With the Digital Operational Resilience Act (DORA), the European Union has established a new, unified regulatory framework designed to bolster the digital resilience of financial institutions across Europe. Given the increasing reliance of the financial sector on information and communication technologies (ICT) and the involvement of third-party providers, such regulation at the EU level is essential to mitigate risks associated with IT security and cyberattacks. The regulation came into effect on January 16, 2023, and will become binding on January 17, 2025. Consequently, the financial sector and supporting IT companies must prepare accordingly. Below is a brief overview for those affected.
Why DORA Represents a Paradigm Shift
For the first time, DORA regulates ICT third-party service providers deemed critical, such as major cloud service providers. This approach marks a paradigm shift in IT supervision, intensifying the compliance requirements within the financial industry. Particularly in the areas of ICT risk management, reporting of ICT incidents, and control of risks arising from third-party providers, DORA establishes clear guidelines.
It is important to note that the new regulatory requirements do not replace all existing outsourcing requirements. Rather, they introduce a new perspective on ICT third-party providers. Existing outsourcing agreements may need to be reviewed to determine if contractual updates are necessary.
Digital Operational Resilience
DORA aims to ensure a high level of digital operational resilience. This means that financial institutions must be able to maintain the integrity and reliability of their IT-based operational processes, even when relying on third-party services. Through proactive measures, financial institutions should become resilient against all types of ICT-related disruptions and threats, thereby safeguarding their IT operations in the long term.
Who is Affected by DORA?
DORA affects not only financial institutions but also ICT third-party service providers that have contractual relationships with these institutions (Art 2 Sec 1 DORA).
The definition of ICT third-party service providers (Art 3 No 21 DORA) includes companies that provide digital and data services to one or more users on a continuous basis through ICT systems. Thus, the regulation also applies to cloud service providers, software vendors, data analytics services, and data centers. FinTech companies are notably impacted by the regulation.
Financial institutions must include specific contractual provisions in their agreements with such ICT third-party providers.
Core Areas
Essentially, the regulation encompasses the following four key areas:
- ICT Risk Management (Art. 5 – 16 DORA):
Financial institutions are required to maintain an internal governance and ICT risk management framework to ensure proper risk management.
- Handling ICT-Related Incidents (Art. 17 – 23 DORA):
The regulation specifies how to handle, classify, and report ICT-related incidents. According to Art. 19 DORA, financial institutions must report significant ICT-related incidents to the relevant authority.
- Testing Digital Operational Resilience (Art. 24 – 27 DORA):
Financial institutions are also required to conduct tests to verify digital operational resilience. These tests aim to identify weaknesses, gaps, and deficiencies in digital operational resilience and to initiate necessary corrective measures (Art. 24 Sec. 1 DORA).
- Management of ICT Third-Party Risk (Art. 28 – 44 DORA):
DORA also addresses the risks that arise for financial institutions from the use of external ICT service providers. Key principles include the development of a strategy for assessing and controlling ICT third-party risks (Art. 28 Sec. 2 DORA). Furthermore, companies must maintain an up-to-date information register documenting all contractual relationships with ICT third-party providers (Art. 28 Sec. 3 DORA). These contracts must also meet specific minimum requirements as stipulated in Art. 30 DORA.
Conclusion
The regulation represents a significant step towards securing the digital infrastructure within the financial sector. Companies that take early steps to implement DORA’s requirements can not only minimize regulatory risks but also significantly enhance their own security posture.
Existing contracts with IT service providers may need to be adjusted to comply with the new regulatory requirements. Our team offers comprehensive advisory services for the implementation of DORA for financial institutions and IT service providers.
Do You Have Further Questions About the Digital Operational Resilience Act?
Do you have further questions on this topic or wish to seek legal advice in other areas of commercial law? As attorneys, we specialize in this and other legal fields. Feel free to contact our law firm at office@geuer.at or by phone at +43-1-4380072. We look forward to your inquiry.