DORA explained: The new EU standard for financial services' digital resilience
The financial sector has, in recent years, become increasingly reliant on information and communications technology ('ICT') systems and on information in digital form to deliver financial services, to the point that ICT is now critical to the operation of daily functions. The digitisation of, and reliance on ICT by, financial entities will only continue to accelerate as they seek to harness data and capitalise on the benefits that new technologies, such as generative AI, offer.
As the sector's dependency on ICT has increased, so too has its exposure to cyber risk, which can affect not only the financial entity in question but also, because of the interconnectedness of the industry, other financial entities, other sectors and even the wider economy.
In response, after a long period of consultation, the European Union's Digital Operational Resilience Act ('DORA') entered into force on 16 January 2023. DORA applies across the EU on a uniform basis and has the primary objective of providing a comprehensive and unified framework to enhance the digital operational resilience of the EU financial sector and to minimise disruption to financial entities in the EU.
Scope
The scope of financial entities captured by DORA extends well beyond EU banks, insurers and payment and electronic money institutions to capture many other types of financial entities operating in the EU, including crypto-asset service providers and crowdfunding service providers (together 'financial entities').
Whilst DORA will not apply directly to financial services firms in the UK, multi-national/UK financial services groups with EU operations will need to ensure that those financial entities are DORA compliant.
DORA also applies directly to certain ICT third party service providers which are designated as 'critical' by the European Supervisory Authorities ('ESAs'), including providers based outside of the EU that provide services to financial entities.
January 2025 deadline
Financial entities operating in the EU are required to fully comply with the extensive conditions required of them under DORA by 17 January 2025. Despite the significant challenge that financial entities, as well as ICT third party service providers to those financial entities ('ICT TPPs'), face in achieving compliance by this date, the ESAs have confirmed that the deadline will not move and that no additional 'transitional period' will apply beyond it.
On this basis, financial entities will need to expedite efforts this year to fully understand and implement DORA's requirements, some of which will only be finalised in mid July 2024. These are the secondary legislation in the form of certain 'Regulatory Technical Standards', which set out the technical detail and methodology for meeting the level 1 DORA general principles and requirements.
In this article, we summarise what DORA means for financial entities and ICT TPPs and what they should do now to meet the looming deadline.
Financial entities: Key requirements
Financial entities are required to comply with prescriptive DORA requirements in relation to ICT risk and resilience albeit, for some of those requirements, on a proportionate basis considering the size, nature and risk profile of the financial entity and its activities.
DORA's requirements are comprehensive and fall into five key pillars:
- ICT risk management.
- Incident management, classification and reporting.
- Digital operational resilience testing.
- Third-party risk management.
- Information sharing.
Each pillar has extensive requirements to be implemented by 17 January 2025.
We have focused below on one requirement that is directly relevant to the legal function: the ICT contract requirements, which fall within the third-party risk management pillar.
ICT contract remediation
A key aspect of the third-party risk management pillar is the requirement for financial entities to address the risks arising from contractual arrangements on the use of 'ICT services' concluded with ICT TPPs. This requirement in particular will be time consuming for financial entities, because it depends on ICT TPPs agreeing the revised terms, and those ICT TPPs are themselves likely to be inundated with requests from financial services clients to amend existing contracts.
DORA prescribes 'two tiers' of contractual provisions to be included in a financial entity's contracts with ICT TPPs for the provision of 'ICT services', with more extensive contractual provisions required for contracts supporting a financial entity's critical or important functions ('CIFs').
Although many of DORA's contractual requirements should already be contained in a comprehensive ICT contract and are broadly in line with existing financial services regulation, such as the EBA guidelines on outsourcing and the ESMA guidelines on outsourcing to cloud service providers, DORA does contain 'new' requirements to be included in ICT contracts. For example, an ICT TPP is required to provide assistance, at no additional cost or at a cost determined ex-ante, where an ICT incident related to the ICT service occurs. The scope of contracts captured by DORA, and therefore to be remediated by 17 January 2025, is also far broader (for example, it is not limited to 'outsourcing' arrangements).
On this basis, financial entities which have already remediated contracts to comply with other regulations will still need to reassess their contractual arrangements against DORA.
DORA is also clear that intra-group arrangements (for example, between a financial entity in the EU and a group services company in the UK) are to be treated, for the purpose of contractual remediation, in the same way as a contract a financial entity may have directly with an ICT TPP outside of the financial entity's group.
Critical ICT TPPs: Key requirements
DORA applies directly to an ICT TPP where that ICT TPP is designated by the ESAs as critical to financial entities in the EU (a 'CTPP').
The basis upon which the ESAs will designate an ICT TPP as a CTPP has been finalised (in a delegated regulation dated 22 February 2024) but, as yet, no CTPPs have been designated.
Under the oversight framework applicable to CTPPs, CTPPs will have requirements placed directly on them and will also be required to pay oversight fees (prescribed in a separate delegated regulation also dated 22 February 2024).
One such requirement on CTPPs is to establish a subsidiary in the EU within 12 months of designation (where it does not already have one); otherwise financial entities will not be able to continue to make use of that CTPP's ICT services.
CTPPs may be subject to investigations and inspections by the ESAs, with non-compliance with DORA exposing CTPPs to substantial financial penalties (periodic penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year, imposed until compliance is achieved and subject to a maximum period of six months) as well as public notices.
What should financial entities and ICT TPPs be doing now?
Financial entities:
- Understand the extent to which the financial entity falls within scope of DORA and ensure DORA鈥檚 requirements, as set out in the level 1 text and delegated legislation, are understood.
- Establish and/or amend all policies, processes, procedures and frameworks to meet DORA鈥檚 requirements by 17 January 2025.
- From a contractual remediation perspective: identify and map ICT TPPs and contractual arrangements (including intra-group) to each financial entity (categorising those which support CIFs), collate existing contracts with ICT TPPs, engage with ICT TPPs and amend ICT TPP contracts in line with DORA requirements by 17 January 2025.
ICT TPPs:
- Pro-actively prepare for financial entities amending existing contractual terms, which may include ICT TPPs issuing their own standard amendment documentation to financial entities.
- Consider whether CTPP designation is likely and, if so, understand the actions needed to comply with DORA.
Our team
Rowan Armstrong
Partner
Alex Mason
Partner
Duncan McMeekin
Legal Director