The EU’s Digital Operational Resilience Act (“DORA”) will become applicable from the 17th January 2025 and is meant to create a comprehensive technology risk regulatory framework for ensuring the EU financial sector’s “digital operational resilience”.
While DORA was conceived with a focus on financial institutions, its implications extend beyond the financial sector to encompass or affect Information and Communication Technology (“ICT”) service providers that provide their services to the financial sector, whether directly, under DORA’s Oversight Framework for Critical ICT Third-Party Service Providers, or indirectly, through the contractual requirements which DORA imposes on financial entities in their arrangements with ICT third-party service providers.
Critical ICT Third-Party Service Providers
DORA establishes a regulatory Oversight Framework for ICT Third-Party Service Providers which are designated as “critical” in terms of DORA.
Such designation is made pursuant to a mechanism which considers the dimensions and nature of the financial sector’s reliance on such ICT third-party service provider, revolving around the significance of the services, their potential impact in the event of disruption, and their interconnectedness with other essential services.
The designation is issued by the European Supervisory Authorities (the “ESAs”), namely the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”), and the European Securities and Markets Authority (“ESMA”), through their joint committee and upon recommendation from the Oversight Forum.
Mainly the largest ICT service providers are expected to be designated as Critical ICT Third-Party Service Providers under the DORA framework.
How Does DORA Affect All ICT Service Providers that Service the Financial Sector?
DORA seeks to achieve a high common level of digital operational resilience for the financial sector by laying out rules and obligations applicable to financial entities in relation to:
a) ICT risk management;
b) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
c) reporting of major operational or security payment-related incidents to the competent authorities by certain financial entities;
d) digital operational resilience testing;
e) information and intelligence sharing in relation to cyber threats and vulnerabilities; and
f) measures for the sound management of ICT third-party risk.
While the above obligations are directed to financial entities, DORA also imposes rules on contractual content requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities.
In regard to the above, it should be noted that “ICT Services” are considered by DORA to refer to any “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.”
Requirements in Contracts for ICT Services
DORA establishes a minimum set of contractual requirements which apply to any contractual arrangement for ICT Services between a financial entity and an ICT Third-Party Service Provider. Such minimum contractual content requirements are mainly enshrined in DORA’s article 30(2) which sets out the following contractual content requirements:
More extensive contractual requirements are however imposed for ICT services “supporting critical or important functions” of a financial entity, that is "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".
The detail on the contractual requirements for ICT third-party service providers’ contracts supporting critical or important functions is mainly enshrined in DORA article 30(3) and includes further extensive provisions which may be particularly key for ICT service providers to consider, for example, an obligation of the service provider to cooperate with the financial entity in threat-led penetration testing, unrestricted rights of access, inspection and audit, and exit strategies, such as setting an appropriate mandatory transition period.
ICT Service Providers: Prepare for Contractual Revisions
Although DORA only becomes applicable on 17 January 2025, ICT service providers should already be preparing to engage in discussions to amend existing contracts for compliance purposes, and should bear DORA’s impending requirements in mind when entering into new contracts.
It should also be noted that on 25 March 2024 the Malta Financial Services Authority (“MFSA”) published the “Authority’s Minimum Expectations in Relation to Financial Entities’ Preparedness to Regulation (EU) 2022/2554 on Digital Operational Resilience”, which sets out the MFSA’s 2024 minimum expectations for sufficient DORA preparedness, including Expectation 17, namely that:
“Financial Entities have taken steps towards aligning their current written contractual arrangements with ICT Third-Party Service Providers to the key contractual provisions specifically mentioned in Article 30 of the DORA Regulation”.
DORA preparedness thus needs to commence for ICT service providers at a time when certain key matters remain in development, including, for example, the adoption of DORA’s final draft technical standards – the Regulatory Technical Standards and the Implementing Technical Standards. Furthermore, standard contractual clauses for specific services are still being developed by public authorities.
Similarly, considerations correlating DORA with the upcoming NIS 2 Directive (Directive 2022/2555) cannot be fully assessed, given that to date no Maltese national law transposing that Directive has been published, nor have the related designations been undertaken.
A further difficulty is also envisaged for ICT service providers in that, ultimately, whether a service provider’s contractual arrangement with a financial entity requires the extensive clauses mandated for contractual arrangements supporting critical or important functions depends on an assessment and determination outside of the ICT service provider’s control.
For more information or assistance on Technology Law please contact Dr Ian Gauci and Dr Terence Cassar.