August 13, 2024


    Think back to the recent global IT outage caused by a single software update, and then think DORA: the ‘Digital Operational Resilience Act’, a European Union (“EU”) regulation which will apply from 17 January 2025.

    Join us as we ‘explore a DORA’, as it could apply to you as an IT provider who deals with clients in the financial services sector, even if you are not a ‘critical ICT third-party service provider’ and are based in the UK rather than the EU. That’s because the tentacles of DORA can also reach you through contracts with your financial services clients, and how far they reach depends on the activities of those clients.

    DORA’s objective is to ensure “digital operational resilience”, a phrase defined in the Act, which essentially means the requirement on in-scope financial entities to ensure they can withstand, respond to and recover from all types of Information and Communication Technology (“ICT”) related disruptions and threats, notably cyber-attacks.

    It is not only ICT providers designated as ‘critical’ by the European authorities that will be directly affected by DORA. Providers of cloud computing services, data centres, financial software and financial compliance services (such as AML tools), and indeed any ICT provider contracting with financial services clients, are also likely to be affected.

    ICT ‘players’ should therefore consider the potential impact of DORA on their businesses before January 2025.

    Where is DORA?

    As an EU law, DORA won’t apply of its own force in the UK, but it will directly affect regulated financial businesses in the UK that operate in the EU, and, through its contract management requirements, could affect their ICT providers. Financial services providers in the UK with a presence in the EU will need to flow down DORA’s contract requirements to all of their ICT providers, potentially including those in the UK.

    Chapter V, Section II of DORA also sets out an “Oversight Framework of critical ICT third-party service providers”, who will be designated and notified by the European authorities and will comprise those providers deemed “critical for financial entities”. An ICT provider whose services to these entities meet the designation criteria could therefore be deemed “critical” in the EU.

    So, with cyber security once again the ‘name of the game’, it’s worth thinking now about what you need to do to be ready for DORA compliance, whether for financial services ICT products and services, for your contracts, or for critical generic ICT services, including any changes to accreditation and certification requirements.

    What kind of things does DORA do?

    It’s all about tech and the extent of technology use across financial services. Like our own ‘NIS Regulations’, it’s another law that boils down to the potential chaos and havoc that could be caused by cyber-attacks, this time specifically in the financial services sector.

    DORA itself is intended to achieve a high common level of digital operational resilience across the network and information systems used by financial institutions.

    Specific objectives of DORA are to strengthen:

    • ICT risk management;
    • reporting of major ICT-related incidents;
    • digital operational resilience testing;
    • information and intelligence sharing in relation to cyber threats and vulnerabilities; and
    • sound management of ICT third-party risk, including contracts, contracts and yes, more contracts! DORA incorporates mandatory requirements into the contractual arrangements between financial firms and their ICT third-party service providers.

    A key requirement of DORA will be for financial institutions to beef up their ICT risk management frameworks as part of their overall risk management systems, enabling them to react quickly to ICT risk and ensure a high level of digital operational resilience.

    Cue tools such as vulnerability assessments and scans, open source analyses, scanning software solutions and penetration testing, all of which will be in demand in the market, with testing providers needing appropriate accreditations.

    Implications could also arise for ICT providers in areas such as financial compliance services, compatibility testing, performance testing, end-to-end testing and source code reviews, although these could be offset by opportunities, as this is a growing field for IT services. Financial institutions will have to use and maintain ICT systems, protocols and tools to address and manage ICT risk, so development and marketing opportunities could well arise from DORA. Another area where ICT providers could seek to offset the costs of increased contract regulation is the testing provider market, for ongoing and comprehensive digital operational resilience testing programmes.

    Obligations to detect, notify and report major ICT-related incidents will also be imposed on financial institutions, and these are likely to be flowed down to providers in outsourcing contracts.

    Who does DORA impact?

    DORA will apply to a wide range of financial services institutions, including, to name a few: banks; pension schemes; credit rating agencies; insurance companies; and crowdfunding service providers. It will therefore have repercussions for the IT providers servicing these organisations.

    As above, DORA will also apply directly to those ICT service providers designated as ‘critical’, who, if established outside the EU, will be required to set up an EU subsidiary. Such critical ICT third-party service providers, including cloud computing service providers, will be drawn into and made subject to ‘oversight’ requirements, which could include a “periodic penalty payment” of up to 1% of the provider’s average daily worldwide turnover in the preceding business year to compel compliance.

    Financial organisations will also be required to ‘get up close and personal’ in their contractual arrangements with their IT providers, so contracts are another area where we anticipate a substantial impact on our clients. Faced with these requirements, ICT providers may need to consider the cost implications of complying with the DORA contract requirements at the outset of any tender or negotiation.

    What exactly does DORA want?

    DORA sets out specific minimum requirements for contracts with ICT third-party service providers in order to strengthen financial entities’ contracts. This list of contract requirements is set out in Article 30 of DORA and will require a level of detail and transparency, including on:

    • the locations where functions are performed and data is processed (such as storage);
    • protection and recovery of data (including availability), not only personal data under the GDPR;
    • service level descriptions and updates to them;
    • provision of assistance to the client at no additional cost, or at a cost agreed in advance, when an ICT incident occurs;
    • co-operation with the client’s competent authorities;
    • specific termination rights and minimum termination notice periods, in line with the expectations of supervisory authorities; and
    • conditions for the participation of ICT third-party service providers in their clients’ ICT security awareness programmes and digital operational resilience training.

    For ICT services supporting a financial entity’s critical or important functions, this list is wider still, extending to areas such as:

    • notice periods and reporting obligations;
    • requirements to implement and test business contingency plans; and
    • involvement in ‘threat-led penetration testing’ or “TLPT”, to name a few.

    As a consequence, clients may ‘re-open’ or seek to renegotiate previously agreed contracts. Variations or “addenda” may come your way from financial firm clients seeking to firm up their contracts with DORA requirements. These regulated firms will also need to compile registers of information on their ICT contractual arrangements, which may mean you receive questionnaires, or see extended due diligence questionnaires when tendering for contracts, all of which is likely to mean greater resource and cost for ICT providers.

    Standard contractual clauses (similar to those under the GDPR regime for data transfers abroad) could be one way of addressing these DORA contract requirements. Whilst standard clauses developed by public authorities for some services may make contract negotiation with clients easier, as we’ve seen with data protection requirements, this leaves the spectre of liability lurking as a key contract issue.

    With financial institutions likely to be keen to apportion risk, liability is likely to be another area of negotiation of such contracts and an area where Law 365 may be able to help.

    Breaching DORA

    Be aware that each EU member state must provide for administrative penalties such as fines for breaches of DORA, to be imposed by its competent authorities, unless the breach in question is already subject to criminal penalties under that country’s national law.

    What about the UK?

    DORA already has parallels in the UK’s existing principles-based operational resilience framework for banks in the event of ICT disruption. There are also UK regulatory requirements for regulated financial firms, including FCA rules on operational resilience and outsourcing and on implementing appropriate security to protect outsourced data. So your customers who are already caught by UK operational resilience rules may already require specific security levels in their contracts, but these will be overlaid by the wider requirements of DORA.

    What to do now

    You could start by listing any clients you think will be affected by DORA, if they haven’t already contacted you, and be ready in case they do. If a contract from them flies into your inbox, that’s where we may be able to help. Whilst we can’t advise on DORA itself, as new EU law has not formed part of English law since Brexit, we can assist with contract changes requested by EU clients where the contracts are governed by English law.

    And don’t forget that DORA is only one of a spate of EU and UK laws coming down the pipeline to strengthen the cyber resilience of essential services. NIS2 is another, and the UK already has its own NIS Regulations.

    So, if you need any assistance with digital operational resilience requirements in your contracts or any requested changes to your contracts from clients, financial or other, then contact Law 365.

    DORA: Regulation (EU) 2022/2554, EUR-Lex (europa.eu)
