
DORA Regulation – an ICT service provider's perspective.

Published on 21st Feb 2025

DORA stands for Digital Operational Resilience Act and refers to Regulation 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

The Act applies from 17 January 2025 and is a milestone in the digital operational resilience regulations for both financial institutions and their ICT service providers. In this piece we'll focus on the perspective of the ICT service providers.


What is DORA?

The Regulation has been enacted in response to the increasingly sophisticated cyber security challenges that the financial sector is facing. DORA significantly changes the ICT regulatory landscape in the financial sector, as it replaces many of the existing legal and regulatory requirements, at both EU and Member State level. DORA puts it all together in one piece, harmonising the framework across EU jurisdictions and empowering supervisory authorities with new competences over third-party ICT service providers.

DORA is a comprehensive legal framework for ICT risk management. It covers the following main areas:

  • ICT risk management,
  • ICT incident management,
  • Digital operational resilience testing,
  • Management of third-party ICT service providers,
  • Exchange of information on cyber threats and vulnerabilities,
  • Oversight of critical third-party ICT service providers.

Who is a third-party ICT service provider under DORA?

DORA applies to a wide range of financial institutions - banks, insurers and payment institutions, to name a few. What's new is that DORA is also directed at third-party ICT service providers.

A third-party ICT service provider under DORA is an undertaking that provides "ICT services". That doesn't say much, unless we take a look at the definition of "ICT services" which covers "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services".

From a practical point of view these definitions are intended to cover most common ICT-related services, such as software licensing, ICT project management, ICT development, ICT help desk and ICT incident management, ICT security management services, data provision and analysis, and various types of hosting and data storage services including cloud services (IaaS, PaaS, SaaS)[1]. That means most of the IT providers supporting financial entities will fall under this category. Most does not mean all. Some ICT services may not be subject to DORA, even if they explicitly fit the definition of an 'ICT service'. This, however, requires a case-by-case analysis.

Impact on the third-party ICT service providers

Understanding how DORA affects ICT providers' business is easier once we consider the customer's perspective. Under DORA, ICT-related risks become an essential part of the risk management systems of financial entities. Banks and others need to rearrange their ICT governance framework to meet the new requirements. This includes not only preparing and updating internal procedures but also reviewing and amending ICT contracts with third-party ICT service providers.

Until now, legal requirements for ICT contracts not qualified as "outsourcing" have been limited. Under DORA, more ICT service agreements are subject to special requirements.

To give some examples, such agreements need to describe SLAs, an exit plan and robust audit rights for the financial entity and its regulator. A basic set of requirements (see Art. 30.2 of DORA) applies to agreements covering ICT services supporting functions other than critical or important ones. Additional requirements (see Art. 30.3 of DORA) apply to contracts for ICT services supporting critical or important functions.

Financial entities and ICT providers may interpret the requirements differently. We see many controversies, especially around the contractual wording on managing subcontractors, audit rights and ICT incident handling. Commercial terms are increasingly becoming a topic of debate, as higher compliance standards also mean higher risk for the ICT providers.

Given the above, as a third-party ICT service provider you should know that:

  1. Your financial sector clients have higher expectations on ICT compliance.
  2. More of your services are covered by ICT regulations (not only those qualified as outsourcing).
  3. Your contractual terms and internal procedures may be audited against DORA compliance.
  4. Your agreements need to be supplemented with clauses satisfying DORA requirements.
  5. If you meet certain criteria, you may be designated a critical provider and become directly supervised by the financial sector regulatory bodies.

Special rules for special players – critical ICT service providers

As the financial services sector becomes more and more tech-dependent, the EU decided to impose enhanced regulatory control over third-party ICT service providers. For this purpose, a category of "critical third-party ICT service providers" has been introduced. It refers to those ICT providers which play a significant role in maintaining the operations and security of the EU's financial sector. It shouldn't be confused with the commonly used shorthand "critical provider", which refers to providers of ICT services supporting a critical or important function.

A critical third-party ICT service provider under DORA is one which meets the following criteria[1]:

  • systemic impact on the stability, continuity or quality of the provision of financial services in the event of a provider's large-scale operational failure,
  • systemic character or importance of the financial entities that rely on the provider,
  • reliance of financial entities on the services provided by the provider in relation to critical or important functions of financial entities that ultimately involve the same provider, directly or indirectly, through subcontracting arrangements,
  • degree of substitutability of the provider, considering among others the lack of real alternatives and difficulties in relation to migrating the data and workloads to another provider.

The decision on which provider is considered a critical third-party ICT service provider will be the outcome of a special procedure and will be made by a Joint Committee consisting of the European Supervisory Authorities appointed as so-called Lead Overseers (i.e. EBA, ESMA and EIOPA). One may expect that the regulators will pay special attention to providers of network infrastructure, cloud computing, core financial services software, data analytics and data centres.

What are the critical ICT service providers' obligations?

The Lead Overseer will assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities. Based on the assessment, the Lead Overseer will adopt an individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider. What is more, the Lead Overseer will have the right to impose periodic monetary penalties to stimulate DORA compliance and even (in certain cases) require financial entities to temporarily suspend the use or implementation of a service provided by a critical ICT service provider.

OC Comments

Both financial institutions and ICT service providers need to consider the impact of DORA on their organisations. A gap analysis is a good starting point that allows an organisation to assess how much work lies ahead. Being compliant with DORA requires an understanding of both legal and ICT-related matters. DORA implements a "risk-based approach", which allows the regulation to be technology-neutral but leaves significant space for interpretation. Being "compliant" with DORA heavily depends on how specific requirements are understood and proportionately addressed in the organisation. A team of lawyers and engineers working hand in hand is the solution to these challenges.

At OC we comprehensively guide clients through the process of achieving compliance with DORA:

  • training of teams and management,
  • analysis of compliance with the new requirements (gap analysis),
  • adaptation to the new regulation (preparing set of strategies, policies, procedures, tools),
  • support in ICT risk assessment,
  • preparation of contractual terms, defence lines, support in negotiations.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
