The EU’s Digital Operational Resilience Act 2022/2554 (DORA)

Financial services regulators have long grappled with the complexity of regulating to maintain stability in financial markets, given:

• the dependence of modern financial systems on third party systems, technology and platforms, which has only intensified with the adoption of cloud solutions; and
• the systemic risk posed to the smooth functioning of financial markets if a technology provider suffers a cyber incident. 

Long IT sub-contracting chains can make it hard for financial institutions to understand the vulnerabilities in their IT estate and the location of key functions (where these may be located in entities who do not have a direct contractual relationship with the financial institution). 

The EU’s Digital Operational Resilience Act 2022/2554 (DORA) was crafted with this in mind – to require financial institutions to identify those ICT services which support critical or important functions and to ensure the contractual arrangements with the providers of those functions are bolstered to include certain core protections. 

DORA came into force in January 2023, and EU financial institutions and IT suppliers providing critical services to financial institutions operating in the EU now have until January 2025 to comply with its requirements (following which, EU regulators will be empowered to request that financial institutions take steps to remedy security vulnerabilities and can impose fines).  It also potentially affects non-EU based companies, to the extent that these companies have functions delegated to them by EU financial institutions, and these functions fall within the concept of ‘ICT services’. 

We are working closely with our financial services clients to ensure their readiness for DORA compliance and to ensure their contracts appropriately address the new DORA requirements as failure to comply with the DORA requirements can have serious consequences, including:

• fines;
• sanctions for board members; and
• reputational damage and potentially criminal penalties for non-compliance. 

Key dates

• January 2023 - DORA becomes effective.
• September 2023 - Public consultation on four regulatory technical standards (RTS) and one implementing technical standard (ITS) closed. 
• January 2024 - First bath of technical standards finalised.
• June 2024 - Delegated regulations 2024/1772, 2024/1773 and 2024/1774 published implementing a series of RTS.
• July 2024 - Final bath of technical standards published. These now need to be adopted by the Commission.
• 17 January 2025 - DORA applies

Who will be impacted?

DORA imposes obligations upon:

• a wide range of ‘financial entities’: including banks, investment firms, pensions companies and asset managers, electronic money institutions, insurance companies and crypto asset firms, amongst others; and
• certain ICT third party service providers: being organisations that provide services to the financial entities that meet certain benchmarking criteria set out in DORA. 

Some in-scope ICT providers will be designated critical, and then will be subject to supervision by the European Securities and Markets Authority, the European Insurance and Occupational Pensions Authority or the European Banking Authority (which has the role of lead overseer).  As yet, no service providers have been so designated, as this requires a two-step assessment to be conducted.  However, recent commentary from the European Banking Authority suggests that providers of network infrastructure services and data centre services are very likely to meet the criticality threshold. 

Although DORA is an EU regulation, it can also apply to non-EU third party service providers that provide services to financial entities that are within the EU.

What are ICT services?

ICT services are defined to include ‘digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.’ 

Criticality for an ICT service provider will be determined by:

• the systemic impact on the stability, continuity or quality of the provision of financial services if the provider suffered a large scale operational failure (based on the number of financial entities and the total value of assets of financial entities to which the relevant ICT third party service provider provides services);
• the systemic character or importance of its financial services customers (taking into account the number of global systemically important institutions or other systemically important institutions that rely on the provider and the interdependence between the institutions which rely on the provider);
• the nature of the financial entities’ services which rely on the provider and whether these are critical or important functions; and
• how easy it would be to substitute the services of the provider for a third party (i.e. whether there are any real alternatives in a specific market, the market share of the service provider, the technical complexity or sophistication involved and any likely difficulties which would be encountered partially or fully migrating the relevant data and workloads to another provider, including financial costs/time of migration or increased ICT risk or other operational risks of a migration).

Structure

DORA is underpinned by a series of regulatory technical standards and implementing technical standards.  Of those standards now in final form, the standards in the Delegated Regulations 2024/1773 are important for setting the key obligations on financial entities to observe from an internal standpoint and embed in contractual requirements, requiring each in-scope entity to:

• have a policy in place to assess exposure to third party IT supplier risk including tools in that policy for assessing risks associated with providers who support a ‘critical or important’ function;
• set standards for pre-contractual due diligence;
• ensure the relevant components from Article 30 of DORA are included in all contracts with third party ICT providers (to the extent it is possible to obtain audit rights over third party providers for example);
• set up a monitoring function to oversee contractual arrangements and performance of the service provider (including ensuring compliance with confidentiality, availability, integrity and authenticity of data requirements and compliance with the entity’s own policies and procedures) and steps to be taken if a provider is not meeting relevant service levels; and
• plan for exit / termination (and ensure exit plans are devised, accepted and tested over the life of the contract).

Impact

Key deliverables that financial entities need to have in place, internally from a compliance perspective and documented in contractual arrangements include: