With only six months to go until the European Union Digital Operational Resilience Act (DORA) becomes applicable on 17 January 2025, DORA implementation projects are running full steam ahead. DORA lays down uniform requirements concerning information and communication technology (ICT) supporting the business processes of most regulated entities in the financial sector. It also extends the powers of the financial services supervisory authorities to ICT service providers deemed to be “critical” by the authorities.

In this update to our previous alert, we discuss some frequently asked questions and provide an update on the current status of DORA. We also summarize the European Central Bank’s draft Guide on Outsourcing Cloud Services. In addition, this alert describes some developments relating to operational resilience in the United Kingdom and comments on similarities and differences to the EU regime.

DORA Frequently Asked Questions

Dora Regulates How In-Scope Entities Must Use ICT and Their Arrangements With ICT Service Providers. But What Are ICT Services?

DORA defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.¹

The term “ICT system” is used but not defined in DORA. DORA does, however, define the term “ICT asset.” An ICT asset is “a software or hardware asset in the network and information systems used by the financial entity.”² Our understanding is that an ICT system refers to a system comprising ICT assets.

ICT services can include hardware such as workstations, phones, servers, data storage devices, and appliances. ICT services may also include software, digital data services and analysis/support for such services, and cloud services including infrastructure as a service, platform as a service, and software as a service. Annex III of the draft Implementing Technical Standards on the Register of Information specifies categories and identifiers for different types of ICT services.

Are We Required to Maintain a List of the ICT Services We Use?

DORA requires that financial entities prepare a list of ICT services provided by ICT third-party service providers in the form of a register of information.³ The draft Implementing Technical Standards (ITS) on the register of information provides for the establishment of standard templates for the register of information. These prescribe information, including information regarding contractual arrangements, to be included in the register and prescribe categories of ICT services and identifiers for each category.⁴

Financial entities are expected to use the templates. Whilst a financial entity may create a register using its own version/format, it will be expected to contain the same content as is specified in the templates. Financial entities are required to provide the register to the competent authority upon request.⁵

Firms may have existing lists that they use to populate the register of information for each financial entity within their group. Please note that a financial entity’s outsourcing register is unlikely to capture all ICT services. Conversely, if a firm has a list of service providers, or maintains lists of contracts with vendors (nonclients), these will likely be more extensive than is required for the register.

The European Supervisory Authorities (ESAs) are currently conducting a dry-run exercise for the preparation of the register of information on ICT third-party service providers with volunteers. The materials and tools published in this context are meant only for this exercise. The final technical package for the reporting, which will start in 2025, will be published later in 2024. 

What Is the Territorial Scope of Dora?

DORA lists specific types of in-scope financial services providers, e.g., credit institutions, payment institutions, alternative investment fund managers (AIFMs), management companies of undertakings for collective investment in transferable securities (UCITS), etc. These are referred to as financial entities. Companies providing ICT services that are designated by the ESAs as critical for financial entities are subject to certain provisions of DORA.

In some cases, DORA can affect financial services providers and ICT services providers established outside the European Union. Specifically, this means that:

• Third-country financial entities can become subject to DORA if they operate in the European Union; and
• Certain third-party ICT-related service providers outside the European Union may need to at least take into consideration, or become subject to, DORA if they enter into contractual arrangements with financial entities subject to DORA.

Further, a third-party ICT-related service provider located outside of the European Union providing services to in-scope financial entities would become subject to DORA if they are designated as a critical ICT service provider by the ESAs. Within 12 months of being designated as critical by the ESAs, the critical ICT third-party service provider must establish a subsidiary in the European Union if it does not already have an establishment in the European Union (see our previous alert).

For financial entities, DORA does not itself clearly specify its territorial scope. For each type of entity, it is necessary to refer to the EU regulations/directives setting out the harmonized rules for that type of financial entity in order to determine whether there is a territorial limitation. For example, UCITS management companies are required to be established in the European Union, whereas an AIFM may be established in the European Union or outside the European Union. In some instances, there remains a lack of clarity regarding the precise territorial scope of DORA. For instance, for a third-country AIFM, the ESAs have not clarified what EU nexus triggers the application of DORA and whether the nature of that nexus impacts how DORA applies. 

How Is Dora Relevant to Contracts Between an Entity Subject to Dora and Its Service Provider?

DORA imposes a range of obligations on financial entities. These include, amongst other matters, a requirement to put in place a sound, comprehensive, and well-documented ICT risk management framework; a requirement to establish and implement a process to monitor and log ICT-related incidents; and a requirement to undertake digital operational resilience testing. 

Specifically in relation to ICT service provider contracts, DORA requires the rights and obligations of the financial entity and an ICT third-party service provider to be clearly allocated and set out in writing and identifies certain elements that must be addressed in the contractual arrangements. Delegated Regulation (EU) 2024/1773 specifies further details of the requirements for contracts with ICT service providers supporting critical or important functions.

Separate to considering whether its contract with an ICT service provider addresses the required elements, a financial entity must ensure it can comply with DORA in relation to the ICT services it procures from ICT service providers and consider whether this requires any particular contractual provisions. Some of these may be matters that DORA requires the contract to address (e.g., procuring that service providers will fully cooperate with competent/supervisory authorities). Others may be necessary to ensure the financial entity is, for example, able to implement its risk management framework, and therefore may be bespoke (e.g., whether the financial entity requires the use of certain authentication procedures). 

The task for financial entities is as follows:

• For a new appointment of an ICT service provider, a financial entity must ensure that it undertakes precontractual due diligence in accordance with DORA and reviews the contract to ensure it addresses the mandatory elements⁶ and other matters identified by the financial entity as necessary to ensure it can comply with DORA. 
• For existing appointments of ICT service providers, part of the DORA implementation project should involve reviewing the contracts to ensure they address the required contractual elements and other matters identified by the financial entity as necessary to ensure it can comply with DORA and, if they do not, putting in place amendments to fill any gaps. 

Is It Sufficient That a Financial Entity Has Complied With Existing Outsourcing Requirements?

Whilst compliance with existing outsourcing requirements is helpful (for example in MiFID II for investment firms and in AIFMD for AIFMs), it is not necessarily sufficient. Firstly, DORA’s scope is broader than that of the outsourcing provisions, since DORA may apply to ICT procurement contracts that are not classified as an outsourcing under EU sectoral laws. Financial entities must review and amend not only IT outsourcing agreements but also ICT procurement contracts. To the extent that the use of ICT services subject to DORA also constitutes an outsourcing as defined by the applicable sectoral law, the outsourcing rules apply together with DORA. The German supervisory authority, BaFin, has signaled that compliance with DORA will usually mean that the requirements of the sectoral law provisions on outsourcing are also met.⁷

Secondly, certain of the elements required to be addressed in contracts by DORA are not necessarily required under the sectoral law on outsourcing. A key example is the requirement for ICT service providers to participate in security awareness programs and digital operational resilience training.

Is There an Indirect Impact for Financial Entities Not Directly Subject to Dora?

If a financial entity subject to DORA appoints an entity (a delegate) that is not otherwise subject to DORA to provide financial services (for example, where a UCITS management company appoints a non-EU asset manager as investment manager of a UCITS), DORA does not apply directly to the delegate. However, the financial entity in the scope of DORA must comply with the ICT risk management provisions within DORA and any applicable sectoral law provisions on outsourcing or delegations. Those outsourcing provisions generally provide that the financial entity’s risk management must not be negatively affected by the outsourcing or delegation. It is understood that this may effectively involve some indirect application of DORA to a delegate that would not otherwise be subject to DORA. 

There Are Special Rules for the Use of ICT Service Providers Supporting “Critical or Important Functions” of a Financial Entity Regulated Under Dora. How Does One Identify the “Critical or Important Functions” of a Financial Entity?

DORA defines “critical or important functions” as “a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorization, or with its other obligations under applicable financial services law.”⁸ 

According to recital 70 of DORA, this includes, but is not limited to, activities, services, or operations the discontinuance of which is likely (in one or more EU member states) to lead to the disruption of services that are essential to the real economy or to disrupt financial stability due to the size, market share, external and internal interconnectedness, complexity, or cross-border activities of an institution or group, with particular regard to the substitutability of those activities, services, or operations.⁹

The Financial Stability Board, an international body that monitors and makes recommendations about the global financial system, has developed a toolkit for enhancing third-party risk management and oversight. One of the aims of the toolkit is to promote interoperability across different jurisdictions and sectors. Firms may find the toolkit useful, especially the guidance it provides on helping financial institutions identify critical services.

Are There Equivalent Requirements to DORA in the United Kingdom?

UK-regulated firms are responsible for managing operational risk. They must take reasonable care to organize and control their affairs responsibly and effectively, with adequate risk management systems.¹⁰ This is supplemented by requirements in the Financial Conduct Authority (FCA) rules including requirements relating to firm’s management and governance, risk management, internal controls, business continuity and contingency planning, and outsourcing requirements. 

Those existing requirements are being supplemented by new provisions specifically addressing operational resilience. There are new requirements that apply to certain types of firms, and proposed requirements that will apply to service providers that are not licensed by the FCA.

UK Operational Resilience Regime

The UK operational resilience regime encompasses a broader range of operational risks than EU DORA and focuses on the ability of in-scope firms to withstand operational resilience regardless of cause (i.e., not limited to those originating from digital or ICT incidents). 

The UK operational resilience framework applies to banks, insurers, and certain large investment firms. It therefore has a significantly narrower scope compared with DORA. With respect to asset managers, whether the framework applies depends on their authorization status. Generally, if an asset manager is (i) regulated by both the FCA and the Prudential Regulation Authority (PRA) or (ii) classified as an “enhanced scope SMCR firm,” it would be subject to the UK operational resilience framework.

Following the publication of the PRA and FCA’s final rules and policy statements on 29 March 2021, an initial implementation phase was triggered whereby firms were required to: (i) identify “important business services” and set impact tolerances, (ii) map important business services and commence a program of scenario testing, and (iii) develop and put into effect a strategy or plan setting out how they would comply with the regulator’s requirements and expectations. 
In summary, the framework requires in-scope firms to:

• Identify their important business services;
• Set impact tolerances for each important business service and remain within them;
• Have in place strategies, processes, and systems to enable compliance with their obligations;
• Carry out mapping exercises;
• Carry out scenario testing and lessons-learned exercises;
• Undertake self-assessments;
• Have a communications strategy; and 
• Ensure that their boards and senior management give certain approvals and review their operational resilience documentation.

Following the expiration of this initial implementation phase, from 1 April 2022, in-scope firms entered into a three-year transition period ending 31 March 2025, at the end of which, they will have to prove that they are able to remain within the impact tolerances that they have set for each “important business service” in the event of a severe-but-plausible disruption.

The FCA rules and guidance on operational resilience are in Chapter 15A of the Senior Management Arrangements, Systems and Controls sourcebook.

Regime for Critical Third Parties to the UK Financial Sector

The United Kingdom is in the process of introducing a UK critical third-party (CTP) regime. While the legislative framework is set out in the Financial Services and Markets Act 2023, which is already in force, it is not yet operational. The CTP regime is expected to be operationalized in Q4 2024, subject to the conclusion of ongoing consultations between His Majesty’s (HM) Treasury, the PRA, and the FCA. 

The new regime seeks to oversee the material services CTPs provide to financial services firms. It covers a wide range of third-party service providers, including those that provide cloud services, information technology (IT) services, claims management services to insurers, and cash distribution services. The aim of the regime is to grant financial regulators powers to directly oversee services that CTPs provide to financial services firms, to ensure that such services are resilient, and to reduce the risk of systemic disruption. 

Under the new regime, HM Treasury is empowered to designate certain third-party service providers as critical. The designation is made if the failure or disruption of the services provided by these third parties would pose a risk to the stability or confidence of the UK financial system. Once designated, the CTPs must comply with requirements set by the UK financial regulators. The UK financial regulators are empowered to make rules, gather information, and take enforcement action against CTPs. The new CTP regime is currently due to come into effect in Q4 2024, at which point, HM Treasury is expected to start making regulations designating the first CTPs. 

UK technology businesses with customers that are financial entities in the European Union will therefore need to navigate two regulatory regimes in parallel. Whilst there may be some overlap between the operational resilience requirements for CTPs that are introduced in the United Kingdom in the future and the parts of DORA specific to ICT service providers, the UK regime is not being modelled on DORA. There is much in DORA which is new, for example, DORA’s requirements for detailed operational resilience testing in ICT and threat intelligence sharing. In many instances, the EU and UK regimes will need to be applied in tandem, most likely looking for the highest common denominator.

The European Central Bank’s Draft Guide on Outsourcing Cloud Services to Cloud Providers

The European Central Bank’s Draft Guide on Outsourcing Cloud Services to Cloud Providers (the Guide) is addressed to credit institutions directly supervised by the European Central Bank (ECB). It will complement the EBA Outsourcing Guidelines and supplement DORA and EU member states’ national legislation implementing DORA. The Guide is nonbinding and aims to clarify both the ECB’s understanding of related legal requirements and its expectations for the banks it supervises.

In the Guide, the ECB provides its interpretation of the risk management provisions of DORA, the NIS2 Directive (see our previous alert on this topic), and the Capital Requirements Directive in the specific context of the use of cloud services, including with regard to: 

• Pre-outsourcing due diligence and risk assessments, including assessments of concentration risks, risks arising from the involvement of subcontractors of the cloud service provider, and data protection risks arising from laws of third countries;
• Treatment of cloud assets as part of their own ICT inventory; 
• Business continuity, resilience, and disaster recovery;
  • In the ECB’s opinion, back-ups of critical or important systems should not be stored in the cloud hosting the services concerned, and business continuity management measures should address a worst-case scenario where some or all of the relevant cloud services provided by one or more cloud service providers are not available and the institution has to perform an exit under stress or an exit without cooperation from the cloud service provider(s) in question; for critical functions, the institution must retain the ability to bring data and applications back on-premises.
• Testing; 
• Encryption, cryptographic key management processes, and tracing mechanisms monitoring compliance with restrictions regarding data locations;
• Identity and access management policies;
• Contractual requirements regarding termination and exit and the credit institution’s own exit plan;
• Audits and how credit institutions may work together to verify compliance; and
• Incident handling. 

Status of DORA

DORA sets out the Level 1 legislative framework and is supplemented by Level 2 measures, including delegated acts and technical standards. Although DORA becomes applicable on 17 January 2025, many of the Level 2 measures are still in the process of being finalized.

Secondary Legislation Supplementing DORA

The EU Commission has adopted delegated acts under DORA on the following topics: 

• Classification of ICT-related incidents and cyber threats: Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.
• Contractual arrangements on the use of ICT services supporting critical or important functions: Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
• The risk management framework described by DORA: Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

Critical ICT Third-Party Service Providers Regime

The EU Commission has also adopted two delegated acts that are especially important for ICT providers serving the financial industry and supplement Chapter V, Section II of DORA. These acts relate to the designation of critical ICT third-party service providers (CTPPs) by the ESAs. Third-party ICT providers designated as critical will be subject to regulatory oversight by the ESAs, even though the providers themselves do not provide financial services—a novelty. It has some similarities to the United Kingdom’s proposed regime for CTPs. The CTPP regime can also apply to ICT service providers located outside the European Union. 

The delegated acts relevant to the designation of ICT providers as CTPPs are:

• Criteria for the designation of ICT third party providers as critical: Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024.
• Fees payable by critical ICT service providers: Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024, with regards to determining the amount of oversight fees to be charged by the lead overseer to critical ICT third-party service providers and the way in which those fees are to be paid.

CTPP Regime vs. “Critical or Important Function”

For the avoidance of doubt, it should be noted that the above delegated acts relating to the CTPP regime do not relate to the question of whether an ICT service provider supports a “critical or important function” of a financial entity. An ICT service provider supporting a function that its customer, the financial entity, has qualified as critical or important is not automatically a CTPP. As above, the designation of CTPPs is assigned by the ESAs depending on, broadly, how many entities in the financial industry rely on that provider and the nature of the functions supported by the provider. 

Technical Standards Supplementing DORA

As mentioned above, DORA is to be supplemented by technical standards, which may be either ITS or regulatory technical standards. The ESAs are continuing to work on these. 

The deadline for the ESAs to submit the first batch of draft technical standards to the European Commission was 17 January 2024 for certain DORA articles (articles 15, 16(3), 18(3), 28(9), and 28(10)). On 13 March 2024, the Commission adopted draft Delegated Regulations on the first batch, which entered into force on 15 July 2024. 

The ESAs published the second batch of policy products under DORA on 17 July 2024:

• Final Report on Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under Regulation (EU) 2022/2554
• Final Report on Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554
• Final Report on Draft regulatory technical standard on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of Regulation (EU) 2022/2554
• Final Report on Draft Regulatory Technical Standards on harmonisation of conditions enabling the conduct of the oversight activities
• Final Report on Draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents; and Draft Implementing Technical Standards On the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat
• Final Report on Draft Regulatory Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554

Other Useful Materials Related to DORA 

On 8 July 2024, the German supervisory authority BaFin published a legal gap analysis comparing the IT risk management and IT third-party risk management requirements applicable until now to the requirements under DORA. This document is for information purposes only. 

Footnotes