Digital Operational Resilience Act

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (DORA) deals with digital operational resilience in the financial sector.

DORA was introduced to implement a cohesive regulatory framework in the EU financial services sector. It aims to manage digital risks and build resilience against IT-related disruptions, threats and cyberattacks. DORA applies to a wide variety of financial firms and also to certain critical businesses providing IT services to those financial firms. Financial services entities will be expected to apply DORA obligations on a proportionate basis. Its impact on the financial services sector is expected to be wide-ranging.

What is the scope of DORA?

DORA will apply to a wide range of financial entities, including:

  • Credit, payment and e-money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Trading venues
  • Trade repositories, and
  • Some insurance and reinsurance undertakings

What are the key features of DORA?

Common standards

DORA introduces common standards to help mitigate the risk of cyberattacks. Firms will have to apply the same robust set of protections, but on a proportionate basis depending on the scale and complexity of their operations. It also reduces regulatory complexity across Member States by providing a uniform set of definitions for IT risks, third party service providers and digital operational resilience.

Risk framework

The legislation requires financial services firms to design and maintain an IT risk management framework and put in place comprehensive internal governance to support this framework. This includes:

  • Building disaster recovery procedures and business continuity plans in proportion to the firm’s size
  • Creating communication policies
  • Carrying out adequate reviews to ensure improvements are made following significant issues
  • Periodically testing IT risk frameworks and addressing any deficiencies

Incident management and reporting

Financial services firms are required to establish a robust incident management policy that includes adopting early warning mechanisms and ensuring the suitable classification of issues. To ensure that reporting to the European point of contact is standardised across Member States, firms will have to report major incidents to their national regulator using harmonised reporting templates.

Information exchange

To improve security awareness, DORA encourages financial services firms to share information among themselves on cybersecurity threats, response tactics and general intelligence on improving digital resilience.

Outsourcing contract arrangements

The legislation requires outsourcing contracts between financial services firms and third-party IT providers (“ICT services”) to contain certain provisions and content, with the aim of standardising terms and conditions to manage third-party risk where this is practicable.

One of the key points to note about DORA is that these contractual requirements apply to the use of ICT services generally, and not only to outsourcing arrangements, as is the case with existing regulatory guidance on outsourcing.

Digital operational resilience testing

Under DORA, financial services firms will be required to carry out testing to assess the effectiveness of their preventive, detection, response and recovery capabilities and to uncover and address potential ICT vulnerabilities.

Testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements to more advanced testing by means of threat-led penetration testing for certain financial services firms.

Oversight of critical third party providers

In terms of third party providers of software, data and cloud services, DORA permits the European supervisory authorities (ESAs) to specify a third party provider as ‘critical’.

An ESA will be designated as lead overseer for each critical third-party service provider. Critical third-party providers will be subject to far-reaching obligations, including keeping suitable risk management procedures, permitting general investigations of their contracts and policies, and facilitating on-site inspections by the lead overseer.

Critical third-party service providers are expected to co-operate in good faith with the lead overseer. DORA provides for administrative penalties on third-party providers for non-compliance of 1% of average daily worldwide turnover. Member States can choose to impose harsher sanctions under national law.

When will DORA come into force?

DORA will apply to in-scope financial services firms from 17 January 2025.

The period leading up to January 2025 gives relevant financial services firms an implementation window in which to thoroughly review their ICT contractual arrangements and implement any changes that may be required to ensure compliance with DORA.

Impact of DORA

There is no doubt that DORA will represent a significant implementation project for in-scope financial service firms.

However, financial services firms which use the services of a critical ICT provider will likely welcome the regulatory oversight aspects of DORA. The direct oversight by European regulators will assist those firms when they are seeking information, reporting, audit and inspection rights from these providers. This is an issue which has caused problems in the past when financial services firms were seeking to comply with the associated requirements in sectoral outsourcing guidelines.

The companies designated as critical ICT providers may not be as welcoming of these direct oversight provisions. This may be because the powers granted to the lead overseer align with the types of provisions which some providers, usually for good practical reasons, have sought to resist in their contracts with customers, e.g. detailed rights of audit, inspection and reporting.

Coupled with this is the threat of very substantial fines and the requirement to pay the costs of the lead overseer. These issues mean that the relevant companies should be paying very close attention to this aspect of DORA and taking note that DORA entered into force on 16 January 2023 and its provisions will apply from 17 January 2025.

Contact a member of our Technology or Financial Regulation teams for expert advice and guidance on the implications for your organisation.

The content of this article is provided for information purposes only and does not constitute legal or other advice.