Prepare now for DORA, financial entities and IT providers advised

While detailed regulatory technical standards are currently being drawn up to support the implementation of DORA, there are actions financial institutions and IT service providers can take now based on the high-level legislative provisions to ensure their compliance before 17 January 2025, when DORA takes effect.

What is DORA?

The DORA package, initially proposed by the European Commission in September 2020, consists of both a regulation and a directive. The legislation was finalised and approved by EU law makers in the European Parliament and Council of Ministers last November, and came into force in January this year. The DORA regulation is directly effective in every EU member state.

DORA is aimed at strengthening operational resilience in EU financial services. It applies to banks, insurance companies, investment fund managers, e-money institutions, cryptoasset service providers, crowdfunding platforms and investment firms. Some of the provisions of DORA also apply directly to certain ‘critical’ third party ICT service providers, for example with respect to oversight on their resilience. Beyond that, all ICT service providers that contract with financial entities can also expect the obligations on financial entities to flow down into their contractual agreements with those entities.

Recently, the Dutch National Coordinator for Security and Counterterrorism (Nationaal Coördinator Terrorismebestrijding en Veiligheid) identified an imbalance between the increasing IT-related risk and the development of resilience. The European Commission said the DORA package is designed to ensure the financial sector in Europe stays “resilient through a severe operational disruption”.

Impact of DORA on businesses in the financial sector and in the ICT sector

Financial entities must implement a suite of operational measures under DORA. The EU’s supervisory authorities for financial services are responsible for drafting regulatory technical standards, for adoption by the European Commission, to supplement the DORA legislation. Those standards will set out the detailed measures entities should take to ensure their compliance with the new regime – a consultation on four sets of standards closes on 11 September, with further consultations expected later this year. However, the core requirements are set out in the DORA legislation itself and include provisions on:

• ICT risk management: financial entities will, among other things, be obliged to design a framework for ICT risk management, organising the monitoring, setting up of back-ups, periodic testing of an ICT continuity plan, and awareness-raising programmes for employees;
• ICT-related incidents: financial entities will need to design and implement a process for detecting and handling incidents, and keep a logbook of those incidents;
• testing of digital resilience: financial entities will need to design a risk based programme for testing digital operational resilience;
• ICT management in relation to third party service providers: financial entities will need to design a strategy for risk management in the case of outsourcing. Third party risk must explicitly be embedded in the ICT risk management framework.

DORA also impacts ICT third-party service providers that provide their services to financial entities. Financial entities must ensure that the digital operational resilience obligations they are subject to under DORA are reflected in their contractual arrangements with ICT service providers. ICT service providers should therefore prepare for requests from entities for renegotiation of existing contracts. This may, however, provide an opportunity for ICT third-party service providers to find new ways to cost-effectively comply with the DORA requirements and help financial entity customers of theirs do so too.

Contract due diligence

DORA demands sound management of ICT third party risks and will require in-scope contracts to meet a suite of requirements. Among those requirements, financial entities will need to:

• create, maintain and update a register of information in relation to all contracts on the use of ICT services provided by ICT third-party service providers;
• ensure that the contracts contain all “key contractual provisions”. These include a full description of the services and service levels, as well as provisions on data protection, data recovery, incident assistance – at pre-agreed cost, termination rights for specific circumstances, access rights, inspection rights, and audit rights over the ICT third-party service provider;
• ensure compliance with additional requirements for outsourced critical or important functions, including having available monitoring rights and having in place an exit strategy – including provisions ensuring that their ICT service provider assists them in moving to other third-party or in-house solutions.

To comply with DORA, financial entities should perform due diligence on existing contracts with third party ICT service providers, ensuring that all relevant key contractual provisions are catered for and that its contract register is up-to-date.

In this regard, financial entities should account for the fact that they are dependent on the cooperation of ICT service providers. Where the scope of services is expanded or additional risks are allocated to the ICT service providers, financial entities should expect to ICT service providers to make their own contractual demands in return – such as for adequate compensation.

Time to act

Although the rules of DORA will only take effect in January 2025, financial entities and ICT service providers are strongly advised to make an early start with compliance with both the operational and contractual matters.