The EU’s Digital Operational Resilience Act: DORA for Financial Firms
An important new regulation is being implemented by the EU for the financial sector in the European Union. Known as DORA (the Digital Operational Resilience Act),[1] the regulation builds on the existing regulatory oversight of ICT risk in financial services and is designed “to ensure a sound monitoring of ICT third-party risk” (page 10 of the regulation). It is planned to come into effect in early 2025, but financial firms will need to begin preparing well before then: the comprehensive ICT risk management framework requires governance to be in place, ICT risk to be actively managed, and the prescribed reports to be provided to competent authorities.
The regulation is therefore also significant for so-called “ICT third-party service providers” who contract with financial entities. This definition covers undertakings providing digital and data services, including providers of cloud computing services, software, data analytics services and data centres.[2]
Financial entities must also have specific contractual provisions in their contracts with ICT third-party service providers, which are covered in detail in this paper.
Financial entities will have to ensure that their direct suppliers meet minimum due diligence and contractual requirements, and these obligations will have to be flowed down the supply chain to second-tier subcontractors and beyond.
Critical ICT third-party providers
DORA is also significant for the IT community because it introduces direct supervision of a much smaller number of ICT service providers in order to address systemic operational resilience for the financial sector, although this aspect of the regulation is not covered in detail in this paper.
This will be a very small category of providers who will be subject to direct oversight by a regulator known as the Lead Overseer. This will be one of the EBA (European Banking Authority), ESMA (European Securities and Markets Authority) or EIOPA (European Insurance and Occupational Pensions Authority). ICT vendors and their own critical supply chain will therefore also be indirectly affected, since they will be called on to assist the critical ICT third parties in complying with their obligations. At present there is no defined list of who the critical ICT third parties will be, but it will be a very small category of well-known vendors. There is a separate consultation in the UK on similar regulation, which will affect a similar category of providers, to be known as critical third parties (CTPs) under the UK regime.[3]
The wider context
The regulation is part of a much wider regulatory context. At the EU level, the regulation is part of operational resilience, and is justified because of the increased cyber threats facing all sectors. The European Systemic Risk Board (ESRB) in particular has identified cyber risk as potentially constituting a systemic vulnerability to the financial services sector.
The regulation states that although ICT security and digital resilience are part of operational risk, there has been less focus in the post-crisis regulatory agenda on ICT risk, and it has been inconsistently approached across member states.
The regulation therefore forms an important part of the overall review of systemic risks from an operational risk perspective and, within operational risk, from a concentration risk perspective. Further, the regulation is intended to be consistent with both the NIS regime (which regulates the maintenance of appropriate levels of cyber security for network and information systems and the reporting of incidents) and the European Critical Infrastructure Directive. As to the hierarchy between potentially overlapping regulation, regulators advise that DORA will be treated as the sector-specific framework for ICT risk in financial services (a “lex specialis”), so that its provisions will prevail where they overlap with NIS and similar horizontal regulation.
The EU further believes that the regulation is needed because “the monitoring of the contractual dimension is not fully anchored into Union Legislation” (Recital 27). The European Banking Authority (EBA) Guidelines on outsourcing and the EU’s data protection legislation (in particular the GDPR) both regulate contractual provisions on ICT and data risk, but the new regulation will have a far wider effect.
In the UK there is a similar concern about resilience, and the UK government has in parallel sought to update its own implementation of the NIS Regulations and is looking more generally at data storage and processing infrastructure security and resilience, on which there was a call for views in May 2022. The government is currently considering the responses to this and may well report soon on further measures to protect digital infrastructure.
DORA should also be looked at in the light of the recent fines levied on TSB by the PRA and FCA in the UK. The regulators identified a number of critical failings in the implementation of TSB’s new IT systems following its demerger from Lloyds. The reports from the PRA and FCA are highly critical of the governance processes applied, but also commented on the complexity of the supply chain arrangements for the new systems being implemented, noting that 85 fourth-party subcontractors were involved in the provision of the service. While the contractual provisions in that case were largely complied with, there were still governance failings in the implementation and oversight of the supply chain that contributed to the ultimate failure of the project.
What does DORA regulate?
The regulation requires financial entities to have in place internal governance and control frameworks that “ensure an effective and prudent management of all ICT risks”. This must be overseen by the management body of the financial entity, which is responsible for defining, approving and overseeing, and is accountable for, the implementation of all arrangements related to ICT. As with other regulations on operational resilience, the firm cannot contract out of its liability to regulators. Financial entities are able to take a proportionate approach to the risk for their specific organisation, but, as with the implementation of the current EBA Guidelines on outsourcing, it remains to be seen whether this will result in much flexibility on contractual provisions in practice.
In the case of the EBA Guidelines on outsourcing, there is a defined list of provisions that apply to critical or important functions. Regulated firms nevertheless tend to apply these generally, even where the outsourcing is not critical or important, with variations depending on the criticality of the outsourcing. It is possible that a similar approach will be taken with DORA, including by financial firms in the UK with global operations.
Summary of the key provisions of DORA
The regulation has nine chapters, and this paper summarises the key operational chapters, chapters II to VI. Chapters VII to IX cover the competent authorities who will ensure compliance with the regulation, delegated acts, and transitional and final provisions. Chapter I contains a general summary and definitions. The provisions in these articles are detailed and should be reviewed closely by ICT vendors to establish the measures that are likely to be applied to their specific services. The text is relatively concise, but each financial firm will have to establish the specific measures it will require for its own ICT risk management in order to comply.
Chapter II – ICT Risk Management (Articles 5 to 16)
The regulation requires that financial entities must create a full ICT risk management framework that must be sound, comprehensive and well documented, enabling firms to address ICT risks quickly, efficiently and comprehensively and to ensure a high-level of digital operational resilience that matches their business needs, size and complexity (Article 6(1)).
There are detailed provisions in Article 6(8) as to what the ICT risk management framework must include. It must effectively protect all relevant components and infrastructures, including computer hardware and servers, as well as relevant premises, data centres, sensitive designated areas and people (i.e. everything that forms part of the digital footprint of a financial entity’s operations), to ensure that all those physical elements are adequately protected from risks including damage and unauthorised access or usage.
The framework must contain a comprehensive digital resilience strategy which must be a “holistic” multi-vendor strategy. Firms must map at entity level key dependencies on ICT third-party providers and explain the rationale behind their procurement mix of third-party service providers. This is designed to avoid excessive concentration on a small number of vendors directly or indirectly.
Article 8 requires a detailed mapping of ICT functions, which must be documented and continually updated. It is not expressly clear how this will map onto the critical economic functions and operational resilience mappings already required, or whether any inconsistencies will need to be identified and resolved before the regulation comes into force.
These measures will require financial firms to engage in a continuous process of management, detection and systems improvement according to the state of the art to protect their ICT systems and ensure detection of anomalous activities, with appropriate response and recovery including back-up and recovery procedures. Consistent with the Bank of England, PRA and FCA’s operational resilience proposals from late 2019, there will also be a continuous process of learning and improvement. Much of this will be familiar to financial firms already, but the regulation is a comprehensive approach to systems that must nevertheless be mapped onto the existing governance frameworks that at present may be under development or maintained in a different way.
Article 15 enables the ESAs (European Supervisory Authorities) to develop common regulatory technical standards by 17 January 2024 for standardising business continuity policies, plans and testing, as well as to “specify further elements to be included in ICT security policies, procedures, protocols and tools” (see Article 9(2)).
Chapter III – ICT-related incidents (Articles 17 to 23)
Chapter III covers the management, classification and reporting of ICT-related incidents. The regulation requires financial firms to harmonise and streamline their reporting of ICT-related incidents through a management process. There are detailed provisions on the classification of ICT-related incidents to determine the severity of the incident (including reputational, economic, technical and service criticality impacts). Major ICT-related incidents, defined as incidents with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity, must be reported to the competent authority without undue delay. In an earlier version of the draft regulation the initial notification was due no later than the end of the business day or, if the incident took place less than 2 hours before the end of the business day, within 4 hours from the beginning of the next business day. The process then prescribes an intermediate report and a final report “when the root cause analysis has been completed”. Financial entities should also inform their users and clients where the incident has or may have an impact on their financial interests, and include details of all measures taken to mitigate the adverse effects of the incident.
Financial firms may require appropriate supporting processes to be adopted by ICT vendors to provide appropriate information on threats and incidents. Financial entities and ICT vendors will also need to consider their duties in relation to personal data breach and non-personal data breach reporting according to the regulators involved, which may include data protection or sector regulators, e.g. telecommunications.
Chapter IV – Operational Resilience testing (Articles 24 to 27)
Financial firms are required to maintain “a sound and comprehensive digital operational resilience testing programme as an integral part” of their ICT risk management framework. Article 25 sets out a non-exhaustive list of the “full range of appropriate tests” required, including vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing (Article 25(1)).
Advanced testing is required every three years by means of threat-led penetration testing (TLPT) on live production systems supporting at least the critical functions and services of the financial entity. Article 26(2) specifically provides that “where ICT third-party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers”. Only those financial entities identified by competent authorities (based on criteria in the regulation and further developed by the ESAs) as significant and cyber mature will be required to conduct advanced testing based on TLPT.
The risk management framework will need to be periodically tested for the preparedness and identification of weaknesses, deficiencies or gaps, as well as the implementation of corrective measures. Again, these measures can be proportionate according to the nature of the business and risk profiles.
Chapter V Section I – managing of third-party ICT risk (Articles 28 to 30)
This part of the regulation sets out principle-based rules for financial entities to monitor risks arising through their ICT third-party supply chain, and specific contractual requirements that are necessary to ensure management of third-party risk. Importantly, the regulation will harmonise the minimum contractual aspects deemed critical to enable complete monitoring by the financial entity of ICT third-party risk throughout the conclusion, performance, termination and post-contractual stages of the relationship with the ICT vendor.
The EU believes that it is necessary to establish an appropriate Union oversight framework for continuous monitoring of the ICT supply chain. However, the regulation stops short of requiring strict caps and limitations to ICT third-party exposures. As such, key legal and commercial issues such as the precise level of financial risk to be accepted by ICT third-party service providers has not been regulated, with a view to what the regulation describes as striking a fair balance between the imperative of preserving contractual freedom, and of guaranteeing financial stability to the sector.
The regulators have identified that the complexity of contractual arrangements is increasing, and in particular that financial entities often encounter difficulties in negotiating contractual terms tailored to the prudential standards or other regulatory requirements they are subject to, or in enforcing specific rights such as access or audit rights even where these are enshrined in agreements (Recital 28). The specific concern raised was that many contracts do not provide sufficient safeguards to allow fully-fledged monitoring of the subcontracting process, and this was indeed an issue highlighted in the UK by the PRA and FCA in the TSB case. On this basis, there are specific contractual requirements set out in Articles 28 to 30 for managing third-party risk. As noted above, these provisions can be applied proportionately, but must be fully complied with. Many of them will be familiar from the EBA’s outsourcing guidelines, and the language unsurprisingly maps quite closely, though less closely than in earlier versions of the draft regulation. However, in this case the provisions do not apply only to outsourcing but to all ICT third-party vendors, and this could result in a significant amount of repapering of current agreements.
Before entering into a contractual arrangement, the entity must comply with the following:
- assess whether the contractual arrangement covers a critical or important function;
- assess if the supervisory conditions for contracting are met;
- identify and assess all the relevant risks in relation to the contractual arrangement, including the possibility that it may reinforce ICT concentration risks;
- undertake all due diligence on the prospective providers and ensure that they are suitable; and
- identify and assess any conflicts of interest.
Financial entities must only enter into contractual arrangements with ICT third-party service providers that comply with “appropriate information security standards”.
The detailed requirements also include specific termination rights (Article 28(7)) and therefore assume a far more dynamic relationship with the vendor than may hitherto have existed. In particular, a breach or failure by an ICT third-party service provider could well trigger termination, or require the entity to consider triggering it. It is not clear whether financial entities will require a vendor to report breaches of contract arising in separate services provided to other customers, or whether reputational risk alone, caused by the failure of such a separate service, could be sufficient to entitle the entity to terminate.
Of particular note to the UK, as a third country, is that where the contractual arrangement provides that an ICT third-party service provider may further subcontract a critical or important function to other providers, the risks and benefits of using third countries must be considered. Where the arrangements are concluded with an ICT third-party service provider established in a third country, a financial entity must in addition consider at least:
- insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy (for example, in the UK, there are regulations which may apply under the Utilities Regulations); and
- any constraints that may exist practically to ensure the urgent recovering of data.
The regulation will also need a detailed review by financial firms to assess whether other provisions of the regulation will also need to be flowed down to third- and fourth-party subcontractors and beyond. In particular, there may be obligations for further audits and for practical assistance in understanding the financial firm’s risk profile, which could significantly add to administration costs and could well require increased fees to cover monitoring and the provision of information.
Further, the provision of sensitive information about future technology changes and innovation could become part of the discussions with customers, and enhanced confidentiality may be required in this regard. At the very least, the systems used by the financial firm must be state of the art, and vendors will inevitably be required to collaborate on technological development and to share information about the performance of systems that may interoperate with those provided by other vendors.
Chapter V Section II – oversight framework of critical ICT third-party service providers (Articles 31 to 44)
An important part of the regulation will be the oversight of certain critical ICT third-party service providers. These have not yet been designated but will comprise a very limited number of most likely well-known vendors.
The regulation provides for a detailed oversight framework including an oversight forum which will, on a yearly basis, undertake a collective assessment of the results of all oversight activities and appropriate benchmarking.
Critical providers will be required to assist overseers in understanding the systemic impact of their services on the financial services sector, in identifying and managing concentration risks, and in assessing substitutability between services. The Lead Overseer’s remit is broad, covering service and data integrity, physical security, risk management processes, governance, reporting, testing, audit, and use of applicable international and national standards (Article 30(2)).
Article 31 provides that the Lead Overseer designated for each critical ICT third-party provider will have significant powers.
The critical ICT third-party provider can be fined for failing to comply by way of a daily periodic penalty payment, for up to 6 months following the Lead Overseer’s notification, at 1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year. Clearly, to the extent that a subcontractor of a critical ICT third-party provider is responsible for the failure, these administrative penalties could be relevant in determining the measure of the critical provider’s loss.
Chapter VI – information-sharing arrangements (Article 45)
Finally, the regulation contains information-sharing arrangements that will allow financial entities to exchange cyber threat information and intelligence among themselves, in order to improve the resilience of the sector generally. There are no express provisions requiring ICT vendors to share information and intelligence, but financial firms may seek to obtain this information, including by engaging specific services from ICT vendors.
Conclusion
The regulation will affect financial firms in their dealings with ICT third-party providers. While the contractual provisions are relatively clear in terms of the basic list, further provisions will have to be considered, as well as more general assistance obligations, to enable financial firms to comply with all of the requirements of the regulation. This will result in an increased level of scrutiny of, and communication with, ICT third-party providers. As such, the full implications of the regulation will have to be worked through in detail by each firm according to its own risk profile.
Perhaps of more pressing concern for financial firms is the requirement for a comprehensive risk management framework. While the framework can be adopted in a proportionate manner, firms will have to undertake detailed mapping against their operational resilience plans and the critical economic functions identified as part of that planning. It is clear that this will require significant resourcing, and an understanding of the state of the art in cyber technology as it relates to the financial sector.
The regulation is anticipated to come into force in early 2025, so there is time to prepare. As well as developing or reviewing governance processes, firms should note that many contracts currently being negotiated will run at least into 2025, so the relevant provisions should be considered as early as possible.
[1]The regulation can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&from=EN
[2] The definition of ICT third-party providers excludes providers of hardware components and “undertakings authorised under Union law which provide electronic communication services as defined in point (4) of Article 2 of Directive (EU) 2018/1972 of the European Parliament and of the Council.” This comprises (a) ‘internet access service’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120; (b) interpersonal communications service; and (c) services consisting wholly or mainly in the conveyance of signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting.
[3] FCA Discussion Paper DP3/22 “Operational Resilience: Critical Third Parties to the UK Financial Sector” March 2022.