Out-Law Analysis
11 Aug 2022, 1:31 pm
Banks, insurers, investment firms and other financial services companies across Europe are set to face stiffened obligations designed to ensure the services they provide are not disrupted by cyber attacks, outages or other risks to the integrity and continuity of those services.
The requirements are set out in the draft Digital Operational Resilience Act (DORA), which is expected to become EU law later this year. As well as impacting financial entities directly, DORA will also impact third party providers of ICT services and the contracts financial entities agree with those providers.
DORA was first proposed by the European Commission in September 2020. The European Parliament and Council of Ministers reached provisional agreement on the DORA text in May and the ‘finalised’ text agreed on was subsequently published in June.
DORA will enter into force 20 days after its publication in the Official Journal of the EU. For that to happen, both the Parliament and Council must formally adopt the legislation. Pinsent Masons has been able to confirm that a vote of the Parliament is anticipated in September. A spokesperson for the Council did not provide an indicative timeframe for their vote but did say final adoption will most likely be after the summer.
Luke Scanlon, Head of Fintech Propositions: “Pinsent Masons has had confirmation … that there is no intention to repeal existing laws and therefore, at this stage, the position is that DORA will exist alongside current requirements.”
If a vote of the Council takes place around the same time and if both institutions adopt the text, it is possible DORA would subsequently enter into force in October 2022. DORA would begin to apply 24 months after entering into force. So, in the scenario where it enters into force in October 2022, it would begin to apply from the corresponding date in October 2024.
The majority of DORA is directed at regulated financial entities. The entities that are in-scope are referred to under the umbrella term of ‘financial entities’ in the legislation, and the long list includes regulated businesses in banking, insurance, investment, e-money and payments, including account information service providers, as well as in the cryptoassets and crowdfunding sectors.
Providers of critical information to the financial services sector such as credit rating, critical benchmarking and data reporting services are also in scope, as are financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.
ICT third-party service providers are also in scope of DORA. They come within scope of the regulation in two ways: as service providers to financial entities, or where they are designated as ‘critical’ ICT third-party providers – in which case they are subject to a distinct oversight framework.
The regulation also sets out a list of entities that are not within scope. The list includes institutions for occupational retirement provision that operate pension schemes which together do not have more than 15 members in total. It also includes insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises, small or medium-sized enterprises.
DORA sets out contractual requirements for contracts between financial entities and ICT third-party service providers.
ICT services are defined as “digital and data services provided through the ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
There are some important differences between this definition and the one that is commonly used to define outsourcing. For example, it does not refer to “recurrent services”, only those that are “ongoing”, and there is no need to consider whether the service is something that the financial entity would not normally undertake itself. If a contract is for a “digital or data service” and it is “ongoing” it will fall within scope of DORA.
The requirements for contracts for ICT services which support critical or important functions are more prescriptive than those applicable to other contracts.
A critical or important function is defined consistently with existing law as a “function whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services legislation”. No further criteria are provided.
The regulation follows the existing regulatory principle that intragroup provision of ICT services “should not be considered less risky than the provision of ICT services by providers outside of the financial group, and should be thus subject to the same regulatory framework”.
It further provides that “undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should equally be considered as ICT third party-service providers under this Regulation”.
Financial entities are required to assess ICT risk “on the basis of any potential impact on the continuity and quality of financial services at individual and at group level, as appropriate”.
Intra-group services providers will not be designated as ‘critical’ ICT service providers or subject to the oversight framework applicable to those providers.
DORA sets out contractual requirements for all contracts for ICT services with more prescriptive requirements applying to contracts which support critical or important functions. Contracts must be in writing and available as "one written document" ... "on paper, or in a document with another downloadable, durable and accessible format".
The contractual requirements in DORA are closely aligned in structure and substance to those of the European Banking Authority (EBA) guidelines on outsourcing, with few additions. Additions for all contracts include requirements for providers to assist when an ICT-related incident related to the service occurs “at no additional cost or at a cost that is determined ex-ante", and to further participate “in the financial entities' ICT security awareness programs and digital operational resilience trainings".
For ICT contracts for critical or important functions, financial entities must consider whether the provider has "the most up-to-date and highest information security standards". The provider is required to “participate and fully cooperate in a threat led penetration test of the financial entity”. The contract is also to include a "mandatory adequate transition period."
DORA is not as prescriptive as the EBA guidelines on outsourcing and other existing frameworks in relation to subcontracting requirements. At the pre-contractual stage, according to the recitals, financial entities are to engage in "in-depth analyses of subcontracting arrangements, notably when concluded with ICT third-party service providers established in a third country" and to "weigh benefits and risks that may arise in connection" with subcontracting. For critical or important functions, financial entities are to assess "whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity".
The only contractual requirements relating to subcontracting set out in DORA are for the contract to specify whether subcontracting is permitted, the conditions of subcontracting and the locations of subcontracted functions, ICT services and data processing activities.
The EBA, together with the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – the other European supervisory authorities – have the power to develop regulatory technical standards relating to subcontracting.
DORA does not repeal sourcing requirements set out in existing EU law and guidance, such as that made under the CRD, MiFID II and Solvency II frameworks. Pinsent Masons has had confirmation from the European Commission that there is no intention to repeal existing laws and therefore, at this stage, the position is that DORA will exist alongside current requirements.
DORA directly addresses overlap with the Network and Information Security Directive and its soon-to-be-issued successor, NIS2.
DORA sets out a framework for the direct supervision of large ICT service providers which are to be designated by the EU supervisory authorities as ‘critical ICT third-party providers’ (CITPPs). Once designated, those providers will need to form a subsidiary in the EU if they do not already have a presence.
While there is a requirement to have a subsidiary in the EU, there is no direct requirement for financial entities to only contract with the EU entity of the designated CITPP. If the CITPP does not form an entity in the EU within a specified period after designation, financial entities will be prohibited from using its services.
A group of ICT companies may be designated as a CITPP with one of its EU entities appointed as the point of contact.
One of the EU supervisory authorities – the EBA, EIOPA or ESMA – will be appointed as the lead overseer for the CITPP. The authority will issue an oversight plan to the CITPP and carry out investigations and inspections. It will also have extensive powers to request information and documentation.
The lead overseer also has the power to issue recommendations to the CITPP. This includes powers to ask the CITPP to take specific IT security measures and to change terms and conditions or subcontracting arrangements. The CITPP is not compelled to comply with the recommendations, but if it does not, regulators may direct financial entities to suspend or cancel contracts with the CITPP.
DORA sets out a new detailed regime for ICT incident response management. It includes requirements to report major ICT incidents to regulators on a mandatory basis, as well as significant cyber threats on a voluntary one. There are also requirements to inform customers of incidents.
Financial entities will need to look closely at the extent to which their supplier contracts enable them to meet all of the incident response requirements in terms of identifying and recording all incidents, reporting within specific timeframes to regulators and undertaking remediation action.
In a similar vein to the EU’s plans for DORA, UK policymakers are also seeking to stiffen operational resilience in financial services by bringing ‘critical third parties’ (CTPs) to financial institutions within the scope of direct regulation by financial regulators in the country.
Major technology providers will want to track progress of the Financial Services and Markets Bill through the UK parliament to understand how the new UK regime might apply to them. It is likely that some of the providers will be subject to both DORA and the UK’s CTPs regime. Businesses in that position will want to understand what the requirements are likely to be under both frameworks, identify processes that might support compliance across the different jurisdictions, and consider lobbying UK law makers where they see scope for amendments that would make compliance with the two regimes easier.