Out-Law News
17 Jan 2025, 7:22 am
Businesses in the European financial sector will have to meet stricter requirements in the areas of cyber security, information and communication technology (ICT) and digital operational resilience following the entry into force of a new regulatory regime.
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA) applies to most regulated entities in the European financial sector, such as credit institutions and insurers, but also certain third-party ICT service providers.
Critical ICT third-party service providers, designated as such by the European supervisory authorities (ESAs), come directly within the scope of DORA. They provide services supporting critical or important functions of the financial sector and must fulfil obligations of their own under the regulation, in addition to those stipulated in their contracts with regulated clients.
DORA also impacts many ICT service providers that are not within this ‘critical’ cohort through the obligations of financial companies to manage third-party risk.
The framework laid down by DORA is intended to strengthen the digital operational resilience of the European financial sector as a whole. Amongst other things, it obliges in-scope entities to implement an enhanced resilience framework that touches various levels of their organisation, including ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party suppliers.
DORA is bolstered by regulatory technical standards (RTSs), implementing technical standards (ITSs) and guidelines formulated by the ESAs: the EBA, EIOPA and ESMA. Some of these have already been adopted, such as the ITS establishing standard templates for the mandated register of information, whereas others are yet to be approved.
The register of information that DORA requires is also noteworthy. Financial entities must record all contractual arrangements with third-party ICT service providers in the register and make its contents available to their competent authority on request.
"Given that DORA is now upon us, it presents affected businesses with potentially major challenges," said Florian Elsinghorst, an expert for regulated industries at Pinsent Masons. "In particular, in-scope entities need to put a lot of effort into managing ICT third party risk: the vast majority of IT services are covered by DORA. Financial organisations must adapt their existing contracts with third-party ICT service providers to be DORA-compliant, which may entail a substantial amount of contract management and negotiation work."
Andreas Carney, a technology and financial services sourcing expert at Pinsent Masons, said: "Now is a good time to take stock of what has been achieved in terms of implementation and assess what more needs to be done to achieve compliance. The application of DORA from today will no doubt draw it into sharper focus for regulators - they will be interested in the level of compliance that has been achieved."
Carney highlighted that third-party risk management is naturally a key aspect of the DORA framework. DORA's requirements in this regard apply not only to outsourcing arrangements but also to other ICT services arrangements. "While entities may have implemented previous regulatory requirements specific to outsourcing or cloud, DORA adds another layer of requirements – as well as the need to look at their entire ICT services environment," he said. "DORA includes detailed requirements for subcontracting and these should be considered not only by the regulated entities themselves, but also third-party suppliers to those entities in how they contract and manage their own supply chain. Other aspects of DORA will also have a ‘flow down’ effect on IT service providers."
"Our consulting experience shows that DORA can also mean a major implementation effort for IT service providers," Daniel Widmann, also of Pinsent Masons, said. "They are asked by their clients from the financial sector to adapt existing contracts, the implementation of which may cause difficulties in practice. This is also due to the fact that IT services are often categorised differently by financial companies in terms of criticality. IT service providers are faced with the challenge of having to adapt an often standardised service for customers in the financial sector. It is therefore all the more important for IT service providers to understand which obligations are mandatory under DORA and where there is room for negotiation."
"We are seeing different approaches being adopted for implementation by both regulated entities and ICT suppliers," Carney said. "These vary from clients managing implementation in-house, where we support on developing an understanding of DORA’s requirements, how it applies to their business, and identifying the steps needed to comply, right through to relying on us for full end-to-end support where we advise on all of DORA’s requirements, prepare templates and manage negotiation of ICT service contracts."