Faegre Drinker Biddle & Reath LLP
January 13, 2025

EU Digital Operational Resilience Act Priorities for 2025

Proactive Compliance Is Crucial for Financial Entities and IT Providers

At a Glance

  • The Digital Operational Resilience Act (DORA) sets out prescriptive requirements for contracts between financial entities and their third-party IT service providers. Many financial entities are seeking to implement the required changes through contractual addenda that align existing supplier contracts with the requirements of DORA.
  • DORA does not provide for a grace period for implementation. Nevertheless, many areas of uncertainty remain, particularly regarding the nature of the information and communication technology services that fall within DORA’s scope, and the accompanying regulatory guidance has been slow to emerge.
  • It is crucial for both financial entities and IT providers to be proactive in addressing DORA compliance. Financial entities should take immediate steps to clarify their compliance obligations, as delays in this process could lead to missed deadlines or unnecessary regulatory challenges.

Background

The Digital Operational Resilience Act (DORA), a European Union (EU) regulation that is set to transform how financial entities and their information technology (IT) service providers manage operational risks, will apply from 17 January 2025. Aimed at enhancing the information and communication technology (ICT) security of financial institutions in the EU, such as banks, insurance and investment firms, DORA introduces a harmonised framework to bolster digital resilience, operational continuity, and risk management of those entities and their ICT service providers.

DORA’s scope extends beyond the EU. For example, financial entities outside the EU that offer financial services in the EU market are potentially within its scope. Similarly, ICT service providers that provide services to entities which are within the scope of DORA may also need to comply. DORA can also apply to intra-group arrangements. For example, if a U.S. parent company provides intra-group ICT services to an EU entity that is within the scope of DORA, the U.S. parent could be categorised as an ICT provider.

DORA does not provide for a grace period for implementation. Nevertheless, many areas of uncertainty remain, particularly regarding the nature of the ICT services that fall within DORA’s scope, and the accompanying regulatory guidance has been slow to emerge. While many financial services entities and their service providers are working towards meeting the 17 January deadline, relatively few will have fully implemented all of the required documentation, processes and procedures, and the process is likely to continue for at least the first quarter of 2025.

Under DORA, financial entities and their IT service providers must take the steps and implement the policies and procedures summarised below, which fall under five key pillars:

1. ICT Risk Management

  • Establishing a comprehensive framework to address ICT risks swiftly.
  • Assigning oversight to an independent control function.
  • Conducting regular reviews and continuous improvements.

2. Incident Management and Reporting

  • Implementing an ICT incident management process.
  • Classifying and reporting major incidents to authorities, including significant cyber threats.

3. Digital Operational Resilience Testing

  • Implementing a risk-based programme for ICT systems supporting critical functions.
  • Conducting annual tests, involving both independent parties and internal resources.

4. ICT Third-Party Risk Management

  • Integrating third-party risk into the overall ICT risk framework.
  • Regularly reviewing third-party risk strategy and maintaining a register of contractual arrangements.
  • Reviewing and implementing changes to contractual arrangements in the ICT supply chain.

5. Information Sharing Between Financial Entities

  • Sharing cyber threat information within trusted communities to enhance resilience.
  • Ensuring compliance with data protection and other applicable regulations.

The European Supervisory Authorities (ESAs), which are responsible for overseeing financial entities’ implementation of DORA, have the power to impose significant fines for noncompliance. For financial entities this can be up to 2% of their total annual worldwide turnover, and for third-party IT providers of ‘Critical or Important Functions’ (CIFs) this can be up to €5 million. Other possible penalties include sanctions for board members and potentially criminal penalties for noncompliance.

Managing the Supply Chain: DORA Addenda

DORA sets out prescriptive requirements for contracts between financial entities and their third-party providers. Many financial entities are seeking to implement the required changes through contractual addenda that align existing supplier contracts with the requirements of DORA. These addenda define the responsibilities, obligations and operational safeguards between financial entities and third-party IT providers. Financial entities and their providers are facing a number of practical issues in drafting, negotiating and implementing effective DORA addenda, including those discussed in the following sections.

Categorisation Issues

Determining whether the services provided by an IT provider qualify as CIFs under DORA can be difficult. The criteria for classification remain complex, and some IT providers resist being categorised as CIFs due to the additional compliance burdens this entails. CIF status depends on a number of factors, including the impact and time sensitivity of disruption to the services being provided.

Inevitably, the lack of clarity in the text of DORA, and the limited guidance to date from the ESAs, gives financial entities a considerable degree of discretion, but it also requires them to prioritise the most critical providers as the deadline approaches.

Many financial entities have drafted and are implementing separate addenda for CIFs and non-CIFs, although this can create delays and complicate compliance efforts.

Regional Inconsistencies

The implementation of DORA across the EU has revealed significant regional inconsistencies, particularly with the alignment between local financial entities and the approach of their corporate parents. In some regions, local institutions are not adhering to the strategies set by their parents, leading to a fragmented approach to compliance.

There are also differences in approach emerging in the market between EU member states. In some countries, financial services institutions are taking the lead, whereas in others, IT providers are being proactive in negotiating addenda to keep the focus as narrow as possible and avoid re-opening commercial terms. The lack of alignment across regions makes the drafting of DORA addenda particularly challenging, as different countries and institutions require tailored solutions, complicating efforts to achieve standardised compliance.

Lack of Clear Guidance

A significant challenge in drafting DORA addenda is the absence of clear guidance on how far down the supply chain the addenda should be applied. Financial entities are adopting varying approaches to this issue. Some are applying addenda only to their immediate service providers, whilst others extend these obligations to subcontractors further down the chain. This inconsistency leads to a fragmented approach across the industry.

Furthermore, group affiliates could qualify as IT providers if they provide services intra-group, adding another layer of complexity. In the DORA register, subcontractors further down the chain only need to be included if they provide CIFs, a provision which does not apply to group affiliates. As a result, financial entities must navigate different compliance obligations depending on the structure of their supply chain.

DORA and the UK’s Cybersecurity Bill

In response to the EU’s evolving digital regulatory landscape, the UK is aligning its legislative approach to prioritise cybersecurity, particularly through the introduction of the upcoming Cyber Security and Resilience Bill. The bill, which is set to advance through Parliament in 2025, will play a pivotal role in strengthening the UK’s cybersecurity framework.

You can read more about the UK Cyber Security and Resilience Bill on the Discerning Data blog.

Who Should Act Now?

It is crucial for both financial entities and IT providers to be proactive in addressing DORA compliance. Financial entities should take immediate steps to clarify their compliance obligations, as delays in this process could lead to missed deadlines or unnecessary regulatory challenges.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
