The EU sends an early Christmas gift with the adoption of Digital Operational Resilience Act
10 January 2023
10 January 2023
The DORA Regulation and Directive were published in the Official Journal of the European Union on 27 December 2022. DORA will apply from 17 January 2025 and member states are required to apply measures implementing the DORA Amending Directive from the same date. We first heard about DORA a couple of years back, when the headline point of the quasi-regulation of ICT third-party technology providers stole the limelight. However, for EU regulated firms, this is only a small part of the new requirements under DORA, which largely impose additional obligations on regulated financial institutions.
In short: probably - if you’re an EU financial entity. Certain UK firms are already subject to similar requirements under UK regulation and there are additional proposal for Critical Third Parties in the Financial Services and Markets Bill.
DORA will apply to the majority of EU-regulated financial entities, including: credit institutions; payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366; account information service providers; electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC; investment firms; authorised crypto-asset service providers and issuers of asset-referenced tokens; central securities depositories; central counterparties; trading venues; trade repositories; managers of alternative investment funds; management companies; data reporting service providers; insurance and reinsurance undertakings; insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries; institutions for occupational retirement provision; credit rating agencies; administrators of critical benchmarks; crowdfunding service providers; securitisation repositories (all of the above being "Financial Entities").
As previously mentioned, DORA will also apply to ICT third-party service providers which are designated as "critical" for Financial Entities.
While there has understandably been a lot of focus on the designation of critical ICT third-party providers, the proof is in the pudding when it comes to impact. Even a quick skim of the text of the regulation reveals that the real substance for Financial Entities is in the range of other obligations imposed by DORA. We have set out the key themes behind these obligations below.
DORA introduces new governance structures, and internal systems and controls requirements for Financial Entities. The management body is required to take responsibility for defining, approving and overseeing the management of the firm's ICT risk and the implementation of all arrangements related to the firm's ICT risk management framework. There is also an explicit requirement to develop an ICT risk management framework in the first instance, which should be sound, comprehensive and well-documented. The ICT risk management framework will need to explain how it supports the firm's business strategy and objectives, establish the risk tolerance level for ICT risk and set our clear information security objectives.
There is an additional requirement to identify all information and ICT assets, map their configuration and interdependencies and determine those that are critical. This exercise extends to identifying all ICT processes that are dependent on ICT third-party service providers and identify interconnectedness in respect of such providers, where they provide services that support a critical or important function.
Managing and overseeing ICT risk will need to be assigned to a control function to ensure an appropriate level of independence and to avoid conflicts of interest. Consequently, where firms do not an independent team in place with sufficient skills to do this, additional resourcing will be required.
Security requirements form a bulk of the obligations imposed by DORA. Financial Entities are required to establish policies, procedures and protocols to ensure the security, resilience and continuity of their IT systems. DORA also requires that Financial Entities continuously monitor ICT security and put in place mechanisms to detect anomalies in relation to their IT systems to identify potential material points of failure.
Financial Entities will be required to report major ICT-related incidents to the relevant competent authority. The notification requirements include an obligation to provide an initial notification to the competent authorities the same or next day by using standardised reporting templates.
This is a step change from what most firms are used to – except payment service providers who are subject to similar requirements under PSD2 - and will likely result in greater regulatory scrutiny much earlier in the process when a firm is subject to a security incident.
DORA requires firms to implement a testing programme to cover the resiliency of IT systems and processes. This requires Financial Entities (apart from microenterprises) to follow ensure that the tests are undertaken by independent third parties (whether internal or external). For IT systems and applications which support critical or important functions, firms should conduct such tests annually.
ICT third-party service providers may be designated as "critical" under DORA, whereby they will become subject to oversight by the European regulators. However, there is a restriction placed on Financial Entities as well – they can only utilise critical ICT third-party providers if the provider establishes an EU subsidiary within 12 months of its designation.
DORA is unclear on precisely the role of such subsidiary undertakings, as it makes clear at Recital 82 that the requirement to establish a subsidiary in the EU should not prevent critical ICT third-party service providers from supplying services from outside the EU, nor does DORA impose a data localisation obligation as it does not require data storage or processing to be undertaken within the EU.
DORA will have significant impact on in-scope firms. We have set out a summary of practical steps to take ahead of full implementation. We expect DORA will be published in the Official Journal by early 2023 and become effective on the twentieth day from this date, with application beginning 24 months following that. This means DORA is set to begin to apply to in-scope firms at the start of 2025.
The first step for Financial Entities is to carry out a scoping exercise to identify where they need to remediate in order to meet the DORA requirements. Many firms will already meet some of the DORA requirements (e.g. firms may already carry out sufficient ICT security testing), meaning it is important to identify and target the right areas which need work. Firms should therefore undertake a GAP analysis of their current governance and risk frameworks, systems, processes and procedures to identify which will be impacted by DORA and develop an implementation plan outlining how remediation will be achieved.
DORA also includes contractual requirements for relationships with providers of ICT services (both critical and non-critical). These appear to be somewhat aligned with those in the EBA Guidelines on Outsourcing. For example, the termination rights required under DORA are materially similar to those required under the EBA Guidelines on Outsourcing. With the two year implementation timeline, 2025 might feel like a long way away for some. However, anyone who has been involved with remediating vendor contracts to achieve compliance with the EBA Guidelines on Outsourcing will attest to how long this process can take. We advise that firms start to consider how they will approach this in the near-term to avoid being snowed under at the end of 2024.
While the contractual requirements are likely to be supplemented by delegated regulation, Financial Entities should consider carrying out an exercise to identify vendor agreements which will need to meet the contractual requirements and identify where remediation is required. Financial Entities should also consider reflecting the contractual requirements in standard form agreements and/or negotiating playbooks, to the extent they are not already included, to ensure that new vendor relationships are papered in a compliant manner ahead of the go-live date.
Financial Entities may also consider mapping which of their existing vendors are likely to be categorised as critical ICT third-party providers and engaging with them to determine whether they have, or plan to open, an EU subsidiary. For those critical ICT third-party providers which do not / will not have an EU subsidiary within 12 months following designation, Financial Entities should consider appropriate exit planning arrangements and alternative providers.
Critical ICT third-party service providers will also need to establish a series of systems, procedures, and governance and risk frameworks to ensure compliance with DORA. As such, it would be prudent for firms which expect to be designated to begin scoping preparations.
While DORA permits the European Supervisory Authorities to designate firms as critical ICT third-party service providers, this cannot be done until the European Commission adopts further delegated regulation on the assessment criteria for designation. DORA provides for such delegated regulation to be adopted within 18 months from the date which DORA enters into force.
However, it is widely acknowledged that the designation powers have been implemented with the intention of capturing cloud providers. As a result, cloud providers should consider ramping up their scoping work and developing implementation plans in the short-term.
Author: Henry Glasford
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.