
The Digital Operational Resilience Act (DORA)

Client Updates / January 16, 2025

Written by: Haim Ravia, Dotan Hammer, Tal Kaplan

The Digital Operational Resilience Act (DORA) will become effective on January 17, 2025, significantly impacting any supplier of technology to the financial sector in the European Union (EU), regardless of their location.

This EU regulation represents a major shift aimed at ensuring that financial institutions are resilient to operational disruptions, particularly those stemming from ICT (Information and Communication Technology) vulnerabilities. DORA applies not only to financial entities such as banks, insurance companies and investment firms, but also extends to ICT third-party service providers. These include providers of cloud computing, software, data analytics, and data center services that support and provide ICT services to financial institutions within the EU.

The increasing reliance of the financial sector on ICT systems for delivering services has heightened its exposure to ICT-related risks, particularly those posed by third-party ICT providers who are not directly supervised. DORA establishes a uniform regulatory framework to mitigate these risks, mandating stricter oversight, testing, and resilience standards for both financial entities and their critical ICT providers. This global reach ensures that any technology supplier, regardless of location, must comply with DORA if they serve EU financial institutions.

DORA introduces harmonized rules for operational resilience across the EU financial sector, applying to 20 different types of financial entities and to ICT third-party service providers. DORA’s goal is to unify approaches to digital operational resilience throughout the EU, helping financial entities manage and recover from cyber threats and disruptions.

DORA sets stringent cybersecurity and ICT risk management standards for a wide range of financial entities across Europe. It mandates that these entities develop comprehensive risk management frameworks with clearly defined roles and responsibilities, enhancing their ability to effectively manage ICT risks. Additionally, DORA provides guidelines for incident reporting and regular ICT system testing to ensure financial entities remain resilient in the event of disruptions.

Key aspects of DORA are outlined below; however, please note it is not possible to provide a comprehensive overview of the entire Act in this brief client update.

Scope and definitions. DORA has a broad scope and applies to numerous kinds of financial entities. These include banks, credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and more. Importantly, DORA also applies to ICT third-party service providers.

DORA defines “ICT services” as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. This definition should be understood broadly: it captures essentially any digital or data service delivered through ICT systems on an ongoing basis, and the only carve-out is the limited category of traditional analog telephone services.

Requirements for financial entities. To maintain full control over ICT risk, financial entities must have comprehensive capabilities to implement a strong and effective ICT risk management framework. This includes specific mechanisms and policies for addressing all ICT-related incidents and for reporting major ICT-related incidents. Additionally, financial entities should establish policies for testing ICT systems, controls, and processes, as well as for managing ICT third-party risks.

Financial entities are required to implement the rules set out in DORA in accordance with the principle of proportionality, considering their size, overall risk profile, and the nature, scale, and complexity of their services, activities, and operations. The requirements for financial entities under DORA cover ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; and information sharing. Financial entities must also follow key principles for sound management of ICT third-party risk, including mandatory provisions in contractual arrangements on the use of ICT services, and an oversight framework for critical ICT third-party service providers.

Requirements for ICT third-party service providers. DORA applies to ICT third-party service providers, particularly those offering services that support the “critical or important functions” of financial institutions. DORA has extraterritorial reach: non-EU ICT third-party service providers are subject to DORA if their services are critical to the operations of EU-based financial entities.

ICT third-party service providers themselves must assess whether they are offering ICT services that support the “critical or important functions” of financial entities. “Critical or important function” is defined as “a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.”

Where ICT third-party service providers are designated as “critical” service providers by the EU, they will be subject to direct regulatory supervision by European regulators (the European Supervisory Authorities (ESAs)). Financial entities may only make use of the services of an ICT third-party service provider established in a third (non-EU) country – and which has been designated as critical – if that provider has established a subsidiary in the EU within the 12 months following such designation.

Non-critical ICT third-party service providers will primarily be required to assist their financial clients in the EU in complying with DORA requirements, through the DORA-mandated contractual provisions in their contracts with those clients.

Technical standards and guidelines. As part of its implementation, DORA mandates the development of Regulatory Technical Standards (RTS) to ensure a consistent and standardized approach across the financial sector. The European Supervisory Authorities have developed and published technical standards and guidelines for compliance with DORA, which financial entities will also need to consider and implement, and which ICT third-party service providers should take into account. These standards include guidance and other information on subjects such as the ICT risk management framework; ICT incident classification; the Register of Information for financial entities; the designation criteria for critical ICT third-party service providers; and more.

Considering the scope and complexity of the regulation, we strongly recommend that businesses examine DORA’s applicability and prepare where necessary. We will be happy to assist you.

Cyber, Privacy, and Copyright Group – Pearl Cohen Zedek Latzer Baratz
This client update is intended for purposes of general knowledge only, does not fully cover the intricacies of the subject matter discussed, does not constitute legal advice and should not be relied on for such purposes.