DORA and ICT Service Providers

The EU’s Digital Operational Resilience Act (“DORA”), which will come into effect on 17 January 2025, seeks to establish a harmonized regulatory framework for digital operational resilience within the financial sector. Whilst its primary focus is on financial entities, ICT Service Providers are also directly or indirectly impacted by DORA.

This article shall explore the boundaries of DORA’s applicability to ICT Service Providers.

Does DORA Apply to ICT Service Providers?

DORA applies directly only to a limited number of ICT Service Providers, namely those which will be designated as “Critical” through DORA’s Oversight Framework.

Such designation is made pursuant to a regulatory process that considers the extent and nature of the EU financial sector’s reliance on the service provider: the significance of the services, the potential impact of their disruption on the financial industry, and their interconnectedness with other essential services.

The designation is issued by the European Supervisory Authorities (the “ESAs”), namely the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”), through their Joint Committee and upon recommendation from the Oversight Forum. Oversight of each designated provider is in turn exercised by a Lead Overseer, being one of the ESAs appointed for that purpose.

To this end, the ESAs, in collaboration with the national competent authorities of the Member States, are collecting information from financial entities regarding their ICT Service Providers. Financial entities are obliged to submit detailed registers of information, including certain details of their contractual arrangements with their ICT Service Providers. This process is intended to enable the designation of “Critical” providers, which is expected to occur in the second half of 2025.

Mainly the largest ICT Service Providers are expected to be designated as Critical ICT Third-Party Service Providers under the DORA framework. It is therefore envisaged that DORA will not directly apply to most ICT Service Providers. This is especially relevant in the local Maltese context, where even ICT Service Providers which are large by local standards are unlikely to be captured as “critical”, given their comparatively smaller size and the financial industry’s comparatively limited reliance on their services.

Why is DORA Still Relevant Then to Many ICT Service Providers?

Although DORA is not expected to apply directly to most ICT Service Providers, ICT Service Providers who serve financial entity customers will still ultimately be impacted.

This occurs in practice because their financial entity customers are themselves directly required to comply with DORA, and those compliance obligations require financial entities to impose certain contractual conditions in their arrangements with ICT Third-Party Service Providers for the provision of ICT services. The conditions required for the financial entity’s own compliance vary depending on whether the respective ICT Third-Party Service Provider supports critical or important functions of the financial entity, in which case more extensive contractual requirements apply.

As a result, while financial authorities will not have direct regulatory supervision over such ICT Third-Party Service Providers, and such providers are not directly obliged by law to comply with DORA, in practical terms they are still impacted by the new conditions which they are expected to consider in their arrangements with financial entities, whether when negotiating a new contract or when updating existing contractual arrangements to bring them in line with what the financial entity customer requires for its own compliance.

Thus, the manner in which DORA applies to most ICT Service Providers ultimately depends, from the ICT Service Provider’s point of view, on the contractual conditions which it is willing to agree with its financial entity customers. Key expectations of a financial entity deriving from DORA, such as exit planning, business continuity and service levels, will therefore ultimately be a matter for negotiation for an ICT Service Provider.

This is the first article in our series “The DORA Edge: Empowering ICT Providers in Financial Services”. Over the coming weeks we will be delving deeper into DORA’s key principles and implications for ICT Service Providers.

For information or assistance please contact us at info@gtg.com.mt

Author: Dr Terence Cassar

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.