Published: 20.09.2023 Updated: 03.02.2025

ICT security and cyber risk monitoring

Objective of ICT security and cyber risk monitoring

The objective of information and communication technology (ICT) security and cyber risk monitoring is to promote the availability of safe, secure, reliable and at the same time innovative financial services. Therefore, the digital operational resilience of the financial market is one of the supervisory priorities of Latvijas Banka.

Market participants are tasked with developing and enhancing their capabilities to defend against growing and evolving cyber threats by strategically planning ICT protection and responding effectively to ICT vulnerabilities and security incidents, thereby ensuring the protection and viability of ICT.

This includes both the necessary technological resources and the awareness and knowledge of the capabilities to protect themselves – both for the financial institution itself and for society at large.

According to the European Union Agency for Cybersecurity (ENISA; see Threat Landscape — ENISA), these are the prime cyber threats with a potential to pose risks also to financial market participants:

  • threats against availability (denial of service, including DDoS) and ransomware remain amongst the top threat types also in 2024;
  • Living Off Trusted Sites (LOTS): threat actors extend their stealth techniques into the cloud platforms, using trusted sites and legitimate services to avoid detection and disguising their activities as ordinary network data traffic or innocuous messages on platforms like Slack and Telegram;
  • geopolitics continues to be a strong driver of cybercrime;
  • business e-mail compromise (BEC) incidence is rising rapidly;
  • extortion by weaponising disclosure requirements: companies are pushed to fulfil extortion demands ahead of the required reporting deadline;
  • AI tools: cyber criminals use tools like FraudGPT and large language models to create scam e-mails and generate malicious PowerShell scripts;
  • hacktivists overlapping their activities with state-sponsored cybercriminal groups: there is an increasing similarity between both groups;
  • a surge in mobile banking malware coupled with an increase in the complexity of their attack vectors;
  • Malware-as-a-Service (MaaS) offerings continue to be a significant and rapidly evolving threat, particularly since mid-2023;
  • third-party compromises through social engineering are becoming increasingly wide-spread;
  • data compromise has increased in 2024, and it shows signs of maintaining this momentum;
  • DDoS-for-Hire allows large-scale attacks to be launched by unskilled users;
  • information manipulation continues to be a key element of Russia's war of aggression against Ukraine, with an effort to further localise content while simultaneously globalising its presence;
  • the threat of AI-enabled information manipulation has grown; for example, threat actors have been observed experimenting with AI for information manipulation to assess the potential of the technology.

DORA – the new ICT security framework for financial entities

Necessity to introduce DORA

DORA, or the Digital Operational Resilience Act, is Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector that entered into force on 17 January 2023.

The increased use of technology in the digitalisation process not only provides business opportunities for existing and new market participants, but also increases risk. The framework aims to mitigate the risks associated with the digital transformation of the financial sector by setting common rules for all market participants. The rules apply to a wide range of financial entities and also reach the ICT third-party service providers on which they depend, such as cloud service providers, telecommunication operators, software developers and other digital service providers.

Critical ICT third-party service providers with cross-border reach, high concentration risk and systemic impact will be subject to centralised oversight at European level.

DORA applies to the following categories of financial entities and service providers:

  • credit institutions;
  • insurance corporations;
  • investment management companies;
  • investment firms;
  • insurance brokers that are large companies;
  • payment institutions;
  • electronic money institutions;
  • alternative investment fund managers (with exceptions);
  • crowdfunding platforms;
  • central securities depositories;
  • central counterparties;
  • data reporting service providers;
  • crowdfunding service providers;
  • account information service providers;
  • credit rating agencies;
  • securitisation repositories;
  • private pension funds (with exceptions);
  • crypto-asset service providers;
  • issuers of asset-referenced tokens;
  • ICT third-party service providers.

The exact definitions of the scope of DORA will be set out in the Law on the Digital Operational Resilience of the Financial Market (see the Draft Legislation website).

Each financial entity identifies and categorises its own ICT service providers in compliance with the implementing technical standards, for example:

  • cloud computing service providers;
  • software suppliers, developers and software support;
  • ICT project management and advice;
  • ICT security, risk and operational management;
  • ICT infrastructure, hardware equipment, premises, data storage platforms;
  • communications service providers, systems and networks;
  • data analytics service providers;
  • providers of data centres services;
  • participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructures;
  • financial entities providing ICT services to other financial entities;
  • undertakings that are part of a financial group and provide ICT services to their parent undertaking, subsidiaries or branches of their parent undertaking.

Regulatory framework under DORA

The DORA requirements are divided into five pillars and are detailed in regulatory technical standards (RTS) and implementing technical standards (ITS). These were prepared in batches and put through public consultation; the first batch has been adopted, while the second batch was still available only in draft form at the time of writing (see "Current status of regulatory documents related to DORA" below).

The first group of standards largely refines existing regulatory requirements and covers two pillars in detail: the ICT risk management framework and ICT incident reporting.

The ICT Risk Management RTS set out harmonised requirements in relation to the existing risk framework for financial entities, based on the Guidelines on ICT and security risk management issued by the European Banking Authority.

The ICT incident reporting RTS and ITS harmonise the incident reporting framework, including incident classification and reporting requirements, and establish a common reporting format.

ICT risk management framework:

  • RTS "Risk Management";
  • RTS "Simplified Risk Management";
  • Guidelines for calculating ICT losses.

ICT incident reporting:

  • RTS "Incident Classification";
  • RTS "Significant Incident Reporting";
  • RTS "Incident Reporting Specification".

Financial entities subject to the requirements laid down by Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA), in accordance with Article 19 of this Regulation, report major ICT-related incidents and significant cyber threats to Latvijas Banka.

The content of the reports and the templates are stipulated in the regulatory and implementing technical standards (RTS/ITS). Incidents and cyber threats are classified and reported:

  • according to Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing DORA with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
  • according to the Commission Implementing Regulation laying down implementing technical standards for the application of DORA with regard to standard templates and procedures for reporting major incidents and significant cyber threats (Commission Implementing Regulation (EU) 2025/302).

Financial entities report major ICT-related incidents and significant cyber threats to Latvijas Banka in XLSX (Microsoft Excel Open XML) file format according to the XLSX file templates published on Latvijas Banka's website (without altering the worksheet order and table placement in both templates).

Financial entities send reports of incidents and significant cyber threats to the official e-address of Latvijas Banka.

Credit institutions classified as significant submit reports using Latvijas Banka's file exchange service (FAS).

The initial notification must be submitted within 4 hours of classifying the incident as major and no later than 24 hours after the financial entity became aware of the incident, whichever comes first. The intermediate report is due within 72 hours of submitting the initial notification, and the final report within 1 month of submitting the intermediate report.

After collecting, analysing, and classifying incident information using templates (Excel file), financial entities prepare an initial notification followed by an intermediate report and a final report, and submit them to Latvijas Banka according to the specified deadlines.

When submitting an intermediate report or a final report, the template retains the information previously provided in the initial notification or the intermediate report. If necessary, the previously submitted information in the relevant tables is revised.

The XLSX file templates for both report types are published on Latvijas Banka's website.

The file name format is aaa_v_nn_yyyymmdd.xlsx, where:

  • aaa – file name prefix: "DORA_IR" for major incident reports, "DORA_CYB" for significant cyber threat reports;
  • v – version number of the submitted incident report (for cyber threat reports, only "1" is used): "1" – initial notification, "2" – intermediate report, "3" – final report;
  • nn – report sequence number, if there is more than one report on the submission day (two digits, such as 01, 02, etc.);
  • yyyymmdd – date of submission of the initial notification of the incident (yyyy – year, mm – month, dd – day).
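The deadline rules and the file naming convention above are easy to get wrong under time pressure, so the following Python script is offered as an added worked example (it is not code from Latvijas Banka and not part of the official templates). It builds and validates report file names and computes the three reporting deadlines from the detection and classification timestamps. Assumptions, stated here and in the comments: the initial notification is due at the earlier of "4 hours after classification" and "24 hours after detection"; the 72-hour window is counted from the moment the initial notification was actually submitted; "1 month" is treated as a calendar month, clamped to the last day of the next month. All timestamps in the usage example are constructed.

```python
import calendar
import re
from datetime import date, datetime, timedelta

# Added example, not Latvijas Banka's code. Encodes the aaa_v_nn_yyyymmdd.xlsx
# naming convention and the DORA reporting deadlines described on this page.

FILENAME_RE = re.compile(
    r"^(?P<prefix>DORA_IR|DORA_CYB)_(?P<version>[123])_(?P<seq>\d{2})_(?P<date>\d{8})\.xlsx$"
)
STAGE_NAMES = {"1": "initial notification", "2": "intermediate report", "3": "final report"}


def build_filename(kind, version, seq, initial_date):
    """Return the file name for a report.

    kind: 'incident' (DORA_IR) or 'threat' (DORA_CYB); version: 1, 2 or 3;
    seq: sequence number for the submission day (1..99);
    initial_date: date on which the initial notification was submitted.
    """
    if kind == "incident":
        prefix = "DORA_IR"
    elif kind == "threat":
        prefix = "DORA_CYB"
        if version != 1:
            raise ValueError("cyber threat reports use version 1 only")
    else:
        raise ValueError("kind must be 'incident' or 'threat'")
    if version not in (1, 2, 3):
        raise ValueError("version must be 1, 2 or 3")
    if not 1 <= seq <= 99:
        raise ValueError("sequence number must be between 01 and 99")
    return f"{prefix}_{version}_{seq:02d}_{initial_date:%Y%m%d}.xlsx"


def parse_filename(name):
    """Validate a file name against the convention and return its parts; raise ValueError otherwise."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"does not match aaa_v_nn_yyyymmdd.xlsx: {name!r}")
    if m["prefix"] == "DORA_CYB" and m["version"] != "1":
        raise ValueError("cyber threat reports must use version 1")
    try:
        initial_date = datetime.strptime(m["date"], "%Y%m%d").date()
    except ValueError:
        raise ValueError(f"invalid date field {m['date']!r}") from None
    return {
        "kind": "incident" if m["prefix"] == "DORA_IR" else "threat",
        "stage": STAGE_NAMES[m["version"]],
        "sequence": int(m["seq"]),
        "initial_date": initial_date,
    }


def add_one_month(moment):
    """Same day of the next month, clamped to that month's last day.
    Assumption: '1 month' means a calendar month."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_deadlines(detected_at, classified_at, initial_sent=None, intermediate_sent=None):
    """Return the deadlines that can be computed from the timestamps known so far.

    Assumptions: the initial notification is due at the earlier of classification + 4 h
    and detection + 24 h; the intermediate report 72 h after the initial notification
    was submitted; the final report one calendar month after the intermediate report
    was submitted.
    """
    if classified_at < detected_at:
        raise ValueError("an incident cannot be classified before it is detected")
    deadlines = {
        "initial": min(classified_at + timedelta(hours=4), detected_at + timedelta(hours=24))
    }
    if initial_sent is not None:
        deadlines["intermediate"] = initial_sent + timedelta(hours=72)
    if intermediate_sent is not None:
        deadlines["final"] = add_one_month(intermediate_sent)
    return deadlines


if __name__ == "__main__":
    # Constructed timeline: detected in the morning, classified as major in the evening.
    detected = datetime(2025, 3, 3, 9, 0)
    classified = datetime(2025, 3, 3, 20, 0)
    print(reporting_deadlines(detected, classified))  # initial due 2025-03-04 00:00
    name = build_filename("incident", 1, 1, date(2025, 3, 3))
    print(name, parse_filename(name))
```

Note that the "earlier of" rule bites when classification is slow: in the example the incident was classified 11 hours after detection, so the 4-hour clock from classification (midnight) expires before the 24-hour clock from detection (09:00 the next day). Teams that start the clock only at classification will miss the deadline in the opposite case, where classification happens late on the second day.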

Financial entities can fill in the incident report template in Latvian or English.

The availability of the contact points or employees indicated in the report must be ensured throughout the incident handling cycle.

If the financial entity has also sent the incident report to the National Cyber Security Centre or consulted it about incident containment solutions, the initial notification must include the relevant information.

If a financial entity plans to delegate or has delegated the reporting obligation to a third party or an ICT service provider, it must notify Latvijas Banka through the general communication procedure.

DORA also includes three new regulatory areas with significant implications for financial entities:

  • risk management of third-party ICT providers – this also subjects the critical ICT third-party service providers of financial entities to regulatory requirements;
  • operational resilience testing – this is expected to harmonise and standardise digital operational resilience testing requirements – following a risk-based approach, companies should implement assessments, testing, methodologies, solutions and tools that are appropriate to the size, business and risk profile of the company;
  • European supervisory framework – this will ensure the overall functioning of the mechanism from a cross-border perspective and the supervision of critical third-party service providers by a single supervisor in cooperation with national competent authorities.
Digital resilience testing:

  • RTS "Threat-Led Penetration Testing".

Risk management of third-party ICT providers:

  • ITS "Supplier Information Register Form";
  • RTS "Supplier Use Policy";
  • RTS "Criticality Determination of Suppliers".

Framework for the monitoring of critical service providers:

  • RTS "Harmonisation of Monitoring Conditions";
  • Guidelines for cooperation between national competent authorities and European supervisory authorities.

DORA is directly applicable, but in order to provide a legal basis for supervision and to define the supervisory authorities and their responsibilities, the Ministry of Finance is drafting the Law on the Digital Operational Resilience of the Financial Market (see Legislation | Ministry of Finance (fm.gov.lv) and the Draft Legislation website).

Latvijas Banka's Regulation No 360 "Regulation on Information Technology and Security Risk Management" of 2 December 2024 applies until 17 January 2025. The new ICT security requirements have been set out under the DORA framework. Financial entities falling outside the scope of DORA will have to ensure compliance with the digital operational resilience requirements as of 2025 based on simplified ICT risk management rules. Latvijas Banka intends to issue the respective Regulation after receiving the relevant delegation.

Latvijas Banka's Regulation No 361 "Regulation on Major Incident Reporting Related to Payment Services" of 2 December 2024 applies until 17 January 2025. After 17 January 2025, incident reporting and management will have to comply with the DORA requirements.

The Financial and Capital Market Commission's Regulation No 84 "Regulations on Outsourcing Arrangements" of 6 July 2021 was reissued as Latvijas Banka's Regulation No 374 "Regulation on Outsourcing Arrangements for Credit Institutions, Payment Institutions and Electronic Money Institutions" of 16 December 2024. ICT third-party service providers are excluded from the outsourcing regulation, as the management requirements and the requirements for ICT contractual arrangements are set out in DORA.

The three European Supervisory Authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority – are compiling questions and answers to support consistent and effective application of European Union regulation in the area of financial services. The database of questions and answers regarding DORA is available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As – EIOPA) and can be navigated by selecting appropriate filters.

The questions published there are the ones that market participants have most often found confusing. If you cannot find an answer to your question via the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to Latvijas Banka or submit your question via EIOPA's web resource Joint Q&As – EIOPA.

Question. In what cases and how does Latvijas Banka intend to exercise its right to request financial institutions to conduct threat-led penetration testing (TLPT)?
Answer. DORA provides that the supervisor may request that testing is conducted by a wide range of financial entities, but the competent authority may apply exceptions based on the principle of proportionality. TLPT subjects will be selected by evaluating the maturity of their ICT governance and processes and criticality for the overall financial system, with a primary focus on systemically important market participants. The management of the entity will be notified well in advance of being selected to take part in the testing exercise, so that it can start the planning process and setting up test management teams.

Question. How will the branches of financial entities registered in Latvia be supervised?
Answer. The competent authority ensuring the supervision of branches is the financial market supervisor of the Member State where the parent financial entity is established.

Question. Do we understand correctly that, with DORA becoming applicable, we will no longer have to report incidents to the European Central Bank but will instead report them to Latvijas Banka?
Answer. Financial entities that previously reported major incidents to the European Central Bank will now report them to Latvijas Banka.

Question. To what extent are the DORA requirements for ICT third-party service providers applicable to software licence distributors? We believe that several requirements are not really applicable, as a distributor does not process any financial institution data, and also the existence or non-existence of a distributor does not affect the operation of the software itself.
Answer. The implementing technical standards for the register of information outline requirements regarding the contractual arrangements to be registered in the register of ICT third-party service providers. They are based on the need for information to identify critical ICT providers and ensure their supervision at the European Union level. The register of information must contain information about software licences. In order to answer the question whether a distributor of licences is an ICT third-party service provider, one has to analyse the commitments outlined in the respective supply contract. An explanation by the European Securities and Markets Authority is available here: ESMA_QA_2103.

Question. In the context of further improving the Law on the Digital Operational Resilience of the Financial Market, are there any plans to review the list of financial entities subject to simplified digital operational resilience requirements to align the requirements across the Baltic States, i.e. to avoid imposing stricter requirements on certain financial entities?
Answer. The proposal is to apply simplified digital operational resilience requirements to financial entities that fall outside the scope of DORA. At the national level, the scope of DORA can only be extended or narrowed with regard to specific categories of market participants, such as credit unions. This is not an option for other market segments.

Question. Is it true that non-bank lenders (instant loans) fall outside the scope of both DORA and NIS2 (National Cyber Security Law)?
Answer. Non-bank lenders are licensed and supervised by the Consumer Rights Protection Centre. In order to find out the status with regard to the requirements of the National Cyber Security Law, one can use the interactive tool NKDL tests.

Question. Please confirm that we have understood correctly: only the existing ICT service contracts that support critical or important functions should be renewed (amended), i.e. not all existing ICT service contracts, but only those that support critical or important functions.
Answer. The ICT contractual arrangements supporting critical and important functions have to include mandatory provisions based on the requirements set out by Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and an adequate management policy must be developed and implemented. Evaluating and renewing such contracts is a priority to ensure compliance.

As to other ICT contractual arrangements, their compliance with the management principles of third-party related ICT risks and associated risks must be evaluated (Article 28 of DORA). If necessary, these contractual arrangements must also be amended to provide for auditing rights, consent to cooperation with the competent authorities and the requirements referred to in Articles 30(1) and 30(2) of DORA regarding key contractual provisions.

Current status of regulatory documents related to DORA

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework

Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents

Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities

Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information

Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid

ESAs Decision of 8 November 2024 concerning the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third-party service providers in accordance with the Digital Operational Resilience Act (DORA)

The second batch of draft regulatory standards and guidelines is available on the website of the European Insurance and Occupational Pensions Authority.

RTS and ITS on content, format, templates and time frame for reporting major ICT incidents and notifying significant cyber threats

RTS on threat-led penetration testing (TLPT)

RTS on harmonisation of conditions enabling the conduct of the oversight activities

RTS on the criteria to establish the Joint Examination Teams

Guidelines on oversight cooperation

Guidelines on the estimation of aggregated costs and losses caused by major ICT-related incidents

Digital transformation of the financial market and digitalisation processes inevitably entail challenges related to:

  • the organisation's ability to manage a sizeable portfolio of ICT projects;
  • testing of emerging and unproven technologies;
  • insufficient staff experience and expertise;
  • managing the life cycle of outdated technologies;
  • cross-border cooperation with suppliers.

When embarking on ambitious digitalisation projects, the management body of an organisation should have in place a risk management culture that accommodates development based on cutting-edge and innovative technologies, such as artificial intelligence.

The cornerstone of this risk culture is effective communication across all organisational levels involved in digital transformation projects. This includes clear accountability for risks, their management and monitoring based on pre-defined criteria, while at the same time allowing for the testing of digital transformation initiatives.

The risk management culture can be enhanced by implementing targeted programmes, such as innovation laboratories, where participants can directly assess the opportunities and risks associated with technologies.

With financial market services becoming increasingly digitalised, the level of potential threats and damage arising from cyberattacks is rising. An effective risk management framework and an adequate risk appetite help to strike a balance between development and limiting potential losses.