The EU’s Digital Operational Resilience Act (DORA) aims to promote, improve and ensure operational resilience within the financial services sector. It requires financial institutions to comply with a number of obligations designed to ensure that their business lines remain operationally resilient against various risks. Being “operationally resilient” means being able to resist, recover from and adapt to adverse effects that can disrupt or prevent the provision of services. DORA will also place specific obligations on certain ICT service providers that are deemed to be “critical” – these providers will fall within the scope of a new direct regulatory oversight regime.
- Impact on Financial Institutions
- Critical Third-Party Oversight Regime
- Indirect impact on ICT providers
- Next Steps
DORA was published in the Official Journal of the European Union on 27 December 2022 and enters into force on 16 January 2023. A landmark piece of legislation imposing robust new obligations on both financial institutions and critical third-party providers, DORA will require new systems and controls, risk management frameworks, policies and contractual provisions to be included in ICT-focused outsourcing arrangements. In recognition of the time it will take for firms to be DORA-compliant, the regulation includes a two-year implementation window with the new rules taking effect on 17 January 2025.
Impact on Financial Institutions
DORA will have a significant impact on financial institutions. Firstly, it will require financial institutions to have a fully comprehensive ICT risk management framework. This should enable financial institutions to address ICT risks quickly, efficiently and comprehensively. Broadly, this will require firms to have various ICT policies, procedures and tools that enable firms to identify risks, protect ICT systems and mitigate the risk of cybersecurity incidents, detect anomalous activities, recover from adverse events, and have back-up and other recovery methods in place. The framework will also require firms to assess the risks relating to third-party services, and to have policies which ensure that only appropriate third-party services are used. To ensure resilience against digital risk across the whole of the financial services sector, DORA applies to a very broad range of financial institutions; these include, for example, banks and investment firms, markets infrastructure entities like central counterparties and trading venues, fund managers, insurance undertakings, payments and e-money institutions, and other financial entities such as credit rating agencies.
Overall responsibility for this framework, and other governance obligations imposed by DORA, will rest on the firm’s management, which will be responsible for reviewing, approving, implementing and updating the risk management framework. This will require the management team to have full awareness and understanding of the financial institution’s ICT usage, services and risk profile. Firms may wish to revisit the manner in which reporting lines from their ICT teams into senior management function in practice.
Secondly, DORA will require financial institutions to regularly test their operational resilience. Testing should take a risk-based, rather than standardised, approach – firms will be expected to test against the risks that are most relevant to their investment services and business lines. This is to help ensure that firms’ cyber risk controls are tailored to their individual businesses, and that they do not simply use a “one size fits all” solution (which regulators have previously criticised). However, if an event such as a cyber-attack does occur, firms will be required to record the incident and report it to the relevant regulator (in a similar manner to how data controllers are required to notify data breaches to the relevant data protection authority under the GDPR). Time limits for incident reporting will be set out in forthcoming regulatory technical standards (RTS).
Thirdly, DORA requires financial institutions to include certain provisions within their contracts with third-party ICT providers. There is some overlap here with the rules imposed by the EBA’s Outsourcing Guidelines, but the rules are not entirely consistent and DORA introduces some new requirements. Because of this divergence, firms should not assume that having an outsourcing agreement that is compliant with the EBA rules will automatically ensure compliance with DORA. Firms should map their current contracts and contract templates against the requirements imposed by DORA and take steps to ensure that any gaps identified are addressed before the end of the implementation window.
Critical Third-Party Oversight Regime
It is not just financial institutions that will be directly impacted by DORA. Certain third-party ICT providers will be deemed critical third-party service providers under DORA and will be subject to direct regulatory oversight from a lead overseer (one of the European Supervisory Authorities (ESAs) – ESMA, EIOPA or the EBA). Assessing who is a critical third-party will be a job for the ESAs, although ICT providers will be able to make submissions during the process.
DORA requires the assessment to be based on a number of broad factors, including:
- The systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider faces a large scale operational failure to provide its services
- The systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider, with a particular focus on: (i) the number of financial institutions serviced by the ICT provider that are classified as global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs); and (ii) the interdependence of these financial institutions. The issue that DORA is trying to address here is that any failure or interruption on the part of an ICT provider will be far more likely to have a systemic effect on the European financial sector if the ICT firm is servicing major banks, and if there is a risk of contagion between those banks as a result of ‘interdependence’.
- The reliance of financial entities on the services provided by the relevant ICT third-party service provider in relation to critical or important functions (noting that banks and ICT firms alike will be familiar with this test as a result of the EBA Guidelines)
- The degree of substitutability between the relevant ICT provider and other providers. This includes where the provider can be substituted with a catalogue of other providers, as well as the ease of any data migration.
Specific assessment criteria will be set out in forthcoming delegated acts, which the Commission is empowered to adopt by 17 July 2024. In January 2023, the European Commission issued a call for advice from the ESAs to support the development of these delegated acts. In the call for advice, the Commission requested technical input on the precise, detailed and complete sets of indicators of a qualitative and quantitative nature, for each of the relevant DORA criteria, including any minimum thresholds that may apply. Furthermore, the Commission also requested input regarding the oversight fee to be charged to critical third-party service providers, included estimated costs incurred by the lead overseers in carrying out their role and guidance on how turnover should be calculated so that a proportionate oversight fee can be identified. The deadline for the ESAs’ technical advice is 30 September 2023.
The specific oversight requirements will also be set out in forthcoming RTS. We expect that the requirements will include, among others:
- Establishing an EU subsidiary within 12 months following the outcome of the assessment designating the ICT provider as critical. However, note that: (i) ICT providers may choose to establish a new subsidiary or may repurpose an existing subsidiary; (ii) the requirement to set up a subsidiary in the EU is not intended to prevent the ICT provider from supplying ICT services from facilities and infrastructure located outside the EU; and (iii) DORA does not appear to set out any requirements around capitalisation or substance of the EU subsidiary (i.e., there appears to be no requirement that the subsidiary in question actually undertakes ICT business or holds a certain level of assets)
- Operational resilience requirements, such as testing
- Carrying out thorough due diligence on any appointed subcontractors
- Record-keeping and reporting obligations
- Ensuring that appropriate ICT security requirements and measures are in place
- Responding to information requests raised by the overseer in full compliance with the parameters of the request
- Cooperating with any investigations by the lead overseer
- Paying the oversight fee
DORA requires the ESAs to submit draft RTS to the Commission on the conduct of oversight activities by 17 July 2024.
Indirect impact on ICT providers
Even if a ICT provider is not designated a critical third-party provider, ICT providers contracting with financial institutions will still need to review their existing contracts and financial services addendum templates against the mandatory requirements under DORA and consider what updates are likely to be required.
It is also possible that there could be a ‘second wave’ of ICT providers that are later brought within scope of supervisory oversight once the regime beds down.
If you are a financial institution and would like assistance with ensuring your firm is compliant with DORA before the implementation window expires, our experts stand ready to help. Likewise, if you are an ICT provider and you want to understand what DORA means for you, or you are concerned that you could be deemed a ‘critical’ provider and be directly subject to financial services regulation, we can help you carry out a DORA impact assessment. Please contact our DORA leads above for further assistance.