The EU regulation on digital operational resilience for the financial sector (DORA) was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will apply from 17 January 2025. As an EU regulation and unlike an EU directive, it will bind EU businesses directly without the need for individual member states to implement laws to put DORA into effect.
DORA seeks to address potential systemic and concentration risks posed by the financial sector’s reliance on a small number of information and communication technology (ICT) third-party providers (TPPs) and introduces an oversight framework for EU TPPs that the three EU supervisory authorities (ESAs) deem to be “critical to the stability and integrity of the [EU] financial system” and designate as critical TPPs.
Importantly, DORA is capable of applying to non-EU critical TPPs, including those in the US and UK, that provide services to EU financial entities, such as banks, broker-dealers, and insurers, because it will require those non-EU critical TPPs to establish subsidiaries in the EU.
On 26 May 2023, the ESAs issued a discussion paper (DP) to consult with market participants on further criteria for determining whether TPPs are “critical.” (The DP also addresses the question of the amount of the fees levied on critical TPPs.)
DORA identifies four criteria (discussed below) for determining whether a TPP is critical:
DORA requires the EU Commission to make further delegated regulations to expand DORA’s provisions (usually described as regulatory technical standards, or RTS), and the DP addresses the advice on the RTS that the Commission asked the ESAs to provide.
Following the consultation in the DP, which closes for comment on 23 June 2023, the ESAs are required to provide the advice by 30 September 2023.
DORA is revolutionary because it will extend a form of financial services regulatory oversight to critical TPPs, such as large cloud companies and data storage providers, that do not themselves offer financial services and are not subject to direct financial services regulatory oversight. Currently, these businesses are subject to what can be best described as indirect regulatory oversight because the contracts under which they provide services (deemed to be critical) to banks and other regulated financial services providers must contain provisions prescribed by EU regulation and ESA guidance. (See, for example, our alert ESMA Cloud Outsourcing Guidelines – Practical Points for Cloud Service Providers and Regulated Entities.)
The main impact of a designation as a critical TPP is that the critical TPP becomes subject to oversight by a “lead overseer” that will have the power to assess whether the critical TPP has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risk that it may pose to financial entities. The lead overseer will also have powers to conduct general investigations and inspections.
The question of whether or not a TPP is deemed to be critical will, therefore, be vital to any technology provider that provides services to EU financial entities.
The DP proposes a two-step test for determining indicators of a qualitative and quantitative nature for each of the four criticality criteria:
DORA describes this as follows: “the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant TPP faces a large scale operational failure to provide its services, taking into account the number of financial entities and the total value of the assets of the financial entities to which the TPP provides its services.”
The DP sets out the following Step 1 indicators:
The DP sets out the following Step 2 indicators:
DORA describes this as follows: “the systemic character or importance of the financial entities that rely on the relevant TPP, assessed in accordance with the following parameters: (i) the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the TPP; and (ii) the interdependence between the G-SIIs or O-SIIs referred to in point (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities.”
The DP sets out the following Step 2 indicator:
DORA describes this as follows: “the reliance of financial entities on the services provided by the relevant TPP in relation to critical or important functions of financial entities that ultimately involve the same TPP, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements.”
The DP sets out the following Step 1 indicator:
DORA describes this as follows: “the degree of substitutability of the TPP, taking into account the following parameters: (i) the lack of real alternatives, even partial, due to the limited number of TPPs active within a specific market, or the market share of the relevant TPP, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the TPP’s organisation or activity; (ii) difficulties in relation to partially or fully migrating the relevant data and workloads from the TPP to another TPP, due either to significant financial costs, time, or other resources that the migration process may entail or to increased ICT risk or other operational risks to which the financial entity may be exposed through such migration.”