Your DORA questions answered – Scope

The first of a series of six articles covering a practical session organised by Ashurst focuses on the scope of DORA.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that, with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the regulatory technical standards (RTSs) – remain incomplete. As a result, much of the advice, even from experts, remains couched in conditional language. The team was very sympathetic to the pent-up frustration of those who will be responsible for ensuring their institutions are DORA-compliant, a frustration apparent in both the number and the tenor of the questions posed.

We have tried to summarize the Ashurst team’s answers to each of the questions tackled during the session. The Ashurst team very helpfully organised the questions into broad thematic categories that are reflected in a series of bite-size articles.

1. Scope
2. ICT services in scope
3. CIFs
4. ICT third party contracts
5. Business resilience
6. Extraterritoriality and existing rules

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in making (or refraining from making) any specific decisions.

If you are a ‘financial entity’ within scope of DORA, can you still be considered an ICT third-party service provider, and be expected to take flow-down obligations from other ‘financial entities’? If so, would a basic contractual obligation to comply with DORA be appropriate?

Yes. An organization can be both an ICT service provider as well as a financial entity receiving ICT services within scope of DORA.

And while there is no direct obligation for the policies of a financial entity to ‘flow down’ to an ICT third party service provider, a basic or broad affirmation of the obligation to comply with DORA will almost certainly not be sufficient from an ICT third party service provider.

Does DORA affect unregulated subsidiaries of a regulated entity?

An unregulated subsidiary will likely be caught in the net of DORA regulatory obligations where it is:

  • providing ICT services to a financial entity; or
  • involved in the ICT risk management framework of a regulated entity, for example in its governance or information sharing arrangements.

DORA does apply certain requirements on a sub-consolidated and consolidated basis. For example, the requirement for a register of information on all contractual arrangements (as stipulated by Article 28(3)) applies at an entity level on a consolidated and unconsolidated basis.

Generally, the resilience of the whole group should be reviewed. If the subsidiaries are part of a consolidated group they must be considered, particularly where their activities are potentially a material part of the regulated entity’s ability to deliver services to clients.

‘Small and non-interconnected investment firms’ are subject to a simplified ICT risk management framework (Article 16, DORA). Is ‘small and non-interconnected investment firm’ interpreted the same as under the IFR?

Yes, it is. ‘Small and non-interconnected investment firm’ is defined in DORA and is attributed the same meaning as in the IFR (i.e. an investment firm that meets the conditions laid out in Article 12(1) of Regulation (EU) 2019/2033).

DORA includes the principle of proportionality – how should this be applied and how relaxed and wide is this principle?

It may be difficult to determine where this principle starts and ends.

A suggested practical approach would be to:

  1. identify all ICT services;
  2. identify critical functions;
  3. identify ICT services that support those critical functions; then
  4. apply the proportionality principle subject to any explicit advice from the regulator by asking the question:
    • How important is each of those ICT service providers to the ongoing delivery of the ICT service or critical ICT service?

The principle of proportionality is intended to help ensure the ongoing resilience of a financial entity. Within the risk management framework and the documents supporting it, as distinct from the minimum contractual remediation work, it may be possible to demonstrate that some vendors do not have a material impact on a financial entity’s resilience.

The thrust of this question is similar to that of questions being asked by many organizations: is it possible to somehow reduce the burden here by de-scoping certain services that are not material?

But proportionality is in fact relevant in both directions: it may be just as important to consider whether, for some key vendors, requirements need to be ramped up because of how critical those vendors are to the entity’s ability to remain resilient.

GRIP Comment

DORA Article 4 makes clear that the application of DORA should be proportionate to the size and risk profile of the financial entity, taking into consideration the nature, scale and complexity of its services and operations.

The draft technical standards provide some additional specific information, including criteria that should be considered when relying on the principle. Those criteria are not exhaustive, however, and leave open the option for individual entities to develop their own criteria where necessary.

The phrasing and positioning of proportionality in the DORA recitals, as well as in the draft technical standards, may suggest that the responsible regulators could initially be more interested in gaining insight into the full extent to which financial institutions depend on vendors. In other words, the principle of proportionality and its application by firms may be less relevant to begin with, simply because it may be very difficult for regulators to assess whether it has been applied appropriately without insight into the whole of the vendor register of a specific firm or group of firms.

There is no doubt however, that the proportionality mechanism is intended to make DORA compliance more manageable for all, including smaller or less complex entities that fall within its scope.