Enacted to enhance digital security for financial entities, the EU’s Digital Operational Resilience Act (“DORA”) introduces harmonization of security requirements for the business processes of financial organizations.
With 17 January 2025 approaching, the effective date of DORA, information and communications technology companies will be feeling the pressure to ensure they can deliver digitally operational resilient ICT services. What this means is that where ICT third-party service providers deliver services, such as cloud computing services, software, data analytics and data centers, to financial institutions, the ICT service provider will need to ensure continuity of service such that these services can withstand all sorts of ICT-related disruptions and threats.
The requirements for ICT service providers are complex, particularly for organizations designated within the Act as ‘critical ICT third-party providers,’ who will be subject to direct oversight from European Supervisory Authorities.
Amid regulatory scrutiny, the in-scope ICT providers have limited time to prepare, with pressure from financial entities, which will include those entities in the banking and payments, insurance, and investment sectors, to meet new standards for security of their networks and information systems.
ICT risk management must be of utmost priority to relevant organizations as the Act requires efficient protection of both software and hardware of financial services’ information systems, necessitating potential upgrades in the technology itself and to contractual terms with their ICT service providers. DORA requires a written contract between the financial entity and the ICT third party service provider. The more prescriptive requirements apply to critical third-party providers and these contracts will include monitoring rights and exit strategies, alongside the EU-wide supervisory regime.
In scope organizations will be required to work together on DORA compliance as ICT service providers are expected to participate in their financial services’ client’s penetration testing programs, potentially exposing gaps in defensive security capability. This will trigger new ways of working across the supply chain.
Planning for the massive and complex regulatory response required from ICT service providers will require substantial effort, leveraging tech-enabled review processes, creating new contract templates, and putting in place an effective robust system to track, analyze, organize, and action critical changes to a large body of contracts.
This article examines challenges posed by DORA with a specific ICT service provider’s lens and offers recommended approaches to effectively navigate these challenges.
The Challenge: Understanding the Regulatory Scope
Determining whether your organization falls within the scope of DORA is complex, particularly with the broad criteria outlined. DORA directly and indirectly impacts information, communication, and technology (ICT) service providers (e.g., cloud platforms or data analytics services) to financial entities, including banks, asset managers, investment firms, insurance companies and many other types of financial market participants.
The first step is to conduct a thorough assessment of your organization's ICT services and client base to determine if you meet the criteria set by DORA. Seek guidance from legal experts with expertise in regulatory compliance to ensure an accurate interpretation of the EU security framework legislation and its impact on your organization.
ICT providers must determine whether they are considered a “critical” ICT third party under DORA, triggering additional risk-adequacy requirements and regulatory scrutiny. Providers of critical ICT services must appropriately manage the cyber and IT security risk they pose to financial entities and support continuity of service. The bar is raised for critical ICT providers to meet stringent requirements to security, availability, quality, and scalability of respective services to financial entities Under DORA, EU financial services regulators will make audit and inspection requests of ICT providers, which will require an open and transparent approach to evidencing operational resilience. Ensure your IT, legal, compliance and business stakeholders are aligned on regulatory audit and inspection requirements, defining, and applying processes which enable you to respond quickly.
The Challenge: Assessing Resilience Capability
DORA requires financial entities to have a robust ICT risk management framework that enables them to address ICT risks, and this indirectly impacts their ICT third party service providers. ICT requirements will not be new to the organizations concerned as DORA is designed to work in conjunction with the existing regulatory framework, although it is incumbent on ICT service providers to evaluate their current digital resilience capability, and ICT risk management framework such as incident management and digital operational resilience testing, they must meet under the new broader requirements of DORA. By conducting an initial mapping of existing financial services clients and strategic third-party providers, ICT companies should be able to identify its existing cyber security risks and threats to its digital resilience.
Conducting a thorough review of resilience capability will help identify gaps and areas for improvement regarding service reliability. This should be followed by a review of existing contractual arrangements with financial services clients to ensure agreed levels of service currently offered are known and any upgrade to obligations can be identified and addressed. Bear in mind that DORA will touch a broader scope of financial market participants than previous reviews of this nature.
In future-proofing your digital resilience strategy, this analysis should be a cross-functional activity involving IT, legal, compliance and risk management. Effective and prompt communication of ICT-related incidents and reliable reaction times will form part of this strategy,. coupled with investment in technological development. The strategy should be reviewed at least once a year, and upon any ICT major incident, to ensure methods to address risk are kept fresh.
The Challenge: Compliance Gap Analysis
DORA introduces a harmonized approach across the EU of heightened oversight and compliance requirements, demanding robust operational resilience capabilities from ICT providers. Post January 2025, ICT providers should expect more scrutiny from their financial services clients and with critical providers, from the European Supervisory bodies. This will require more frequent audit triggers in contracts with the financial sector clients and will result in more audits during the vendor relationship lifecycle.
Ensure that ICT services are clearly mapped out, with descriptions and functions categorized according to their importance and relevance. Reexamining the pathways of third-party subcontractors to ensure transparency of the supply chain and that contractually sound relationships are in place with the suitable flowing down of obligations and right to audit will be essential.
The Challenge: Remediation and Implementation
ICT-providers must have in place contractual provisions, such that they align with the standards set by the applicable law on the availability, authenticity, integrity, and confidentiality of financial services clients’ data. DORA supports the termination of services, and contractual arrangements, where there is a sub-standard service by the critical ICT service providers. This will encourage a level of service and commitment to delivery not previously seen by the industry.
Strategies such as identifying and prioritizing mitigation of ICT threats affecting the availability, authenticity, integrity, and confidentiality of financial services clients’ data; and then taking a proactive approach to continuous improvement in cyber and IT security is recommended.
Critical ICT service providers need to develop a remediation plan and implement necessary changes to ensure DORA compliance. A standardised approach to streamline the review and amendment activities is required.
Under DORA, ICT providers must augment their business continuity planning arrangements to include support for rapid exit management of financial services clients.
The onus is on ICT providers to actively manage supply chain risk, encompassing all technology suppliers. Implement comprehensive supply chain risk management processes, including vendor assessments, due diligence, and securing reliance of key third-party providers. It is recommended to collaborate with legal partners experienced in contract management to ensure current contractual arrangements are known, with an emphasis on upgrading where necessary to align with DORA's supply chain risk management principles.
The Challenge: Consequences of Non-Compliance
Proper management of ICT risks is the “North Star.” Failure to comply with DORA will be met with financial implications, reputational damage, and regulatory intervention. Prioritize compliance efforts to mitigate the risks associated with non-compliance.
Develop a comprehensive roadmap that prioritizes remediation efforts based on regulatory insights and industry best practices. Collaborate with legal teams to develop and maintain a fit-for-purpose DORA framework aligned with your organization's strategic objectives.
The Challenge: Contract Management and Operation
Ensuring good contract management is crucial for compliance with DORA, particularly in areas such as the ICT framework and third-party risk management. Ensure adequate training and development of systems where key personnel are familiar with the security provisions in all related contracts for the delivery of services. Implement best practices for contract management, including thorough review and updating of contractual arrangements to align with DORA requirements. With the adoption of a harmonized approach to security requirements for financial entities, it will allow ICT providers to standardize processes, contract terms and service delivery across multiple clients.
Conclusion
Navigating DORA compliance presents significant contractual and operational challenges for ICT service providers, although adopting proactive measures with care and strategic planning can enable a smooth transition. By assessing your organization's digital resilience capability, committing to an in-depth understanding of regulatory obligations and their impact on your business, knowing your contract portfolio and promoting cross-functional collaboration across your IT, legal and compliance functions, ICT providers can effectively navigate the complexities of DORA compliance.
Factor helps clients meet regulatory change deadlines by designing and deploying tech-enabled solutions, overseen by expert project managers to handle contract analysis, counterparty outreach, bilateral negotiations, and data transfer of remediated documentation.
With hundreds of complex projects under our belt, Factor has narrowly focused its investments (in technology, tools, methodologies) with the aim of being the best in the world in regulatory response and remediation. As such, Factor is well-placed as a trusted partner to guide you through a successful DORA transition.
Contact us today to learn how Factor can support your DORA compliance journey.
