17 January 2025
Today marks a significant milestone for digital operational resilience in the financial sector in the EU.
After more than four years since its initial announcement as part of the EU Commission’s Digital Finance Package in September 2020, the EU Digital Operational Resilience Act (DORA) becomes today officially applicable across the EU Single Market.
What is DORA, who does it apply to and what are some key considerations that impacted entities shall have in mind from now on? Find out in our summary below.
DORA is an EU Regulation that aims to further harmonise the existing rules and to consolidate the EU regulatory framework on digital operational resilience in the financial sector.
The rules on digital operational resilience applicable to financial institutions are currently fragmented across various sector-specific pieces of EU financial regulation (e.g., MiFID II, CRD, PSD2) as well as the Guidelines of the European Supervisory Authorities (ESAs), which are in many ways the cornerstone of the EU regulatory framework on outsourcing arrangements, on which the financial services industry has become increasingly dependent in recent years.
However, the lack of proper harmonisation of sector-specific regulations, the limited scope of application of the ESAs’ Guidelines on outsourcing and their rather non-binding character (i.e. application on a comply-or-explain basis) leave room for regulatory ambiguity in an area which, in the digital age, has become the backbone of the proper functioning of the financial services industry.
DORA aims to bridge these gaps and create a harmonised EU regulatory framework that will provide a higher level of regulatory certainty for financial entities.
As of today, DORA puts new obligations on the following financial entities:
Yes. In addition to financial entities, DORA is a very important piece of EU legislation that will have an impact on providers of ICT services to financial entities.
DORA will impact ICT service providers in different ways depending on whether or not they qualify as critical third-party service providers (CTPPs) under the new framework (more on the new regime for critical third-party service providers is set out below).
Critical third-party ICT service providers will be directly impacted by the new framework: they will be required to comply with a number of requirements and will become subject to direct supervision by financial supervisory authorities. DORA is the very first piece of EU financial regulation that creates a supervisory framework for third-party providers of ICT services to financial entities that are deemed critical.
For this purpose, the ESAs will have the mandate to assess which third-party providers, due to their presence in the EU and the number of financial entities relying on their services, are to be designated as critical (the so-called critical third-party providers, “CTPPs”).
Once designated as such by the ESAs, CTPPs will be subject to direct regulatory oversight by one of the ESAs, which will be empowered (among other things) to conduct on-site inspections and audits and to impose fines that are in many ways reminiscent of the GDPR enforcement regime (stipulating fines of up to 1% of global turnover).
Other ICT service providers will experience a rather indirect impact of the new rules.
To that end, ICT service providers will be required to ensure compliance with certain rules as a result of their contractual obligations towards financial entities, which are increasingly looking to redraft their existing contractual arrangements to ensure compliance with DORA.
In-scope financial entities will need to ensure compliance with new requirements on digital operational resilience which require them (among other things) to:
Conscious of the increasing dependency of the entire financial services industry on the IT expertise and infrastructure of specialized third-party providers (like big IT companies), the EU lawmakers have created a new set of requirements under DORA that will impose new obligations on financial entities when it comes to management of third-party related risks.
Financial entities must conduct thorough risk assessments and due diligence before engaging third-party ICT service providers. This involves evaluating the provider’s ability to deliver the required services in compliance with applicable law and relevant security standards, to ensure continuous performance of the service, and to process and store data in accordance with applicable requirements (including with respect to locations, access management procedures, etc.).
Financial entities will also be required to assess and manage concentration risks associated with relying on a limited number of critical third-party providers. Concentration risk may arise when the financial entity relies on a third-party service provider that is not easily replaceable, or when it relies on one third-party provider for multiple areas of its operations (this can also be the case where a large number of group entities rely on one third-party provider).
By following the key principles anchored in the EBA guidelines on outsourcing arrangements, DORA creates the legislative basis for mandatory contractual terms that the financial entities need to have in place in their contractual agreements with third-party providers.
As with the EBA Guidelines, DORA differentiates between arrangements supporting critical or important functions and all other arrangements by specifying top-up requirements for the former. For this purpose, financial entities are required to implement contractual provisions that provide the basis for effective business continuity management, incident reporting and required ICT testing, grant the necessary access and inspection rights, and specify effective exit management strategies that the entities can rely on.
The contractual requirements under DORA go in many ways beyond the scope of the existing EBA requirements. Financial entities are therefore expected to evaluate whether their existing contractual agreements need to be re-drafted, with particular emphasis on ensuring compliance with their overall requirements under DORA, conscious of their dependency on third-party providers’ cooperation and assistance in many areas.
Throughout the contractual relationship with the third-party provider, financial entities will be required to continuously monitor their performance, actively exchange information and closely cooperate in relevant areas with them (e.g. incident management and testing).
In addition to third-party providers, which are the first entities in the service providers’ chain, financial entities must ensure that any subcontractors engaged by third-party providers also adhere to the same requirements laid down in the agreement concluded between them and the third-party provider. Further, when it comes to arrangements supporting critical or important functions, financial entities are expected to put a contractual obligation on third-party providers to conduct proper due diligence prior to onboarding their subcontractors as well as to put processes in place that provide for monitoring of their performance.
Yes.
First, the financial entities in scope of DORA are those that are authorised and operating in the EU. Non-EU financial entities are therefore not directly impacted by DORA. However, where a group of financial entities implements DORA requirements on a group-wide basis, non-EU group entities may be indirectly impacted by being required to comply internally with DORA-conform policies and procedures on the management of ICT risks.
Second, when it comes to ICT service providers, they will experience indirect impact whenever providing ICT services to EU financial entities. In this situation, their customers will put contractual obligations on them that will require them to operate in compliance with some key minimum contractual requirements as specified under DORA.
Lastly, critical ICT service providers, that will be subject to the new supervisory framework under DORA (see Chapter 4 above) will be more heavily impacted since in addition to minimum contractual requirements they will need to comply with the requirements of the new supervisory framework.
In order to ensure compliance with DORA framework, financial entities will need to dedicate sufficient time and resources and aim to start with the preparation early on. For this purpose, they will need to:
ICT service providers should likewise not underestimate the impact of the new framework on them, regardless of whether or not they expect to be designated as CTPPs.
Re-drafting existing contractual agreements and preparing the internal processes that may come into focus for their customers (due to the new requirements that financial entities are subject to) are the very first steps ICT service providers should consider taking if they want to leverage “the first mover advantage” rather than waiting on the sidelines for the wave of customer queries that will inevitably pile in by the year’s end.