The Digital Operational Resilience Act (“DORA”) is an EU Regulation that was introduced in response to growing reliance on information and communication technology (“ICT”) systems in the financial sector.

ICT plays a crucial role in facilitating various financial activities, improving internal processes, and enhancing customer experiences. However, this increased reliance on ICT also brings risks and vulnerabilities that could expose financial entities to cyberattacks and incidents, with potentially wider impacts not only on financial entities but also on other companies, sectors and the broader economy.

This article summarises Regulation (EU) 2022/2554 on DORA, and the DORA Directive which aligns certain financial services Directives to the Act.

The key aims of DORA are to harmonise the rules and requirements for financial entities in relation to ICT providers and to have much greater visibility and oversight at EU level of so-called critical ICT providers on whom regulated entities rely.

March 2024 was a timely reminder, particularly for customers of Tesco, Sainsbury’s and McDonald’s, of the impact that technology failures can have on everyday processes. While technology failures in sectors like retail might lead to inconvenience and a temporary loss of sales, in the financial sector the stakes are much higher. The potential for significant financial loss, regulatory penalties, erosion of trust, and systemic risk highlights the importance of robust technology infrastructure and effective risk management practices in financial institutions.

What is digital operational resilience?

Digital operational resilience is defined in DORA as:

"the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including through disruptions".

What is the current status?

Both DORA and the DORA Directive entered into force on 16 January 2023, 20 days following their publication in the Official Journal of the European Union. Being a Regulation, DORA will apply directly in EU Member States from 17 January 2025 and EU Member States will be required to implement the DORA Directive from the same date.

What are the new rules?

There are three main types of rules:

  • Harmonisation of the requirements across the EU - DORA aims to harmonise rules relating to operational resilience across the EU and across 21 different types of financial entities. It covers key areas such as ICT risk management, incident management and reporting, resilience testing of ICT systems, and the management of third-party ICT risks.
  • Much greater visibility of providers across the EU - DORA introduces a framework for overseeing systemic and concentration risks arising from financial entities’ reliance on ICT third-party service providers (“TPPs”).
  • A framework for overseeing critical third parties - DORA establishes an EU-level oversight framework to ensure proper management of ICT risks posed by so-called critical TPPs (“CTPPs”) to financial entities.

Who does it apply to?

DORA has implications for three key types of entities:

  • A wide range of financial institutions in the EU – The institutions concerned are listed in full in Article 2 and collectively referred to as “financial entities”. Subject to the exclusions in Article 2(3) and 2(4), these financial institutions include credit institutions, payment institutions, e-money institutions, investment firms, cryptoasset service providers, central securities depositories, account information service providers, managers of alternative investment funds, UCITS management companies, data reporting service providers, administrators of critical benchmarks and TPPs. Definitions of such entities are set out in Article 3.
  • TPPs to financial institutions in the EU - Whilst much of the focus of DORA has been on the requirements on financial entities and on the assessment and implications of being categorised as “critical” (see below), DORA also introduces requirements impacting all TPPs to financial entities in the EU. In summary, these require that key contractual requirements and provisions be included, for example in relation to initial due diligence, audit rights, minimum security standards, cooperation with competent authorities, and termination rights. Consistent with most of DORA, this should be carried out on a proportionate basis depending on the nature, scale and complexity of the services.
  • CTPPs (whether or not in the EU) - In addition to the requirements imposed on financial entities and indirect implications for TPPs, DORA also introduces enhanced requirements for managing ICT third-party risk in relation to CTPPs and an oversight framework whether or not the CTPP is in the EU. The background to the assessment of being designated a CTPP references the prevention of “endangering the financial stability and integrity of the Union”, so it does seem likely that a determination of criticality will impact a relatively small number of overall providers whose services, or failures, have the largest potential impact.

The requirements for CTPPs include new contractual requirements, being overseen by a “Lead Overseer” (one of the European Supervisory Authorities (“ESAs”)), and being subject to an oversight framework. Furthermore, any “critical” third parties outwith the EU must effectively incorporate a subsidiary within the EU within 12 months of being categorised in order to continue to provide their services to financial entities. DORA also provides for periodic penalty payments to be applied by the Lead Overseer for non-compliance with its powers in relation to CTPPs of up to 1% of the average daily worldwide turnover of the CTPP in the preceding year.

It is also important to consider DORA from a corporate group perspective. If one or more entities in the group are regulated in the EU, then those entities may be subject to DORA, and this may in turn have wider implications for the group as a whole.

Who decides which third parties are critical?

Ultimately, the ESAs will determine whether or not a TPP is critical for financial entities. They will do so considering factors such as the potential systemic impact of a service provider’s failure, the importance of the financial entities depending on these services, the extent of the financial entities’ reliance on these services for critical functions, and the ease of switching to another provider.

Upon classifying an ICT TPP as critical, the ESAs are obligated, via the Joint Committee, to inform the service provider about their critical status and the commencement date for oversight activities. The TPP is then required to inform the financial institutions they serve of their critical designation.

Certain entities have the option not to be identified as critical unless they choose to be. This category includes financial entities that offer ICT services to other financial entities, providers of ICT services within the same group, and TPPs that cater exclusively to financial entities operating within a single Member State.

Significantly for non-EU providers, financial institutions may only engage with CTPPs from outside the EU if these providers have established an EU-based subsidiary within 12 months after their critical status designation.

On 29 September 2023, the ESAs published technical advice in response to the European Commission’s request for further criteria, which contains details of the quantitative and qualitative criteria. This should be a helpful starting point for third parties to consider their role, and whether they are likely to meet the criticality criteria.

What else is anticipated prior to the implementation date?

It is important to monitor DORA closely as it approaches the implementation date. Various supporting documents, such as delegated acts, feedback on consultations, and technical standards, are currently in preparation to flesh out the framework. In February 2024, the Commission took a significant step by adopting two delegated regulations that detail the process for identifying critical ICT third-party service providers to the financial sector and establish the methodology for calculating the oversight fees these providers will incur, including payment methods.

Next, the Council and the European Parliament will review these Delegated Regulations. Should there be no opposition, these regulations are set to be published in the Official Journal and then enter into force.

What's happening in the UK?

As mentioned above, DORA has implications for CTPPs regardless of whether they are operating in the EU. In addition, the Financial Services and Markets Act 2023 gives the Treasury and the regulators (FCA, PRA, BoE) broad powers regarding critical third parties, allowing them to impose duties, issue directions, gather information and take enforcement action.

On 7 December 2023, the UK’s regulatory authorities issued CP26/23 – Operational resilience: Critical third-parties to the UK financial sector which sets the stage for a future UK regulatory framework akin to DORA in the EU. Responses to the consultation paper were due by 15 March 2024. Our Financial Services Regulatory team will monitor developments closely. If you’d like to discuss the implications of DORA or any other regulatory issues, please get in touch.