Iran's Cyber Warfare: Legal Implications for Financial Institutions Under DORA

War creates legal ambiguity. Cyber war creates more. When kinetic military operations against Iran escalated in early March 2026, the parallel cyber dimension introduced a set of legal questions that financial institutions and their legal counsel are still working to answer.
On March 17, Kennedys Law published an analysis examining the legal implications of Iran's cyber operations for commercial businesses. On March 12, Just Security assessed the international law framework governing cyber operations conducted alongside kinetic warfare. Together, these analyses paint a picture of a legal landscape where the responsibilities of financial institutions under DORA collide with the realities of state-sponsored cyber warfare.
The core question is deceptively simple: when an Iranian state-sponsored group compromises your financial institution's systems, are you a victim of war or a non-compliant regulated entity?
The Cyber Threat Landscape: Iran's Capabilities
Iran has maintained sophisticated cyber warfare capabilities for over a decade. The 2026 conflict has not created new capabilities — it has provided new motivation and new targets.
According to Kennedys Law, the primary threat vectors from Iranian state-sponsored groups against financial institutions include:
| Threat Vector | Iranian APT Groups | Financial Sector Targeting | DORA Relevance |
|---|---|---|---|
| Destructive wiper malware | APT33 (Elfin), APT35 (Charming Kitten) | Bank systems, payment networks | Art. 17: Major incident classification |
| Ransomware (state-sponsored) | MuddyWater, DEV-0270 | Data encryption for disruption | Art. 19: Incident reporting obligation |
| Supply chain compromise | Seedworm | Third-party software providers | Art. 28: Third-party risk |
| DDoS campaigns | Cyber Av3ngers | Customer-facing banking portals | Art. 11: Business continuity |
| Data exfiltration | APT42 | Customer records, financial data | Art. 17: Data breach classification |
The distinction between these groups' peacetime espionage activities and their wartime operational posture is significant. As Just Security noted, the escalation from intelligence gathering to destructive operations represents a qualitative change in threat level that financial institutions must account for in their risk assessments.
The Legal Intersection: International Law Meets DORA
The legal framework governing state-sponsored cyberattacks during armed conflict operates at multiple levels, and each level creates different implications for financial institutions.
International Humanitarian Law (IHL) and Cyber Operations
IHL — the Geneva Conventions and their protocols — applies to cyber operations conducted during armed conflict. The Tallinn Manual 2.0, the most comprehensive academic treatment of international law as applied to cyber operations, establishes several relevant principles:
- Distinction: Cyber operations must distinguish between military and civilian objects. A state-sponsored attack on a civilian bank's systems would violate this principle — but proving attribution and enforcing IHL in cyberspace remains practically impossible.
- Proportionality: Even if a bank's systems are deemed to contribute to the enemy's war effort (e.g., by processing military-related transactions), attacks must be proportionate.
- Neutral state obligations: Financial institutions in neutral EU states should theoretically be protected. However, if their infrastructure processes transactions for parties to the conflict, their neutrality becomes legally ambiguous.
The DORA Obligation: Regardless of Attribution
Here is the critical point for financial institutions: DORA does not care who attacked you. The regulation's requirements apply regardless of whether the threat actor is a criminal gang, a hacktivist collective, or a nation-state military unit.
Under Article 17, financial entities must classify, manage, and report ICT-related incidents. The classification criteria — impact on customers, data integrity, service availability — do not include a carve-out for state-sponsored attacks. A destructive wiper deployed by an Iranian APT group triggers exactly the same incident management obligations as ransomware from a criminal enterprise.
Under Article 19, major ICT incidents must be reported to the competent authority. The 4-hour initial notification, 72-hour intermediate report, and 1-month final report timelines apply regardless of the attacker's identity or motivation.
The Insurance Coverage Gap
Kennedys Law highlighted a critical practical issue: most cyber insurance policies contain war exclusion clauses. The standard Lloyd's Market Association (LMA) cyber war exclusions, updated in 2023, exclude losses arising from "cyber operations by or on behalf of a state" during armed conflict.
This creates a double bind for financial institutions:
| Scenario | Cyber Insurance | War/Political Violence Insurance | Coverage Gap |
|---|---|---|---|
| Criminal ransomware | Covered | Not applicable | None |
| State-sponsored cyber during peacetime | Coverage disputed | Not applicable | Partial |
| State-sponsored cyber during armed conflict | Excluded (war clause) | Physical damage only | Complete |
| Collateral cyber damage from military cyber ops | Excluded (war clause) | Typically physical only | Complete |
For DORA-regulated entities, the insurance gap means that the financial impact of a state-sponsored cyberattack during the Iran conflict would be borne entirely by the institution. This has implications for ICT risk management — risk assessments that relied on insurance transfer for cyber risk are now materially incomplete.
Practical Legal Implications for DORA-Regulated Entities
1. Enhanced Duty of Care
The Just Security analysis argued that when a state of armed conflict exists and cyber operations are a known component of hostilities, financial institutions have a heightened duty of care. Failure to implement enhanced monitoring, additional access controls, and accelerated patching in response to a known state-sponsored threat could be construed as a failure to meet DORA's ICT risk management requirements.
The European Banking Authority has not issued specific guidance on wartime cyber hygiene, but the general principle under DORA Article 6 is that ICT risk management must be proportionate to the threat landscape. When the threat landscape includes active state-sponsored cyber warfare, the proportionate response is significantly higher.
2. Third-Party Exposure Amplification
DORA Articles 28-30 require financial entities to manage ICT third-party risk. During the Iran conflict, this requirement becomes more complex because:
- Third-party providers may themselves be targeted by state-sponsored groups (as the Seedworm campaign demonstrated)
- The supply chain for third-party services may traverse conflict-affected infrastructure
- Third-party providers in the Gulf region may be unable to maintain SLAs due to kinetic disruption
Financial institutions must assess whether their third-party providers have adequate defenses against state-sponsored threats and whether their contractual provisions address scenarios where the provider is compromised by a state actor.
3. Regulatory Reporting Complexity
When a financial institution is hit by a state-sponsored cyberattack during armed conflict, the reporting obligations multiply.
The challenge is that attribution — confirming the attack is state-sponsored — takes time. The DORA reporting timelines begin when the incident is detected, not when attribution is complete. Financial institutions must report the incident as a major ICT incident while the attribution investigation is ongoing, then update the report as more information becomes available.
4. Data Breach Dimensions
If a state-sponsored group exfiltrates customer data from a European financial institution, the GDPR reporting obligations layer on top of DORA requirements. The GDPR's 72-hour notification window to the Data Protection Authority runs concurrently with DORA's reporting timeline, but the content requirements differ.
Moreover, if the exfiltrated data is used for intelligence purposes by a foreign state, the institution faces an unprecedented data breach scenario: the data may be impossible to recover, the scope of exposure may be unknowable, and the remediation options may be limited by the ongoing conflict.
The State Actor Defense: Does It Exist?
Financial institutions may be tempted to argue that a state-sponsored cyberattack constitutes force majeure — an extraordinary event beyond their control that excuses non-compliance with DORA obligations. This argument is legally fragile for several reasons.
First, DORA's risk management framework explicitly requires financial entities to consider the full threat landscape, including state-sponsored threats. Article 5 mandates an "effective and prudent" ICT risk management framework that accounts for "the full range of ICT risks."
Second, state-sponsored cyber threats are not unforeseeable. ENISA has published threat landscape reports identifying state actors as a primary threat to the financial sector for years. A risk that was foreseeable and documented is not force majeure.
Third, the regulatory expectation is not that financial institutions prevent all state-sponsored attacks — that would be unreasonable. The expectation is that they have proportionate defenses, can detect intrusions promptly, can contain damage, and can report and recover within defined timeframes. Failure to meet these expectations cannot be excused by the attacker's identity.
| Defense Argument | Legal Viability | Regulatory View |
|---|---|---|
| "It was a state actor — force majeure" | Weak — threat was foreseeable | DORA requires planning for full threat spectrum |
| "No commercial defense can stop a state military" | Partially valid | Proportionate defense expected, not perfect defense |
| "We relied on government to protect us" | Very weak | DORA places responsibility on the financial entity |
| "Our insurance excluded it" | Irrelevant to DORA | Insurance is not a substitute for resilience |
Recommendations
For DORA-regulated entities navigating the legal complexities of state-sponsored cyber threats during the Iran conflict:
- Elevate your threat model immediately. Integrate state-sponsored APT tactics, techniques, and procedures (TTPs) into your ICT risk assessment. The FS-ISAC has published indicators specific to Iranian state-sponsored groups.
- Review your insurance coverage. Understand exactly where the war exclusion applies and what residual exposure exists. Consider supplementary political violence coverage.
- Prepare your incident response for dual-track reporting. Build playbooks that simultaneously address DORA, GDPR, NIS2, and national intelligence notification requirements.
- Document everything. Your defense against regulatory criticism is not that you prevented the attack, but that you managed it in accordance with your DORA-compliant ICT risk framework. Documentation is evidence of diligence.
- Engage with sector information sharing. DORA Article 45 encourages information sharing arrangements. The intelligence shared through FS-ISAC and similar bodies is your best source of early warning for state-sponsored campaigns.
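The dual-track reporting problem described in sections 3 and 4 above, and in the recommendation on dual-track playbooks, comes down to running several regulatory clocks from one detection timestamp while attribution is still open. The following Python scheduler is an added example, not code from the article or from Kennedys Law or Just Security. It assumes, as the article states, that every clock starts at detection; it uses the DORA figures (4 hours, 72 hours, 1 month) and the GDPR 72-hour window quoted in the article, and adds the NIS2 Article 23 figures (24 hours, 72 hours, one month), which are not stated on the page. The detection timestamp is constructed, and the function names (`build_schedule`, `filings_before_attribution`, `report_status`) are the example's own.

```python
"""Dual-track incident-reporting schedule (added example, not the article's code).

Assumptions: all clocks run from detection, as the article describes; DORA and
GDPR figures are those quoted in the article; NIS2 figures are NIS2 Art. 23 and
are not stated in the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar


@dataclass(frozen=True)
class Deadline:
    regime: str      # "DORA", "GDPR" or "NIS2"
    report: str      # which filing this deadline belongs to
    due: datetime    # absolute, timezone-aware deadline


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition that clamps to the last day of the target month
    (31 Jan -> 28/29 Feb), so a 'one month' deadline never skips a month."""
    month = t.month + 1
    year = t.year + (month - 1) // 12
    month = (month - 1) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


# Clocks as (regime, report, function of detection time).
# DORA and GDPR lines follow the article; NIS2 lines are NIS2 Art. 23 (assumption).
CLOCKS = [
    ("DORA", "initial notification",    lambda t: t + timedelta(hours=4)),
    ("DORA", "intermediate report",     lambda t: t + timedelta(hours=72)),
    ("DORA", "final report",            add_one_month),
    ("GDPR", "DPA breach notification", lambda t: t + timedelta(hours=72)),
    ("NIS2", "early warning",           lambda t: t + timedelta(hours=24)),
    ("NIS2", "incident notification",   lambda t: t + timedelta(hours=72)),
    ("NIS2", "final report",            add_one_month),
]


def build_schedule(detected_at: datetime, personal_data_affected: bool) -> list[Deadline]:
    """Merged, time-ordered schedule across regimes, all running from detection.
    The GDPR track only applies when personal data is affected, as the article notes."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    deadlines = [
        Deadline(regime, report, clock(detected_at))
        for regime, report, clock in CLOCKS
        if personal_data_affected or regime != "GDPR"
    ]
    return sorted(deadlines, key=lambda d: d.due)  # stable: ties keep CLOCKS order


def filings_before_attribution(schedule: list[Deadline], attribution_at: datetime) -> list[Deadline]:
    """Reports that fall due before attribution is confirmed. These must be filed
    with attribution recorded as 'under investigation' and updated afterwards."""
    return [d for d in schedule if d.due < attribution_at]


def report_status(schedule: list[Deadline], now: datetime, filed: set[tuple[str, str]]):
    """Split unfiled deadlines into overdue and upcoming.
    `filed` holds (regime, report) pairs that have already been submitted."""
    unfiled = [d for d in schedule if (d.regime, d.report) not in filed]
    overdue = [d for d in unfiled if d.due <= now]
    upcoming = [d for d in unfiled if d.due > now]
    return overdue, upcoming


if __name__ == "__main__":
    # Constructed detection time: late on a month's last day, which exercises the
    # calendar-month clamp for the one-month final reports.
    detected = datetime(2026, 3, 31, 22, 30, tzinfo=timezone.utc)
    schedule = build_schedule(detected, personal_data_affected=True)
    for d in schedule:
        print(f"{d.due:%Y-%m-%d %H:%M}Z  {d.regime:5} {d.report}")

    # Constructed assumption: attribution is confirmed ten days after detection.
    attribution = detected + timedelta(days=10)
    pending = filings_before_attribution(schedule, attribution)
    print(f"{len(pending)} filings are due before attribution; file them with attribution pending")

    overdue, upcoming = report_status(schedule, detected + timedelta(hours=30),
                                      {("DORA", "initial notification")})
    print("overdue:", [(d.regime, d.report) for d in overdue])
```

The `filings_before_attribution` output is the operational form of the article's point that reporting runs from detection, not from attribution: every filing in that list is submitted on schedule with attribution left open, then amended when the investigation concludes. Because the schedule is a plain sorted list, a playbook tool can add a national intelligence notification clock to `CLOCKS` once its deadline is known, without changing the rest.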
The Iran conflict has made clear that cyber warfare and kinetic warfare are now inseparable. For financial institutions, the legal implications are profound: you are simultaneously a potential target of military operations and a regulated entity with non-negotiable compliance obligations. The law does not pause for war.
See also: Data Centers Are Now Military Targets | US Banks on High Alert | Seedworm Inside U.S. Bank Networks
Summary (originally in French)
The 2026 Iran conflict has created a complex legal landscape for financial institutions facing state-sponsored cyberattacks. The analyses by Kennedys Law (March 17) and Just Security (March 12) show that international humanitarian law theoretically protects civilian infrastructure, but enforcing it in cyberspace is practically impossible. For DORA entities, the regulatory obligation applies regardless of the attacker's identity: incident classification (Art. 17), reporting (Art. 19) and risk management (Art. 5-6) contain no exemption for state actors. Cyber insurance coverage has a critical gap because war exclusion clauses apply to state cyber operations during an armed conflict. The force majeure argument is legally fragile because DORA requires the full spectrum of threats, including state actors, to be taken into account.