What is DORA?
- DORA is the “Digital Operational Resilience Act”, a new EU framework aimed at ensuring that financial entities and information and communication technology (ICT) service providers are more robust and resilient. Through DORA, the EU aims to make firms, and the financial markets, better protected against severe operational service disruption caused by cyber attacks and ICT issues. This is particularly relevant given the interconnectedness of the financial system and the risk of financial contagion.
- DORA (Regulation (EU) 2022/2554) entered into force in January 2023 and will apply across the EU from 17 January 2025. A second batch of policy documents was recently published for consultation, with more to follow. Although DORA will not apply in the UK, it will be relevant for many UK-based entities, either because they are financial firms which (directly, or indirectly through their group) offer their services in the EU, or because they are ICT service providers which offer services to EU financial entities.
Which firms are in-scope?
- DORA applies to a wide range of financial entities. The list of financial entities includes credit institutions, payment institutions, account information service providers, e-money institutions, investment firms, crypto-asset services providers, CSDs, CCPs, trading venues, trade repositories, AIF managers, management companies, data reporting service providers, insurance companies, occupational pension schemes, credit rating agencies, administrators of critical benchmarks, crowdfunding services providers and securitisation repositories.
- DORA also affects ICT third-party service providers. "ICT services" means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (including hardware as a service). DORA will impact ICT service providers in two main ways:
- Certain ICT service providers can be designated as "critical" for financial entities, following an assessment by the European Supervisory Authorities or "ESAs" (i.e. the EBA, EIOPA and ESMA). This brings them, for the first time, directly within the regulatory perimeter, subject to the direct oversight of the ESAs.
- DORA obliges financial entities to take a more proactive approach to contracting with, and managing, their ICT service providers. This means that ICT service providers can expect their customers who are financial entities to have a shopping list of requirements to be included in their contract, as well as a wide range of reporting requirements and management levers.
What do Financial Entities have to do?
- EU financial entities have a wide range of obligations relating to ICT risk management (Chapter II), ICT-related incident management, classification and reporting (Chapter III) and digital operational resilience testing (Chapter IV). The purpose of this article is not to cover these in detail; however, in order to understand the impact on UK entities, it is worth summarising the obligations at a high level. Financial entities must:
- Put in place an internal governance and control framework for managing ICT risk. The management body of the financial entity (generally the board) will be responsible for this framework, including policies, roles, business continuity plans, audit, supervision of ICT service providers, training etc;
- Put in place an ICT risk management framework. This will include strategies, policies and procedures to protect ICT assets, infrastructure etc, as well as to detect, respond to, and recover from, incidents. The framework must be reviewed at least once a year, and also following major ICT-related incidents or supervisory instructions;
- Identify, classify and document all ICT-supported business functions, roles and responsibilities;
- Continuously monitor and control the security and functioning of their ICT systems, with appropriate tools, policies and procedures in place to minimise the impact of ICT risk;
- Ensure they learn from incidents (by carrying out post-incident reviews, reporting, awareness programmes etc);
- Have processes to detect, manage, classify and notify to regulators all ICT-related incidents;
- Perform testing. All financial entities must regularly test their ICT systems and address the ICT vulnerabilities uncovered. Testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of Threat-Led Penetration Testing (TLPT), which the financial entities identified by their competent authorities (broadly, larger firms) must carry out at least every three years; and
- Have appropriate procedures for the management of ICT third-party risk. This point is covered in more detail in the section headed “Contractual Arrangements” below.
What does this mean for UK Financial Entities?
- The UK regulatory authorities already have requirements for regulated firms relating to outsourcing, and for certain financial firms relating to operational resilience. The FCA has recently been undertaking a cyber and operational resilience questionnaire, looking at whether, for example, firms have a board-approved cyber security strategy, how firms identify and protect their critical assets, and how firms detect and respond to an incident, recover the business and learn from the experience. The FCA, the Bank of England and the PRA are currently consulting on how they should manage critical third parties to the UK financial sector, following the introduction of the Financial Services & Markets Act 2023, which granted the regulators and the Treasury powers in relation to critical third parties.
- The FCA’s rules on operational resilience overlap, to a certain extent, with the requirements of DORA. The UK operational resilience rules apply to banks, building societies, PRA investment firms, insurers, trading venues, enhanced scope SMCR firms, and payment / e-money firms. The list of firms captured by DORA is wider, and includes, for example, service providers in areas like crypto-assets, crowdfunding and data reporting. UK firms captured by the operational resilience requirements will already have identified their important business services, and set impact tolerances for these services etc. They will have undertaken dependency mapping and scenario testing. Firms which have a presence in both the UK and the EU will be able to apply some of the work from their operational resilience programme to DORA, but there will be much in DORA which is new: for example, the requirements relating to detailed operational resilience testing around ICT (particularly threat-led penetration testing) and threat intelligence sharing. Even for large financial firms which are already extensively regulated in the UK, the introduction of DORA will be a challenge, and require such firms, in all likelihood, to apply the “highest common denominator” requirements across the group. DORA will be a trigger for firms to align with existing programmes such as operational resilience, cloud transformation and cyber transformation. During 2024, the European authorities will publish detailed technical requirements relating to DORA. This will be the opportunity for firms to carry out their gap analysis in order to achieve that alignment.
- The recitals to DORA note the difficulties that financial entities have had in negotiating contractual arrangements with ICT third-party service providers in order to comply with existing regulatory requirements. For example, many financial services firms are already required to include a core set of contractual rights in their agreements with service providers, relating to issues such as audit rights, rights of access for regulators, performance and termination rights etc. DORA is aimed at providing certain minimum safeguards in order to strengthen financial entities' ability to effectively monitor all ICT risk emerging at the level of third-party service providers. Financial entities will be required to:
- Manage third party risk as an integral part of ICT risk within their ICT risk management framework (including assessing ICT concentration risk);
- Have a strategy on ICT third party risk, including a policy on the use of ICT services supporting critical or important functions provided by ICT service providers;
- Have contractual arrangements in place for the use of ICT services, distinguishing between ICT services which support critical or important functions and those which do not;
- Keep a register of information covering all contractual arrangements with ICT service providers, again distinguishing those which support critical or important functions;
- Before entering into a contractual arrangement, ensure they undertake due diligence, identify conflicts of interest, assess risks, assess information security standards, and determine the frequency of audits and inspections;
- Ensure contractual arrangements with ICT service providers include a wide-range of requirements, including:
- For all ICT services (including those which do not support critical or important functions) – a description of the services, the locations where services are to be provided and data processed, provisions on availability, integrity and confidentiality of data, access and recovery of data on termination, service levels, assistance in the event of an ICT incident (at no additional cost, or at a cost determined in advance), cooperation with regulators, termination rights, and participation in the financial entity's ICT security awareness programmes and digital operational resilience training;
- For critical / important functions: more detailed service descriptions, notice periods and reporting obligations, implementation and testing of contingency plans and ICT security measures, participation in TLPT, performance monitoring, and exit strategies (including transition periods).
What do the Contractual Requirements mean for UK Financial Entities, and for UK ICT Service Providers?
- Financial entities and ICT third-party service providers must consider the use of standard contractual clauses developed by public authorities for specific services. It is likely that such standard contractual clauses will be published during 2024. This notwithstanding, the contractual arrangements between financial entities and ICT service providers are likely to be subject to considerable scrutiny in the coming months. The DORA requirements overlap, to a material extent, with existing UK requirements. However, the points made in the section headed "What does this mean for UK Financial Entities?" apply here too. The list of firms captured by DORA is wider than the UK equivalent, and some of the requirements are different, or more detailed. Firms which operate across the UK and Europe will likely need to undertake a detailed gap analysis, and to apply the "highest common denominator" requirements.
- Although the DORA requirements do not apply to ICT service providers directly (with the exception of those designated as critical – see below), the requirements will end up biting on ICT service providers to the extent that they enter into contractual arrangements with EU financial entities. Existing contracts will be subject to much more scrutiny than before, and many will need to be reopened. This could have significant financial implications for service providers, and/or add material cost for financial entities. Financial entities will now require ICT service providers to contract on detailed and prescriptive terms. If the service provider refuses, it is likely that the financial entity will be unable to enter into the contract at all. However, nothing will be black-and-white: there will always be scope for negotiation between the parties. It is just that DORA will narrow that scope.
Designation of Critical ICT Service Providers
- DORA also makes provision for the ESAs to designate ICT third party service providers that are critical for financial entities, and to appoint an ESA as “Lead Overseer” for the critical ICT third party service provider. This means that, for the first time, certain service providers will be brought directly within the regulatory perimeter.
- The ESA designation will be made according to various published criteria, including:
- The systemic impact on financial services of an operational failure at the service provider;
- The systemic character or importance of the financial services entities that rely on the service provider;
- The contagion risk;
- The degree of substitutability of the third party service provider.
- Once brought within the regulatory perimeter, the Lead Overseer will have a wide range of powers over the critical ICT third-party service provider, including powers to request information, conduct general investigations and on-site inspections, issue recommendations (relating to e.g. ICT security, contracting and sub-contracting), and impose periodic penalty payments for non-compliance of 1% of the provider's average daily worldwide turnover in the preceding business year, payable daily for up to six months (and publicly disclosed by the ESAs). The Lead Overseer may also, in certain circumstances, exercise its powers outside the EU. These powers are notable given their extra-territorial nature.
What does this mean for UK Critical ICT Service Providers?
- We do not currently know exactly which service providers will be designated as critical under the DORA regime. Equally, we do not know which service providers will be designated as critical under the Financial Services & Markets Act 2023, which granted the regulators and the Treasury powers in relation to critical third parties (see the section headed "What does this mean for UK Financial Entities?" above). It is likely that there will be some overlap between the two, particularly in relation to, for example, very large cloud services providers. However, there are also likely to be ICT service providers which are designated as critical in one jurisdiction but not the other. A designation as critical will have very significant implications for the ICT service providers concerned: it will bring regulatory oversight and additional cost, as well as the potential for severe reputational damage in the event of a public censure.
- Many of the detailed requirements of DORA will be fleshed out during 2024 through the publication of regulatory technical standards by the ESAs. The second batch of policy instruments were published by the ESAs on 8 December 2023, and the consultation will be open until 4 March 2024. The UK regulatory consultation on critical third party service providers will also close during Q1 2024, and we will likely have final rules later in the year. Financial entities and ICT service providers should be preparing their board and management for significant change during 2024 and 2025. The first stage will be to conduct a gap analysis, both of governance and risk management frameworks, and of contractual arrangements. The contractual arrangements will need significant scrutiny and amendment during the course of the next year. This is something that Kemp IT Law is uniquely well placed to assist with. We sit at the apex of IT and regulatory law, and have experts with an unparalleled understanding of the issues. Please do not hesitate to reach out if we can help in any way.
Footnote: See for example the EBA Guidelines on outsourcing arrangements (2019) and the ESMA Guidelines on outsourcing to cloud service providers (2021), which the FCA expects regulated firms to take into account.