Countdown to DORA: our insights and resources on how to best prepare for the entry into force of DORA
The Digital Operational Resilience Act will apply from 17 January 2025, strengthening cybersecurity obligations across the financial sector. Financial entities and service providers alike are racing to update their contractual documentation.
- For financial entities, this is a direct obligation under the regulation, which significantly reinforces the current status quo as DORA covers a much broader range of ICT services.
- For service providers, an update of the documentation - and/or guidance of their clients on how they may be already compliant - has proven a necessity to maintain and further reinforce/strengthen their presence in the financial sector.
Here are our latest analyses and resources to best comply with this regulation.
Practical tips for compliance. Part 1
Did you know that looking at articles 28 and 30 of the DORA and the RTS on contractual arrangements and subcontracting may not be sufficient to ensure compliance?
Here are a few examples of requirements that may be found in other RTS that could indirectly impact contracts without setting a mandatory requirement for contractual provisions:
- RTS on Risk management Tools: Financial entities must request from ICT Service Providers to investigate the relevant vulnerabilities, determine root causes and implement appropriate mitigating actions.
- RTS on Risk management Tools: Where appropriate, financial entities are expected to collaborate with the ICT Service Providers in the monitoring of the version and possible updates of third-party libraries.
- RTS on Register of Information: Given that the register of information must be kept up to date, ICT Service Provider may be requested to provide information throughout the duration of the contract.
- RTS on content of the notification and reports for major incidents and significant cyber threats: To ensure that they comply with notification obligations, financial entities are likely to further specify the collaboration requirements mentioned in article 30 to require more specific deadlines and information from ICT service providers with regards to incident management.
Practical tips for compliance. Part 2
The Europeans Supervisory Authorities (EBA, EIOPA and ESMA) announced their timeline to collect information for the designation of Critical ICT Service Providers under DORA. Announcement is available here.
This presents an opportunity to recall who they are and what this means.
Who are the Critical ICT Service Providers ? They have a systemic impact on the stability, continuity or quality of the provision of financial services.
How are they designated? ESAs will designate the Critical ICT Service Providers based on the criteria defined in the Commission Delegated Regulation 2024/1502 (RTS)
What are the consequences? Critical ICT Service Providers will be subject to oversight by financial services supervisory authorities and will have to pay oversight fees.
What is new?
To determine which providers are critical, ESAs indicate that they will use the registers of information provided by financial institutions. Following this 15 November announcement, national authorities will have to submit these registers before 30 April 2025. This is despite the fact that the RTS relating to the register of information have not yet been adopted following their rejection by the European Commission based on the principle of proportionality and requiring an update by the ESAs.
As a result, these registers are likely to be an early focus of enforcement for national authorities, and institutions should be ready to make them available shortly after the entry in application on 17 January 2025.
Regulatory landscape
DORA is accompanied by implementation texts interpreting many of its provisions. The three European Supervisory Authorities (ESAs) - the European Insurance and Occupational Pensions Authority, the European Banking Authority and the European Securities and Markets Authority - are mandated jointly to develop certain technical standards and guidelines relating to ICT risk management, monitoring of ICT third-party risk, testing, and incident reporting. The ESAs were required to develop 12 policy instruments, to be delivered to the European Commission in two batches: the first batch by 17 January 2024 and the second batch by 17 July 2024.
We have centralized the state of adoption of these documents in the table below (last update 14 November 2024).
Practical tips for compliance. Part 3
DORA is not a standalone regulation: it includes over a dozen regulatory and implementation technical standards, (RTS and ITS) that will have a direct impact on compliance policies and contractual remediations.
Adopted and entered into force:
- Criteria for Designating Critical ICT Third-Party Providers and Oversight.
- Fees for Critical ICT Third-Party Providers.
- ICT risk management framework and simplified ICT risk management framework.
- Criteria for the classification of major ICT-related incidents and significant cyber threats.
- Contractual arrangements on use of ICT services supporting critical or important functions.
Adopted but Not yet Published nor Entered into Force:
- Reporting of major ICT-related incidents (both RTS and ITS).
- Harmonisation of oversight activities.
Not yet adopted/finalized:
- Subcontracting ICT services supporting critical functions.
- Threat-led penetration testing.
Breaking News. Last Friday, the Implementing Technical Standards (ITS) on register of information have been adopted. They have just been published by EUR-Lex.
Let’s remember the context
The initial draft was rejected by the Commission in September 2024 mainly because of the mandatory requirement for the ICT third-party service providers to be identified solely by a Legal Entity Identifier (LEI). The Commission argued that the companies should have a choice between the use of the LEI and the European Unique Identifier (EUID), an additional identifier which is available free of charge for EU based companies unlike the LEI.
Last updates within the past months
On 15 October 2024, the ESAs issued an opinion indicating that the EUID could add unnecessary complexity and hinder the implementation of the Digital Operational Resilience Act (DORA), potentially increasing maintenance efforts for financial entities and authorities. That being said, in the latest draft submitted to the Commissionn ESAs clarified the proposed framework to prioritize the use of the LEI when both identifiers are available to a financial entity. The EUID would serve as an alternative identifier for ICT third-party service providers established in the EU. The new draft also includes some minor changes.
What’s next?
Registers of information are likely to be an early enforcement point for authorities as they will be a necessary source of information for the designation of Critical ICT Service Providers.