DORA: A new era of Digital Operational Resilience for Financial Services approaches - What should financial services firms and their ICT providers do now?
Introduction
The financial services industry has long been a trailblazer in technological innovation, eagerly embracing digital transformation to bolster efficiency, security, and customer experience. However, this digital revolution has brought about an increased reliance on complex third-party information and communication technology (ICT) systems, which can pose substantial operational risks. Concentration risk in certain technology sectors, such as cloud infrastructure, is also a concern, with incidents involving a critical service provider potentially impacting the European Union’s entire financial system.
Until now, EU firms have lacked clear regulatory guidance on how to effectively evaluate and mitigate ICT risk, leading to inconsistent approaches, and unpredictable and uneven supervision amongst regulators, further compounding the problem. To address these challenges, the EU has introduced the Digital Operational Resilience Act (DORA), a comprehensive regulatory framework aimed at strengthening the digital resilience of the EU’s financial sector.
DORA will take effect from 17 January 2025, directly applicable in all EU Member States, and covering a wide range of EU-regulated financial services entities (e.g. credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and insurance, including their agents, and reinsurance undertakings). DORA will also apply to parent companies which, although based outside the EU, procure ICT services on a group-wide basis where the group includes EU-regulated firms.
Understanding DORA: A Paradigm Shift in Operational Resilience
DORA is a ground-breaking piece of legislation that seeks to harmonise the rules governing ICT risk management and operational resilience across the EU and, in doing so, establishes a set of stringent requirements for financial entities, including banks, investment firms, and insurance companies, as well as their third-party ICT service providers (critical third parties are directly regulated, while other third-party ICT service providers are caught through their contracts with their financial services customers; see further below). The notion of a third-party ICT service provider covers a deliberately wide range of services including cloud computing, data analytics and data centres – in fact, it covers most modern technology services leveraging ICT systems and excludes only traditional analogue telephone services.
At its core, DORA recognises the interconnected nature of the financial ecosystem and the potential for systemic risks arising from ICT disruptions or cyber incidents. By setting common standards and expectations, DORA aims to enhance the overall resilience of the financial sector, ensuring that critical services can withstand and swiftly recover from operational disruptions. Regulatory technical standards issued by the European Supervisory Authorities will set out in more detail and/or expand upon some of DORA’s requirements such as defining critical third-party ICT service providers and setting out ICT-related incident reporting thresholds and testing requirements.
Key Pillars of DORA: Strengthening Digital Resilience
DORA is built upon five key pillars that collectively address the various aspects of digital operational resilience:
1. ICT Risk Management: This emphasises the importance of proactive risk management and the adoption of industry best practices, and requires firms to implement resilient ICT systems, continuous risk monitoring, business continuity planning, and learning from incidents.
2. Incident Reporting: DORA introduces mandatory incident reporting obligations for financial entities and critical ICT providers. This pillar focuses on the prompt detection, management, classification, and reporting of ICT-related incidents. It harmonises incident reporting procedures across the financial sector and also covers the reporting of significant cyber threats.
3. Digital Operational Resilience Testing: Firms must establish digital operational resilience testing programmes to assess and identify weaknesses in their resilience capabilities. This pillar mandates regular testing, including advanced threat-led penetration testing for high-risk entities.
4. ICT Third-Party Risk Management: Recognising firms’ increasing reliance on third-party ICT service providers, this pillar addresses the associated risks, requiring due diligence and monitoring, as well as requiring firms to ensure that their ICT providers adhere to the same resilience standards as they do.
5. Information and Intelligence Sharing: The final pillar promotes the sharing of cyber threat information and intelligence among financial entities to enhance collective resilience, raise awareness, and support defensive strategies.
Implications for Firms and their ICT Providers
The introduction of DORA will have far-reaching implications for both financial services firms and their ICT providers. Some key considerations include:
- Governance and Accountability: DORA places a strong emphasis on governance and accountability, requiring financial entities to establish clear lines of responsibility and oversight for digital operational resilience. Senior management and boards of directors will play a crucial role in ensuring compliance and fostering a culture of resilience.
- Investment in Resilience Capabilities: Achieving and maintaining compliance with DORA will necessitate significant investments in people, processes, and technology. Financial entities and ICT providers may need to enhance their risk management frameworks, incident response capabilities, testing methodologies, and third-party management practices.
- Collaboration and Information Sharing: DORA encourages collaboration and information sharing among financial entities, ICT providers, and regulatory authorities. This collective approach aims to promote transparency, facilitate knowledge transfer, and enable a more coordinated response to potential threats or incidents.
- Third-Party Risk Management: Financial entities will need to conduct rigorous due diligence and ongoing monitoring of their ICT providers to ensure compliance with DORA's requirements. This may lead to a reassessment of existing vendor relationships and the implementation of more robust contractual agreements and service level agreements.
- Regulatory Oversight and Enforcement: DORA empowers regulatory authorities with enhanced oversight and enforcement capabilities. Financial entities and ICT providers can expect increased scrutiny, audits, and potential penalties for non-compliance, underscoring the importance of proactive preparedness and adherence to the new regulations.
Contracting for DORA
With the clock ticking down, EU financial services firms and their ICT providers should act now and start preparing to meet the 2025 deadline. Firms will first need to map and classify all their contractual arrangements with third parties providing ICT services to determine whether DORA requirements apply, which may prove problematic given that these days ICT services are a component of most contracts, e.g. where an IT platform is provided as an ancillary part of a larger services arrangement.
Once a firm has determined which contracts are caught, and whether each contract supports critical or important functions, it must turn to Article 30 of DORA, which sets out a range of contractual requirements to be incorporated into existing contracts as well as new ICT agreements entered into in the future. Frustratingly, these DORA requirements are similar, but not identical, to those set out in the EBA Outsourcing Guidelines, meaning that a gap analysis will be needed and that remediation of existing contracts is quite likely.
Although Article 30(4) contemplates standard contractual clauses, none have been published so far and, in any event, financial services firms have between them developed a very wide range of contract templates and precedents for use when buying ICT services which approach regulatory compliance in myriad different ways. For this reason, the use of the ‘DORA Addendum’ is gaining traction (similar to the various GDPR addenda we saw a few years back), intended to address DORA’s requirements in a simple contract amendment. Of course, the party drafting these documents (i.e. customer versus supplier) typically favours their own position at the expense of the other parties, meaning that some review and negotiation may be required.
This all takes time, so the strong advice is to act sooner rather than later. Our expert DORA readiness team is fully versed in the issues, so please do get in touch with us or speak with your usual Fladgate contact.