The use of information and communication technology systems within the financial services sector is now ubiquitous, with critical core business operations such as payments, securities clearing and settlement activities, electronic trading, credit rating, claim management and funding increasingly being digitised. Digitalisation has also deepened interconnections and dependencies within the sector, and with third party infrastructure and service providers.
Whilst undoubtedly beneficial to the functioning of the sector's operations, this high level of interconnectedness also creates a systemic vulnerability. Previously localised cyber incidents now have the potential to affect a far greater number and range of organisations than was previously the case, spreading through connected networks which are not constrained by geographical boundaries.
Whilst the financial services sector as a whole has stayed ahead of the curve in implementing processes and solutions to help mitigate the risks presented by cyber-attacks, recent escalation of the threat landscape (including the vastly increased sophistication of malicious actors, as well as broader geo-political factors) has demonstrated that further, and faster, work is required to shore up the sector's defences. In Europe, although the sector is governed by existing systems of financial supervision, provisions on tackling digital operational resilience and IT security have not, until now, been fully or consistently harmonised.
In keeping with a more general approach being taken by regulators globally to focus on the security of their critical infrastructure assets, the European Union ("EU") has in recent years adopted a strong focus on developing a framework to bolster the resilience of financial systems operating within their territories. The culmination of this effort was the approval by the European Parliament in December 2022 of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA"), which looks to harmonise approaches on tackling digital operational resilience and IT security. DORA has a two year implementation period, and will apply from 17 January 2025.
Flowing from the EU's aim to harmonise approaches across the sector as a whole, DORA seeks to cover the vast majority of the financial services ecosystem and, therefore, applies to a broad spectrum of market participants. Article 2(1) of DORA sets out the exhaustive list of covered entities, which include amongst others, payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
One of the more interesting inclusions in the list of covered entities in Article 2(1) is "ICT third-party service providers". These are defined very broadly in Article 3 of DORA as "undertakings providing ICT services", which are themselves defined broadly as "digital and data services provided through ICT systems". In the financial services context, this could pick up providers of cloud computing services, software, data analytics services and data centre services, as well as providers of payment processing activities and those operating payment infrastructures (save for central banks operating payment or securities settlement systems).
Importantly, however, ICT third-party service providers are not classified as "financial entities" under Article 2(2) of DORA, with the effect that certain of the obligations under DORA will not apply to those organisations – including the requirements relating to risk management, incident classification and reporting, digital operational resilience testing, information and intelligence sharing regarding cyber threats and vulnerabilities and measures for the sound management of ICT third party risk.
Notably, Article 2(3) of DORA excludes a (small) number of institutions from the scope of the regulation, including certain types of insurance and reinsurance undertakings, institutions for occupational retirement provision, intermediaries who are SMEs and post office giro institutions. Firms will need to look at the detailed text of the regulation to assess whether or not they are within scope.
Given the breadth of coverage of DORA, a significant number of firms and their IT suppliers will have to get to grips with the new regulation, which will demand more resilient financial technology than ever before. Firms will need to assess their technology providers' performance closely and may even need to revisit the terms of those relationships in some circumstances. Providers may need to improve their infrastructure and performance to stay in the market. Some providers will be directly regulated for the first time.
Whilst the implementation period may seem lengthy, the steps organisations will need to take to comply from day one are considerable and will consume a significant amount of management time and operational resource to effect. As such, it is important that firms caught by DORA are taking steps now (if they aren’t already) to make necessary changes, which could involve designing and implementing new policies, making changes to their infrastructure, operations and processes and reviewing their arrangements with third party ICT providers (including renegotiating terms), amongst other things. Firms may also need consulting, technology solutions, legal and regulatory advice. As we move towards January 2025, firms which delay planning and implementing change may find it difficult to meet the deadlines.
We expect that mature firms, particularly in banking, will already be complying with many of the requirements imposed by DORA, as this is just the latest round of regulatory requirements they have had to implement in the last decade. For insurers and securities firms, there may be more work to do; and a wide range of market segments, such as data providers, are regulated for the first time. But regardless of their operations, all firms will need to conduct their own "gap" analysis to assess where their shortcomings are and take the necessary steps to address them.
DORA does not only apply to the activities of European firms and ICT third-party service providers. Firms based in the UK and other international territories may be subject to DORA if they operate in EU markets (for example, through locally incorporated group entities). Likewise, ICT third-party service providers become subject to the DORA requirements once they enter into contractual arrangements with firms covered by DORA. ICT third-party service providers established outside of the EU that have been designated as "critical" under DORA will be required to establish a subsidiary in the EU within 12 months of their "critical" designation in order to continue to provide services to firms in the EU.
As noted above, one of the primary aims of DORA is to achieve a "high common level of digital operational resilience" within the EU. In doing so, it will apply a common standard in place of the current patchwork of standards from the European Banking Authority ("EBA"), European Securities and Markets Authority ("ESMA") and European Insurance and Occupational Pensions Authority ("EIOPA"). DORA lays down uniform requirements concerning the resilience of network and information systems supporting the business processes of firms.
It is neatly separated into different chapters covering various topics, which include:
- ICT risk management;
- ICT-related incident management, classification and reporting;
- Digital operational resilience testing;
- Managing ICT third-party risk; and
- Information and intelligence sharing.
Proportionality is a theme that is pervasive throughout DORA (and much other European legislation), and it will be important for firms to ensure that they are clear on which rules are absolute, and which can be implemented having regard to the principle of proportionality. Unfortunately there is no clear-cut definition of what would be proportionate in a given context – this will come down to a case-by-case analysis, and will require firms to engage with the requirements that are subject to the proportionality principle to assess the steps they should take having regard to their "size and overall risk profile and to the nature, scale and complexity of their services, activities and operations".
In the context of monitoring risks emerging at the level of ICT third-party service providers, for example, Recital 64 provides that, in applying a proportionate approach to such monitoring, firms should consider the nature, scale, complexity and importance of their ICT-related dependencies and the criticality or importance of the relevant services, processes or functions, and perform a careful assessment of any potential impact on the continuity and quality of the firm's services. This will require firms to perform a detailed analysis of each of their ICT vendors to understand how the relevant services support their operations, and the potential consequences (in particular for end-customers) if there are service delivery or performance issues.
Regulatory technical standards
To operationalise the application of DORA, the EBA, ESMA and EIOPA (together, the "European Supervisory Authorities") are mandated to jointly prepare a set of "policy products", which include regulatory technical standards, on various matters. The policy products will be delivered in two batches, the first batch by a deadline of 17 January 2024 and the second by 17 June 2024. The European Supervisory Authorities published the first batch of regulatory technical standards on 19 June 2023 for consultation.
Interaction with the NIS 2 Directive
As part of the broader cross-sectoral focus on shoring up operational resilience in critical infrastructure operations, in November 2022 the Council of the European Union formally adopted the Directive on measures for a high common level of cybersecurity across the Union (the "NIS 2 Directive"). The NIS 2 Directive imposes a wide range of cyber security obligations on organisations operating in 16 key industry sectors, two of which are the "Banking Sector" (i.e. credit institutions referred to in point (1) of Article 4 of Regulation (EU) No 575/2013) and "Financial Market Infrastructures" (i.e. operators of trading venues referred to in point (24) of Article 4 of Directive 2014/65/EU, and central counterparties (CCPs) referred to in point (1) of Article 2 of Regulation (EU) No 648/2012).
However, in acknowledgement of the fact that the NIS 2 Directive applies generally across industry, and that sector-specific regulations are required to effectively counter the threat in certain key sectors, DORA is classified as "lex specialis" with regard to NIS 2 – which means in practice that, where DORA and NIS 2 cover the same subject matter, organisations covered by both will be required to look to the provisions in DORA rather than those in NIS 2.
Note that this does not mean that financial services institutions covered by NIS 2 will be able to disregard that legislation entirely. As Recital 18 to DORA states clearly, those entities "should remain part of the ecosystem" of NIS 2, e.g. through Cooperation Group and CSIRT teams.
For more information on the NIS Directive, please see our article published here.
Fieldfisher is a European law firm with market-leading practices in many of the world’s most dynamic sectors. It is an exciting, forward-thinking organisation, with established sector expertise in technology, financial services, energy & natural resources and life sciences.
We have decades of experience supporting financial sector firms and their suppliers, including advising on the regulatory impacts of rolling out new technologies and cross-border work.
We understand that financial firms are technology-driven, highly regulated and are under unique pressures to innovate, respond to cost pressures and meet the highest standards for performance.
Our team is here to help. We offer deep expertise in implementing financial technology platforms and new products in areas as diverse as share and bond dealing, back office systems and Fintech. We also support a wide range of traditional outsourcings, cloud and SaaS contracting and technology consulting. As well as contractual support, we regularly work with clients on their internal risk assessments and communications with the regulators on new projects.
We focus on delivering pragmatic solutions to the legal, operational and regulatory challenges of technology implementations in critical financial services environments.
Get in touch
We'll be publishing a series of short articles over the coming months with our thoughts on each of the key topics covered by DORA. Look out for the first of these articles, which will be published in coming days.
If you would like to speak to a member of the financial services and payments team, please get in touch with Jonathan Rehbein (firstname.lastname@example.org) to arrange a free 30 minute consultation.