Provisional agreement reached on DORA: one step closer to a new regime for ICT resilience in EU financial services

On 10 May 2022, an agreement was reached by the European Parliament and the Council on the proposed regulation on digital operational resilience for the financial sector ("DORA"). 

Once formally adopted, the regulation will apply to almost all EU financial services firms, imposing significant new requirements around ICT risk management. It will also establish a new regime for the direct oversight of certain "critical" ICT third-party service providers for the first time. 

The agreement is subject to approval by the Council and Parliament before proceeding with the formal adoption process, and is expected to apply 24 months after its publication in the EU Official Journal. 

What should financial services firms and their technology service providers be looking out for and doing to prepare?

For EU financial services firms, DORA will significantly expand existing requirements around ICT risk management, including annual ICT risk assessments, incident identification and reporting, response and recovery, testing (including penetration testing by external providers), governance, and third-party risk management. Firms should start considering the risk profile of their existing ICT systems; the 24 month implementation period will likely go quickly for firms that need to transition away from legacy ICT systems, for example. Firms that are also in-scope of the UK operational resilience regime will also need to consider how the two regimes overlap. See our earlier briefings, here and here.

Technology providers that are not currently regulated by EU financial services regulators, but provide services to EU firms, should be aware on two fronts:

• As EU financial services customers begin to prepare for DORA, they might require additional commitments from vendors on things like ICT incident management and reporting, and the involvement of external testers in testing programmes. The pending implementation of DORA will put these aspects under greater focus, particularly in long-term outsourcing contracts.
• Larger vendors or those providing technology that is relied upon for services with 'systemic' characteristic should start to consider whether they might be designated as "critical" under DORA. If so, technology providers could be subject to direct regulatory oversight for the first time, with substantial fines for non-compliance and powers for regulators to issue direct recommendations, including on technical areas such as patching. See our earlier briefing, here.

Digital Finance and Cybersecurity: Wider regulatory picture in the EU

It isn't just DORA that is progressing through the EU legislative process. On 13 May 2022, the Council and European Parliament also reached provisional agreement on a revised Directive on Security of Network and Information Systems ("NIS 2 Directive"). Negotiations also continue on the regulation governing crypto-assets (MiCA), which forms part of the EU's wider digital finance package alongside DORA. Watch out for our upcoming alerts in these areas. 

What about the UK?

The UK regulators have recently implemented the new "operational resilience" regime for certain in-scope firms. Digital and ICT resiliency is an important part of that, but operational resilience also looks at the broader end-to-end view of the resilience of firms' important business services. At the same time, the PRA has also extended requirements for outsourcing and third-party risk management for dual-regulated firms, and the Bank of England is consulting on doing the same for financial market infrastructure providers (FMIs). 

For third party service providers, the FCA, PRA and Bank of England intend to publish a Discussion Paper on Critical Third Parties in 2022. Commentary in recent papers suggests that this might look in particular at regulatory approaches to third parties "that may be a source of systemic risk to the financial stability of the UK". While the policy context of protecting the financial system from systemic ICT risk mirrors that of DORA, it remains to be seen whether the UK regulators will follow the same path as the EU under DORA. 

Moving quickly

This is a fast moving area, that we are following closely. If you would like to discuss how the requirements might affect your business, do get in touch.