The Digital Operational Resilience Act, or Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022 on digital operational resilience for the financial sector (DORA) will have wide-ranging impacts on in-scope financial entities across the EU, including:
- credit institutions;
- payment institutions and electronic money institutions;
- investment firms;
- AIFMs and UCITS management companies; and
- (re)insurance undertakings, (re)insurance intermediaries and ancillary insurance intermediaries.
Under DORA, “digital operational resilience” is defined as the “ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by information and communication technology (ICT) third–party service providers, the full range of ICT–related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.
For financial entities in Ireland, DORA represents an evolution of the cross-industry guidance papers issued by the Central Bank of Ireland (CBI) over recent years:
- Information Technology and Cybersecurity Risks (September 2016);
- Operational Resilience (December 2021); and
- Outsourcing.
This is because the Central Bank sought to align its guidance with international regulatory colleagues and proposals across the European Union (EU), the UK, Asia, Australia, and the US. Financial entities across the EU will have to consider the extent to which their existing business models will need to be upgraded to meet the requirements of DORA and have almost two years to do so with the implementation deadline being January 17, 2025.
Extraterritoriality of DORA
The increasingly interconnected world we live in means that financial entities offer their services across multiple jurisdictions, often using the same technology platform in every host jurisdiction. Realistically, such technology platforms cannot be prevented from supplying their customers with technology solutions from third countries. This means that financial entities will have to consider DORA even where, at first glance, it may seem that DORA does not apply. Examples include:
- third country financial entities can become subject to DORA requirements if they operate in the EU;
- third party ICT-related service providers outside the EU become subject to DORA requirements as soon as they enter into contractual arrangements with financial entities covered by DORA;
- third party ICT-related service providers outside the EU that the EU supervisory authorities designate as critical ICT third-party service providers must establish a subsidiary in the EU within 12 months of the designation. This designation will not trigger a requirement that data be processed locally in the EU but it does mean that EU supervisory authorities can conduct inspections outside the EU.
DORA requirements
DORA introduces uniform requirements concerning:
- information and communications technology (ICT) risk management;
- reporting of major ICT–related incidents and notifying, on a voluntary basis, of significant cyber threats to the competent authorities (in Ireland, usually but not always, the CBI);
- digital operational resilience testing;
- information-sharing arrangements on cyber threat information and intelligence;
- key principles for the sound management of ICT third–party risk;
- requirements in relation to the contractual arrangements concluded between ICT third–party service providers and financial entities; and
- enabling provisions in relation to the creation of an oversight framework for critical ICT third–party service providers.
The imposition of these requirements is hugely significant because financial entities are so embedded in our lives and the regulatory reach of competent authorities, including the CBI, is moving beyond financial entities to critical third parties who provide specialised services to financial entities such as cloud service providers, independent software vendors and payment processors. However, thinking that DORA is simply a matter for a firm’s IT department to manage will not be sufficient.
Looking at how the CBI has imposed regulatory sanctions on financial entities in Ireland that failed to live up to expectations on outsourcing and cyber security, it is not hard to see that boards of financial entities will have to redesign aspects of their business from the ground up and ensure that teams from legal, compliance, risk management and IT are involved in designing an approach to DORA that is fit for purpose, and in implementing the policies and procedures to apply that approach.
DORA is outsourcing ‘plus’
Prior approaches to outsourcing related solely to services that a financial entity would normally perform itself and consider a ‘core’ activity. The clue to the difference is in the phrase ‘digital outsourcing’. So much of DORA relates to contractual requirements in the use of ICT services, which are defined as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
What this means is that a financial entity’s legal team has a critical role to play before entering into, when negotiating and when maintaining contractual arrangements with third parties providing ICT services.
Things to do before entering a contract with a third party:
- assess whether the contract relates to a critical or important function, and if so, assess the benefits and costs of alternative solutions;
- identify and assess all relevant risks, including information concentration risks where the service provider’s services are not easily substitutable;
- identify and assess any conflicts of interest that the contractual arrangement may cause;
- in case of subcontracting to third parties: weigh the benefits and risks that may arise, in relation to insolvency legislation in case of bankruptcy, constraints for urgent data recovery, compliance with EU data protection rules and effective enforcement in non-EU countries; and
- where subcontracting concerns the use of ICT-related services supporting critical or important functions: financial entities shall assess whether and how long and complex chains of subcontracting may compromise their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.
Things to include in contracts with an ICT third party service provider:
- a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider;
- an indication of the locations where the services will be provided and where the data will be processed;
- provisions on the availability, authenticity, integrity and confidentiality of data, including personal data;
- provisions on the guarantee of access, recovery and return of data in the event of insolvency, resolution, cessation of activities of the ICT third party service provider or their termination;
- the obligation of the ICT third party service provider to offer incident support to the financial entity at no additional cost or at a cost determined ex ante;
- the obligation of the service provider to cooperate fully with the competent authorities and resolution authorities of the financial entity;
- termination rights and minimum notice periods; financial entities shall ensure that contractual arrangements can be terminated if:
  - the ICT third party service provider has significantly breached applicable laws;
  - there are circumstances which may alter the performance of the functions provided through the contractual arrangement;
  - the service provider has proven weaknesses in its overall ICT-related risk management; or
  - the competent authority of the financial entity can no longer effectively supervise the financial entity because of the conditions of the contractual arrangement or the circumstances related to it; and
- conditions for the participation of the ICT third party service provider in security awareness programmes and digital operational resilience training developed by financial entities.
Where a contract covers a critical or important function, it must include:
- precise and quantifiable service levels and applicable corrective actions;
- notice periods and reporting requirements by the ICT third party service provider regarding their ability to provide continuity of services;
- an obligation to implement and test contingency measures and to put in place additional security measures, tools and policies;
- an obligation for the ICT third party service provider to participate and cooperate fully in testing carried out by the financial entity;
- the right to continuously monitor the ICT third party service provider’s performance in various ways;
- exit strategies from the contractual arrangements with mandatory adequate transition periods:
  - without disrupting the business of the financial entity;
  - without limiting compliance of the financial entity with its regulatory requirements; and
  - without affecting the continuity and quality of services provided to clients of the financial entity.
Ongoing compliance related to contractual arrangements with third parties:
Financial entities must maintain a register of all contractual arrangements on the use of ICT services provided by third-party service providers, distinguishing between those covering critical functions and others.
Financial entities must identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers that provide services that support critical or important functions.
Trevor Nolan is partner and head of Asset Management and Regulation, Eversheds Sutherland.