DORA – When regulated entities additionally qualify as ICT third-party service providers
Background
We can read it everywhere: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) is coming. Except for those few players exempt from DORA, regulated entities in the financial and insurance sectors (Concerned Entities) have to consider which additional requirements DORA imposes on them.
Concerned Entities and information and communication technology (ICT) third-party service providers (ICT TPSP) falling within the scope of DORA have already invested a lot of time and energy in complying with the cloud IT outsourcing requirements. Now they need to make sure they comply with DORA as from 17 January 2025. The Luxembourg law of 1 July 2024 relating to DORA, which enters into force on 17 January 2025, amended several important Luxembourg laws to reflect the application of DORA throughout national law.
DORA aims to achieve a high common level of digital resilience and sets a number of requirements concerning the security of network and information systems supporting the business processes of financial entities.
This requires Concerned Entities and ICT TPSP to verify their entire existing documentation to ensure they have the relevant analysis, assessments, documentation, strategies, and procedures in place relating to, amongst others:
- Governance and control framework ensuring an effective and prudent management of ICT risk
- ICT risk management framework as part of the overall risk management system
- ICT systems, protocols and tools for the purposes of addressing and managing ICT risk
- Identification and documentation of, amongst others, the ICT supported business functions, roles and responsibilities
- Monitoring and controlling the security and functioning of ICT systems and tools
- Detection of anomalous activities, including ICT network performance issues and ICT-related incidents
- Comprehensive ICT business continuity policy
- Backup and restoration and recovery policies
- Information gathering on vulnerabilities and cyber threats, ICT-related incidents and related analysis
- Crisis communication plans and related policies and strategy
- Reporting major ICT-related incidents and voluntary notifications of significant cyber threats
- Digital operational resilience testing
- Contractual provisions, etc.
Classification
When checking the applicability of the respective provisions under DORA, it is important for Concerned Entities to assess the scope of their services and to identify which DORA provisions apply to them. In particular, they should examine whether they need to comply with DORA (i) because of their own status as regulated Concerned Entities within the meaning of article 2 of DORA, and (ii) additionally with the DORA requirements generally imposed on ICT TPSP, which would be the case where they provide, for example, bundled services including tech components to their customers and thereby qualify as ICT TPSP themselves.
This is supported by recital 63 of DORA which states that:
- undertakings that are part of a financial group and provide ICT services to their parent undertaking, subsidiaries or branches of their parent undertaking;
- financial entities providing ICT services to other financial entities;
- participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructures,
should be considered as ICT TPSP.
In line with DORA definitions
DORA defines an ICT TPSP as an undertaking providing ICT services [1], while ICT services are considered as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. This includes hardware as a service and hardware services, which includes providing technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services. [2]
Concerned Entities have to verify whether the tech components of their services fall within this definition of ICT services, which would classify them as ICT TPSP.
Consequences
Concerned Entities that fall within the scope of Article 2 (2) and therefore need to align their documentation with the requirements of DORA would, in addition and in particular, need to adapt the documentation they provide to their customers when acting as ICT TPSP.
For example, Concerned Entities would have to, amongst others, do due diligence on the ICT TPSP used for the provision of their services and verify whether the concerned ICT TPSP complies with appropriate information security standards. They would further have to make sure they comply with article 30 of DORA listing the key contractual provisions to be ensured, including, amongst others:
- the obligation of the ICT TPSP to provide assistance to the Concerned Entities at no additional cost (or at a cost determined ex-ante), when an ICT incident occurs that is related to the ICT service provided to the Concerned Entities;
- the obligation of full cooperation by the ICT TPSP with the competent authorities and the resolution authorities of the Concerned Entities, including persons appointed by them;
- termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
- a clear and complete description of all functions and ICT services to be provided by the ICT TPSP, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts of it, is permitted and, where that is the case, the conditions applying to such subcontracting;
- the locations, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT TPSP to notify the financial entity in advance if it envisages changing such locations, etc.
It should be noted that where Concerned Entities qualify as ICT TPSP themselves, they need to verify their documentation against DORA on two fronts: on the one hand, to ensure compliance in their capacity as Concerned Entities; on the other hand, in their capacity as ICT TPSP, to be able to provide to their customers, as applicable, all the standards, results, proofs, documents and procedures that DORA requires of ICT TPSP.
And where it is critical
It should be noted that, given the increased use of outsourcing arrangements, ICT third-party risk arising at ICT TPSP located in a third country or at critical ICT TPSP needs to be monitored properly throughout the EU; critical ICT TPSP are subject to a dedicated oversight framework in response to the risk they pose to the Union's financial stability and integrity. An ICT TPSP is critical within the meaning of DORA where it is designated as such in accordance with article 31 of DORA.
DORA sets out key principles to guide financial entities in properly managing their ICT third-party risk. These principles are all the more important where ICT TPSP are used to support critical or important functions of the Concerned Entities.
Critical or important functions supported by ICT TPSP require additional contractual provisions to be foreseen in the documentation of Concerned Entities, including, amongst others, on:
- the right to monitor the performance of the ICT TPSP on an ongoing basis, including access and inspection rights, etc.;
- notice and reporting obligations of the ICT TPSP to the Concerned Entities;
- requirement of ICT TPSP to implement and test business continuity plans;
- exit strategies, etc.
Conclusion
It is important that Concerned Entities properly analyse how DORA applies to them and the scope of the services they provide, in order to determine how much they need to modify their documentation to fully comply with DORA. The double qualification as Concerned Entities and ICT TPSP creates heavier compliance requirements that need to be taken into account in advance, so as to have the time to adapt and prepare appropriately ahead of the 17 January 2025 deadline.
This article was originally published in AGEFI Magazine and is reproduced with permission from the publisher.
[1] Article 3 (19) of DORA.
[2] Article 3 (21) of DORA.