On December 27, 2022, the Digital Operational Resilience Act (DORA) regulation for the financial sector was published in the Official Journal of the EU. The provisions of DORA will be applicable as of January 17, 2025. It forms, together with the Crypto Assets Market (MiCA) Regulation, the Pilot System for Distributed Ledger Technology (DLT)-based Market Infrastructure Regulation and the Directive on clarifying or amending certain related EU financial services legislation, part of the Digital Finance Package, which was adopted by the European Commission on September 24, 2020. As indicated in recital 12 of DORA, it "(...) aims to consolidate and upgrade ICT (information and communication technology) risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience. The operational risk rules, when further developed in those Union legal acts, often favored a traditional quantitative approach to addressing risk (namely setting a capital requirement to cover ICT risk) rather than targeted qualitative rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities. Those acts were primarily meant to cover and update essential rules on prudential supervision, market integrity or conduct. By consolidating and upgrading the different rules on ICT risk, all provisions addressing digital risk in the financial sector should for the first time be brought together in a consistent manner in one single legislative act.
Therefore, this Regulation fills in the gaps or remedies inconsistencies in some of the prior legal acts, including in relation to the terminology used therein, and explicitly refers to ICT risk via targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring."
DORA, along with the Data Act, the Cybersecurity Act, the Directive on measures for a high common level of cybersecurity within the Union (NIS 2 Directive) and the proposed Artificial Intelligence Act (AI Act), among others, will form the framework of the European Commission's strategy for the European Digital Decade, which runs until 2030.
The addressees of DORA are primarily "financial entities" in the broadest sense, but the regulations of this legislation will also be extended to so-called "third-party ICT service providers," i.e., companies providing ICT services. It seems that the biggest changes related to DORA will affect these entities. This is due to the fact that, to date, the laws, guidelines and recommendations of the ICT regulators in Poland have been addressed exclusively to entities in the financial sector. Meanwhile, with the entry into force of DORA, third-party ICT service providers will not only be required to directly comply with the requirements of this regulation, but will additionally have to take into account the fact that financial supervisory authorities will begin to exercise supervision over them, including the possibility of imposing financial penalties. Naturally, this supervision will be exercised only to the extent of the services they provide to entities in the financial sector.
DORA provides for far-reaching responsibilities on the part of designated providers of key ICT services. In addition, the regulation stipulates extensive supervisory powers, which will be exercised mainly by the lead supervisory authority. It is worth briefly discussing the key rights and obligations that DORA imposes on third-party ICT service providers.
First of all, it should be noted that direct financial supervision will be exercised over an ICT service provider that is recognized as a key supplier, following an evaluation by one of the European Supervisory Authorities (ESAs)[1]. At the same time, DORA provides for the possibility for an external ICT service provider to apply for key supplier status.
Allowing ICT service providers to apply for key supplier status is a welcome solution: it will allow ICT service providers that, for various reasons, have been overlooked by the ESAs, but that wish to qualify as a key supplier because of the services they provide to entities in the financial sector, to obtain such status. Undoubtedly, obtaining the status of a key supplier will affect the reputation of such a supplier in the market and contribute to strengthening its competitiveness against other ICT service providers. For the above reasons, ICT service providers that decide to obtain key supplier status should start preparing for this process now.
As for the criteria for designating an external ICT service provider as a key provider, according to DORA, these are:
- systemic impact on the stability, continuity, or quality of financial service delivery if a particular third-party ICT service provider were to face a large-scale operational failure;
- the systemic nature or importance of the financial entities that use the services of a particular third-party ICT service provider;
- the degree of substitutability of the external ICT service provider.
An analysis of the above provisions indicates that the criteria for designating a third-party ICT service provider as a key provider have been written in fairly general terms and can be interpreted broadly. For this reason, ICT service providers will have to document in detail and precisely the issues that will be subject to evaluation in the context of obtaining key supplier status. This will apply both to those suppliers that will be subject to the procedure for granting such status, initiated by the Joint Committee, and to those that will themselves seek to apply for such status. It should be emphasized, however, that the European Commission will have the authority to adopt a delegated act in which the above criteria will be further clarified. As a result, it can be expected that the criteria for designating key suppliers will be further clarified, and the procedure itself will thus be clearer. The procedure for designating key suppliers is expected to begin after the European Commission adopts the delegated act, i.e., as of July 17, 2024.
DORA also stipulates the minimum requirements that contracts with ICT service providers must contain. Of importance here are clauses concerning, among other things:
- the obligation of the external ICT service provider to provide assistance to the financial entity, either at no additional charge or for a fee determined ex ante;
- the obligation of the third-party ICT service provider to cooperate fully with the competent authorities and the financial entity's forced restructuring authorities, including their designees;
- conditions for participation of third-party ICT service providers in ICT security awareness programs and operational digital resilience training developed by financial entities.
In addition, for contracts for the use of ICT services supporting critical or essential functions, contractual arrangements must, among other things, specify:
- requirements for a third-party ICT service provider to implement and test contingency plans, and to have ICT security measures, tools and policies in place to ensure an adequate level of security in the provision of services by the financial entity;
- the obligation for a financial entity's third-party ICT service providers to participate and fully cooperate in threat-led penetration testing;
- the right to monitor on an ongoing basis the performance of an external ICT service provider;
- exit strategies, in particular the establishment of a mandatory adequate transition period.
Although the above contractual requirements are addressed to financial entities, it is expected that ICT service providers will want to comply with them, particularly because of the possibility of being placed under the supervision of the ESAs as key providers. This may also lead ICT service providers that provide these services to entities in other sectors to take the above contractual requirements into account, prompted by the desire to gain a reputation and competitive position in the market for these services.
For the purpose of sound supervision, the lead supervisor is to assess whether each key third-party ICT service provider has put in place comprehensive, robust and effective policies, procedures, mechanisms and arrangements to manage ICT-related risks that the provider may pose to financial entities. The assessment of a key ICT provider is to include:
- ICT requirements to ensure, in particular, security, availability, continuity, scalability and quality of service;
- physical security affecting the provision of ICT security;
- risk management processes;
- management solutions including organizational structure;
- identification and monitoring of significant ICT incidents and their prompt reporting to financial entities;
- data portability mechanisms and application portability and interoperability;
- testing ICT systems, infrastructure and controls;
- ICT audits;
- application of relevant national and international standards applicable to the provision of ICT services to financial entities.
An analysis of the above DORA provisions indicates that key ICT service providers should review their services to determine whether they meet the criteria to be examined in the evaluation procedure by the lead supervisory authority. The range of potential requirements for ICT service providers here is quite broad, and as a result, this will require a significant amount of work. It should be noted, however, that depending on the results of this assessment, an individual supervision plan will be prepared, which will specify the goals for the provider and further supervision activities. As a result, by preparing for this assessment well in advance, the key ICT service provider will be in a better position to meet the annual goals set out in its supervision plan, and this will result in better cooperation with the lead supervisory authority.
The lead supervisory authority will have broad powers over key ICT providers. These will include the right to:
- request all relevant information and documents;
- conduct general investigations and inspections;
- request the submission of reports after the completion of surveillance activities;
- issue recommendations.
In addition, the lead supervisory authority has the authority to impose a periodic fine on a key ICT service provider. It is imposed when:
- the key third-party ICT service provider fails to comply with the measures to be taken in connection with the exercise of the supervisory authority's powers (i.e., to request all relevant information and documentation, to conduct general investigations and inspections, to request reports following the completion of supervisory activities), and
- after at least 30 calendar days from the date on which the key external ICT service provider received notification of the relevant measures.
The periodic penalty is imposed for each day until the measures are complied with and for no longer than six months after the key external ICT service provider is notified of the decision imposing the penalty. The amount of the periodic penalty shall be calculated as of the date specified in the decision imposing it and shall be up to 1% of the average daily global turnover of the key external ICT service provider in the preceding fiscal year.
In the context of the above regulations, ICT service providers should take appropriate technical and organizational measures so as not to expose themselves to penalties and, in the event of a penalty being imposed and made public, to reputational damage. This includes adequate preparation for inspections conducted by the lead supervisory authority, the provision of necessary information, and the implementation of the authority's recommendations and reports following the completion of supervisory activities.
The lead supervisory authority will be able, through a simple request or a decision, to obligate key external ICT service providers to provide any information that is necessary for the lead supervisory authority to perform its duties under DORA, including all relevant company or operational documents, contracts, strategy documentation, ICT security audit reports, ICT incident reports, as well as any information on parties to whom the key external ICT service provider has outsourced operational functions or activities. Of significance is the circumstance that if the obligation to provide information is conveyed through a simple request, the key ICT service provider will not be required to respond. If a response is given, however, the information provided must not be untrue or misleading. By contrast, the key ICT service provider will be obliged to respond if the request for information is transmitted through a decision. In that case, for failing to provide information in a timely manner or providing incomplete information, the lead supervisory authority may punish it with a periodic fine. The key ICT service provider will be able to appeal such a decision to the ESAs' Board of Appeal, and will also be entitled to challenge it before the Court of Justice of the European Union.
In view of the above-mentioned competencies, key ICT service providers should already review their organizational structures so that, once they are under supervision, they will be prepared to cooperate with the lead supervisory authority, provide it with full documentation and enable it to conduct inspections. It seems that a good solution would be to create a dedicated unit within the organization to handle cooperation with the lead supervisory authority and, at the same time, coordinate the activities of the other units during an investigation. This will allow better cooperation with the lead supervisory authority and reduce the possible periodic penalty imposed.
Within three months of the completion of an investigation or inspection, the lead supervisory authority, after consultation with the supervisory forum, shall adopt recommendations to be addressed to the key external ICT service provider. The recommendations shall be promptly forwarded to the key external ICT service provider and to the competent authorities of the financial entities to which the provider provides ICT services.
It should be emphasized that the recommendations issued by the lead supervisory authority will undoubtedly have a significant impact on the operations of the key ICT service provider. This will be the case not only because the aforementioned recommendations will be communicated to the financial entities that use the services of the provider in question, but also because the lead supervisory authority will inform those entities whether the provider plans to comply with its recommendations, and will inform the public whether the provider has given it explanations regarding compliance with the recommendations, or whether the explanations provided on this subject are insufficient. It is indisputable that the disclosure of this kind of information may significantly affect not only the key supplier's further cooperation with financial entities, but also its reputation.
Competent authorities shall inform relevant financial entities of the risks identified in the recommendations to key external ICT service providers. Financial entities will be required to take these risks into account. Otherwise, the competent authorities may take a decision ordering financial entities to temporarily suspend, in part or in whole, the use or implementation of a service provided by a key external ICT service provider until the risks identified in the recommendations to key external ICT service providers are eliminated. If necessary, the competent authorities may also, in this situation, order financial entities to terminate, in part or in whole, the relevant contractual arrangements with key external ICT service providers. Key providers should therefore cooperate with the lead supervisory authority in developing recommendations and ensure that they minimize the risks of the ICT services they provide as much as possible and do not expose themselves to the possibility of ceasing to provide them to financial entities.
To conclude, although DORA imposes new obligations primarily on financial entities, ICT service providers will also be affected by its implementation. It should be emphasized that these will not only be spillover effects. The DORA regulations explicitly extend their scope to third-party ICT service providers. For key providers, the situation will change the most, as they will be placed under direct supervision, and the supervisor will be equipped with a wide range of measures that can be applied to them. At the same time, financial sector players will seek regulatory-safe solutions. For this reason, ICT service providers should think about DORA today - not so much as a burden, but as an opportunity to gain a competitive advantage in the market.
[1] The ESAs consist of, among others: the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).