenario-based exercises. Critical financial firms must conduct Threat-Led Penetration Testing at least every three years.
  4. ICT Third-Party Risk Management – Enhanced oversight of external ICT service providers, including mandatory contractual obligations and compliance checks. The European Supervisory Authorities will designate certain ICT providers as critical.
  5. Cyber Threat Intelligence Sharing – Encourages collaboration across the financial sector to improve cybersecurity defences.

05 What steps and actions should be undertaken?

  1. Conduct a gap analysis to assess current ICT risk management practices and identify areas for improvement.
  2. Strengthen governance structures by assigning clear roles and responsibilities for ICT risk management.
  3. Strengthen third-party risk management by reviewing vendor contracts and establishing mandatory security requirements.
  4. Develop an incident reporting protocol aligned with DORA's reporting requirements to ensure timely and accurate reporting.
  5. Implement regular cybersecurity testing, including penetration testing, scenario-based exercises, and operational resilience drills.
  6. Establish cyber intelligence sharing mechanisms to collaborate with industry peers and regulators on emerging threats.
  7. Educate employees and management on DORA's requirements and cybersecurity best practices to improve organisational awareness.

06 What are the sanctions?

HNB and HANFA can issue supervisory measures as follows:

  • order supervised entities and responsible persons to cease and desist from behaviour that violates DORA;
  • request a temporary or permanent cessation of actions or behaviour deemed contrary to DORA and prevent their recurrence;
  • impose or determine measures in accordance with DORA and file charges to ensure supervised entities comply with these regulations;
  • request existing telecommunication operator records on data traffic;
  • issue public announcements.

Companies may face significant sanctions for breaching obligations under DORA. The DORA Implementing Act provides for administrative fines of up to 3% of total annual turnover, including at the consolidated level. Responsible individuals and management members of companies can also be fined up to EUR 15,000.

Additionally, sanction decisions may be published on HNB's or HANFA's websites.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
