Authors: Rowan Armstrong, partner, Duncan McMeekin, legal director, and Carmen Safavi, associate, at Browne Jacobson

Studying this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD, and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD.

The financial sector has become increasingly reliant on information and communications technology (ICT), to the point that it is now critical to the operation of daily functions. The recent CrowdStrike outage (see AB coverage) demonstrated how important it is for financial entities to manage ICT-related risks. Given the incident and its widespread impact, regulators will have a renewed focus on scrutinising a financial entity’s compliance with the Digital Operational Resilience Act (DORA), which comes into effect on 17 January 2025.

DORA is intended to address ICT-related risks as part of a comprehensive and unified regulatory framework covering the digital operational resilience needs of financial entities and establishing an oversight framework for ICT third-party service providers designated as ‘critical’ (CTPPs).

It is crucial that all financial entities and ICT third-party service providers (ICT TPPs) (including, in both instances, those outside of the EU) urgently consider whether they are within the scope of DORA – and, if so, design a reasonable and proportionate compliance programme to meet the deadline.

Broad scope

Although DORA is an EU regulatory framework, it can have wide applicability to financial entities and ICT TPPs outside of the EU. DORA applies on a direct and indirect basis:

  • Direct – applicable to (a) a wide range of EU financial entities, including banks, insurers, payment providers, electronic money institutions and crypto-asset service providers; and (b) ICT TPPs designated as ‘critical’ by European supervisory authorities (including those based outside of the EU).
  • Indirect – applicable to (a) multinational or global financial services groups with EU operations; and (b) ICT TPPs not designated as ‘critical’ by European supervisory authorities that provide ICT services to EU financial entities.

DORA’s requirements of financial entities are comprehensive and fall into five key pillars: ICT risk management; incident management, classification and reporting; digital operational resilience testing; third-party risk management; and information sharing.

Each pillar has extensive requirements to be implemented by 17 January 2025, but here we’ll just focus on the ICT contract requirements, which fall in the third-party risk management pillar.

CTPPs

Under DORA, financial regulators will oversee and regulate non-financial entities. CTPPs will be subject to an oversight framework by the European supervisory authorities and will have certain requirements directly imposed on them.

Contract remediation

A key aspect of DORA is the requirement for financial entities to include certain contractual provisions in ICT service contracts entered into with ICT TPPs.

DORA prescribes two tiers of contractual provisions to be included in a financial entity’s contracts with ICT TPPs for the provision of ‘ICT services’ – with more extensive contractual provisions for contracts supporting a financial entity’s critical or important functions (including level 2 legislative measures in relation to subcontracting).

Although many of DORA’s contractual requirements should already be contained in a comprehensive ICT contract and are broadly in line with existing financial services regulations – such as the European Banking Authority’s guidelines on outsourcing and the European Securities and Markets Authority guidelines on outsourcing to cloud service providers – DORA does contain ‘new’ requirements.

The scope of contracts to be remediated is also far broader (eg by not being limited to outsourcing arrangements). On this basis, financial entities that have already remediated contracts to comply with other regulations will still need to reassess their contractual arrangements in accordance with DORA.

DORA is also clear that intra-group arrangements (eg between a financial entity in the EU and a group services company in the UK) fall within the scope of the DORA contractual requirements. Financial entities outside of the EU that procure ICT services on behalf of group affiliates in the EU will therefore be required to apply the DORA requirements to the intra-group contracts governing the provision of those services.

The benefits

As evidenced by the recent CrowdStrike outage, being ICT-resilient has significant business and commercial benefits, and will allow financial entities to better mitigate and manage any future ICT-related disruptions.

Non-compliance with DORA can also result in substantial fines for both financial entities and CTPPs. The EU regulators and relevant competent authorities have been given wide enforcement powers, including administrative penalties and remedial measures being imposed by competent authorities on financial entities in accordance with national legal frameworks.

The regulators have reiterated that there will be no formal grace period for compliance, so regulators could impose penalties for non-compliance as early as January 2025.

Practicalities

With the deadline just a few months away, in-scope financial entities that have not yet started a compliance programme will need to quickly consider the extent to which DORA applies to them and the gaps in their compliance with DORA’s requirements under the five key pillars.

From a contractual remediation perspective, financial entities should:

  • identify and map ICT TPPs and contractual arrangements (including intra-group) to each financial entity (categorising those that support critical or important functions)
  • collate existing contracts with ICT TPPs
  • engage with ICT TPPs
  • amend ICT TPP contracts in line with DORA requirements.

ICT TPPs should proactively prepare for financial entities amending existing contractual terms, which may include ICT TPPs issuing their own standard amendment documentation to financial entities.

Contract remediation programmes can often be a time-consuming and resource-intensive exercise (particularly given the reliance on a service provider’s willingness to engage in meaningful negotiations). Financial entities should therefore consider a pragmatic and proportionate approach tailored to their business to achieve compliance in the most efficient way possible.

For example, financial entities may wish to adopt a ‘deemed acceptance’ approach to the contract remediation process (ie issuing a contract addendum on a non-negotiable basis). Also, by engaging with ICT TPPs well in advance of the deadline, financial entities are likely to receive better engagement from ICT TPPs, who will be inundated with similar remediation requests from other financial entities.

Similarly, ICT TPPs should consider taking a proactive approach to DORA’s contractual requirements (eg issuing their own standard amendment documentation). This may allow the ICT TPP to secure more favourable and standardised contractual terms with their financial entity customers.