Financial Crime World

Fintech Companies Face New Cybersecurity Regulations: What You Need to Know


As the fintech industry continues to grow and evolve, it’s becoming increasingly important for companies in this space to prioritize cybersecurity and compliance with new regulations.

NIS2 and DORA: What You Need to Know


The NIS2 Directive (the revised Network and Information Security Directive) and the Digital Operational Resilience Act (DORA) will start to apply over the coming years, affecting fintech companies either directly or indirectly. Here is a brief overview of what you need to know:

  • NIS2: Expected to be transposed into Danish law by the EU deadline of 17 October 2024, NIS2 sets out a risk-based approach to managing cybersecurity risk, with a minimum set of technical and organizational measures that covered entities must implement.

    • Specific measures include:
      • Testing requirements, including policies and procedures to assess the effectiveness of the security measures in place
      • Notification obligations for significant incidents (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of the incident, followed by a final report)
      • Supply chain security requirements covering the relationship between each entity and its direct suppliers and service providers
  • DORA: In force since 16 January 2023 and applying from 17 January 2025, DORA is a regulation, not guidance: it sets binding requirements for how financial entities must manage ICT risk, covering ICT risk management, ICT-related incident reporting, digital operational resilience testing, and management of ICT third-party risk. Both NIS2 and DORA emphasize transparency and documentation in managing cybersecurity risk.

Implications for Fintech Companies


Fintech companies that qualify as financial entities under DORA (for example payment institutions, e-money institutions and crypto-asset service providers) will be directly covered by these regulations. However, fintechs that do not themselves provide regulated financial services may still be affected: as ICT service providers to financial entities, or as suppliers to NIS2-covered entities, they can expect supply chain security obligations to be passed down to them contractually. Some key requirements to consider include:

  • Sufficient internal security protection and procedures
  • Security testing (including penetration tests) and audits; under DORA, financial entities designated by their competent authority must additionally undergo threat-led penetration testing (TLPT) at least every three years
  • Sub-outsourcing: ensuring sub-contractors comply with agreed security policies
  • Security incident procedures and patch management processes

European Banking Authority Guidelines


The European Banking Authority (EBA) has also issued guidelines on how to manage and assess risk, notably the Guidelines on ICT and security risk management and the Guidelines on outsourcing arrangements, introducing several procedures and processes to mitigate cybersecurity risk. These guidelines have become increasingly detailed over time, regulating not only governance processes but also specific activities such as access management, change management, and the monitoring of outsourced functions.

Cross-Border Business


Denmark’s fintech hub, Copenhagen Fintech, is working to break down barriers for Danish fintechs through partnerships with foreign hubs and conferences like Nordic Fintech Week.

Conclusion


The new regulations will have a significant impact on fintech companies, requiring them to prioritize cybersecurity and compliance. Companies that do not comply may face substantial fines: under NIS2, administrative fines for essential entities can reach EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, and for important entities EUR 7 million or 1.4%. Penalties under DORA are set by each member state.

It’s essential for fintech companies to understand the implications of NIS2, DORA, and the EBA guidelines and take steps to ensure they are meeting these new regulatory requirements.

Acknowledgments


The authors would like to acknowledge the contribution of their colleagues Mille Selbach Rasmussen, Sille S. Lauridsen, and Sebastian K. Hansen in writing this chapter.