DORA: The countdown to 2025 for financial firms and ICT service providers
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) focuses on information and communication technology (ICT) risk and on maintaining operational resilience when ICT services are delivered to regulated firms in the financial sector. As financial firms become increasingly dependent on external service providers for their digital solutions, that dependency creates new risks for the firms themselves and for the security of the financial markets more broadly.
DORA provides a single supervisory approach across all regulated firms operating in the EU. From a contracting perspective, the emphasis is less on ensuring regulated firms are financially stable, and more about ensuring they can continue to operate through severe disruption, particularly cyber and technology disruptions. DORA enhances financial firms’ responsibilities for managing third party ICT service providers, conducting due diligence, and responding in the event of a third party incident or failure, in order to ensure their operations are as robust and resilient as possible.
Suppliers need to be aware that DORA impacts both regulated financial firms and ICT service providers themselves. EU regulators will also have new powers with direct oversight of certain critical ICT service providers to the financial sector.
Various delegated regulations and the technical standards which sit under DORA were published in 2024, and provide additional clarification of the requirements, including provisions which must be reflected in contracts for ICT services.
DORA applies from 17 January 2025.
Who's impacted?
- Firms operating in the EU financial services sector (including credit institutions, payment institutions, investment firms, insurance and reinsurance undertakings, intermediaries, management companies, credit rating agencies, alternative investment fund managers, etc)
- Group companies with intra-group arrangements which involve an EU-regulated firm, including as a service beneficiary under a group contract or framework
- ICT service providers to EU-regulated firms. Designated ‘critical’ ICT third-party service providers (which will be notified directly by the EU regulators that they are critical to the market) will be subject to direct oversight by a Lead Overseer, one of the European Supervisory Authorities
What's new?
Operational resilience and ensuring service continuity have been the focus of regulators for some time. DORA addresses many topics that already apply to financial services firms operating in the EU, but compared to the current regulations, DORA is more rigorous and prescriptive in its granularity, particularly in relation to ICT and cyber resilience. The scope is broader than existing outsourcing regulations (which continue to apply), impacting ICT procurement more widely.
DORA defines risk management requirements for how firms should identify, classify and report major ICT-related incidents. It sets out specific digital operational resilience testing requirements (including advanced threat-led penetration testing for certain firms), each of which must be backed by documentation, processes and controls. Once the processes are in place, DORA requires firms to demonstrate oversight, management and governance of their contracting processes, testing programmes and supply chain management.
Key contractual implications
DORA sets out five key pillars:
- ICT risk management
- Reporting on ICT-related incidents
- Digital operational resilience testing
- Management of third-party risk
- Information and intelligence sharing
DORA applies to ICT services contracts, with an additional layer of requirements for those ICT services which support a ‘critical or important function’ within the firm. DORA sets out the primary contractual requirements and the delegated regulations provide additional requirements for contracts with ICT service providers supporting critical or important functions. As well as the direct contractual requirements (eg procuring that the ICT service provider will fully co-operate with the regulators), each firm may also require bespoke provisions which enable it to implement its own ICT risk management framework.
What are the penalties for non-compliance?
Penalties for financial entities are set at Member State level: each national competent authority has the power to impose administrative penalties and remedial measures on firms and, subject to national law, on members of their management body, including for failure to report a major ICT-related incident. For designated critical ICT third-party service providers, the Lead Overseer (one of the European Supervisory Authorities) may impose periodic penalty payments of one per cent of the provider’s average daily worldwide turnover in the preceding business year, for each day of non-compliance, for up to six months.
Next steps for compliance
Regulated firms: During the implementation period, firms have been focused on ensuring compliance in terms of their internal processes, reporting arrangements, and contractual requirements. For existing contracts, firms should be conducting a comprehensive gap assessment between existing contracts and the DORA requirements, and putting in place amendments to address any shortcomings.
Going forward, firms should be undertaking due diligence of new ICT service providers in accordance with DORA and ensuring their contract templates include the DORA requirements as standard. Ongoing contract management should then be in place to maintain strong governance and oversight of their ICT service providers.
ICT service providers: ICT service providers can expect increased scrutiny of compliance-with-laws provisions, additional oversight and subcontracting control provisions, and increasingly robust governance and reporting processes. We always recommend that service providers work closely with their financial services customers to understand how their services are integral to each firm’s operations and resilience.
ICT service providers should have their own standard Financial Services Addendum when doing business with regulated customers in order to address these points upfront. DORA provides an opportunity to update and develop that addendum, demonstrating market awareness and a willingness to engage with the regulatory requirements. Operationally, ICT service providers will need to ensure they can manage a consistent level of ICT and cyber resilience across their operations and effectively manage ICT risk in line with the DORA requirements.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.
Contact
Alison Ross Eckford
+442076489266
Megan Whitaker
+441603693486