Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”) contains a number of requirements for ICT service providers, which will become binding on January 17, 2025. Therefore, 2024 will be a year of intensive work on the part of service providers to ensure compliance with the new, demanding regulation.
Will DORA benefit ICT providers?
DORA regulations do not appear in a vacuum. The approach to the risk related to outsourcing in the financial sector is regulated at the EU level by soft law, for example by EBA Guidelines on outsourcing arrangements no. EBA/GL/2019/02 of February 25, 2019. Moreover, Member States provide for local regulations in this area.
Across the European Union, the approach to cyber-security and outsourcing in the financial sector was fragmented. This clearly resulted in obstacles to the functioning of the EU internal market and hindered the cross-border provision of services to the financial sector by ICT service providers.
Thus, there was huge regulatory inconsistency - often not only at the level of local regulations of Member States, but also at the level of different branches within the financial sector of one Member State.
As an example, Polish legislation regulates ICT outsourcing differently for banking activities than for brokerage or insurance activities. In each case, the obligations of an ICT service provider are determined by the law regulating the given branch and its related activity; as a result, providers' obligations are not harmonised and the regulations are sometimes difficult to apply simultaneously. The problem arises, for instance, when a single agreement for the provision of ICT services falls under the regime of several different outsourcing laws at once.
One of the aims of DORA is to deal with this type of inconsistency and to ensure uniform and consistent ICT risk management both at the local level and across borders. From the perspective of ICT service providers, especially those operating in different EU countries, it will facilitate their business.
Alignment with the DORA requirements will allow a minimum security standard to be met in each Member State, fully understood by any EU financial institution. This will certainly increase the attractiveness of local ICT providers on the markets of other Member States.
How does DORA regulate the obligations of ICT providers?
DORA regulates the obligations of ICT providers in two ways - directly and indirectly.
Direct impact of DORA regulations involves placing ICT service providers under the direct supervision of regulatory authorities. This may occur when the regulators classify the ICT service provider as a critical ICT third-party service provider.
Indirect impact of DORA regulations, on the other hand, imposes an obligation on financial entities (not directly on the ICT provider) to introduce an adequate policy towards ICT third-party service providers and to undertake certain activities towards them (e.g. auditing, monitoring, verification of the ICT provider) as well as to include in contracts with ICT service providers certain provisions (providers' obligations/financial entities' rights) required by DORA (e.g. exit plan, grounds for termination or guaranteed service levels).
In the first of the above-mentioned cases (direct impact), the ICT provider will be subject to the supervision of the regulator. This implies, among other things, additional obligations, including information obligations, the need to pay a supervision fee, being audited by the supervisory authority (together with the obligation to implement its recommendations), and being subject to possible sanctions, including financial penalties.
In the second case, where DORA affects the ICT provider indirectly, the final scope of obligations will result from the assumptions made in the financial entity's internal policies on how the requirements from DORA will be implemented and from the content of the relevant agreement between the ICT service provider and the financial entity.
It will be mandatory for such an agreement to include, among others, such obligations of the ICT service provider as:
- an obligation to support the financial entity, at no additional charge or at a charge determined ex ante, in the event of an ICT-related incident;
- conditions for the participation of ICT third-party service providers in ICT security awareness programmes and digital operational resilience training developed by financial entities.
ICT providers' obligations under DORA also depend on whether or not the provider's services support critical or important functions. In contracts covering such functions, DORA requires additional provisions to be included, such as the obligation of third-party ICT service providers to participate in the TLPT (threat-led penetration testing) of the financial entity concerned and to cooperate fully in this regard.
What awaits ICT providers in 2024?
The year 2024 will be a time for financial entities to review their existing contracts with ICT providers.
In accordance with DORA, financial entities may only contract with ICT third-party service providers that comply with appropriate information security standards. If the contract concerns critical or important functions, financial entities shall take due consideration of whether ICT third-party service providers apply the most up-to-date and highest-quality information security standards.
As a consequence, ICT service providers need to prepare for a higher than usual intensity of enquiries and audits by financial entities in the area of information security, including reviews of the cyber-security measures they have implemented.
It will often also be necessary to amend existing contracts and supplement them with the clauses required by DORA. Additional obligations, depending on how they are regulated in the agreement, may result in increased costs for the provision of ICT services.
By Gabriela Kocurek, Attorney-at-Law, KWKR