Alert
29 July 2024

ESA Publications on Digital Operational Resilience: A Reminder That DORA is Less Than Six Months Away and Will Apply to US and UK CTPPs

The Joint Committee of the European Supervisory Authorities (ESAs) published (a) on 17 July 2024 the second batch of implementing materials and (b) on 26 July 2024 the draft regulatory technical standard (RTS) on the subcontracting of information and communication technology (ICT) services under the Regulation on digital operational resilience for the financial sector (DORA). Both publications are reminders that the deadline for DORA compliance is less than six months away.

DORA came into force on 16 January 2023, and will apply starting on 17 January 2025.

DORA Revisited

In previous alerts, Digital Markets Act: Mandatory Compliance for Big Tech Companies, What DORA Means for Fund Managers and Too Important To Fail? Further Light on When EU and Non-EU Technology Providers Will Become Subject To DORA, we have discussed DORA. We have also set up a microsite to address DORA and the similar regime in the UK: Financial Regulations for Critical Third-Party Technology Providers in the EU and UK.

DORA seeks to address the potential systemic and concentration risks posed by the financial sector’s reliance on a small number of critical ICT third-party providers. It introduces an oversight framework for ICT third-party providers that the three ESAs deem to be “critical to the stability and integrity of the [EU] financial system” and designate as critical third-party providers (CTPPs).

Main Obligations for EU Financial Entities

DORA’s main requirements for EU financial entities, such as banks, broker-dealers, and insurers, are summarised below:

Requirement | Description
Risk management | Implement policies and procedures to identify and manage ICT risk.
Incident management | Develop processes for identifying, reporting, responding to, and recovering from ICT-related incidents.
Resilience testing | Conduct regular testing of systems and processes, including threat-led penetration testing (TLPT) at least every three years.
Third-party ICT risk management | Maintain a register of information on all contractual arrangements with ICT third-party service providers, distinguishing those that support critical or important functions, and ensure those contracts contain the provisions DORA requires.
Information sharing | Engage in information-sharing arrangements on cyber threats with other financial entities.

Application Outside The EU: US and UK Third Party ICT Providers Beware

In addition to the provisions of DORA that apply to EU financial entities, DORA will also apply to ICT third-party providers designated as CTPPs that supply ICT services to EU financial entities. As we have noted before, DORA can apply to non-EU CTPPs, including those in the US and UK, that provide services to EU financial entities.

The 17 July ESA Implementing Materials

As an EU regulation, and unlike an EU directive, DORA binds EU businesses directly, without the individual Member States needing to adopt national laws to give it effect. DORA does, however, require the European Commission and the ESAs to adopt further measures (RTS, implementing technical standards and guidelines) that flesh out its provisions; the ESA implementing materials are part of this work.

These materials consist of four final draft regulatory technical standards (RTS), one set of implementing technical standards (ITS) and two sets of guidelines.

The package addresses the reporting framework for ICT-related incidents (content, format, templates and timelines) and threat-led penetration testing, while also introducing requirements on the harmonisation of the oversight framework to ensure continuous and uninterrupted provision of financial services to customers and safety of their data.

The ESAs have published the following final draft technical standards:

  • RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
  • RTS on the harmonisation of conditions enabling the conduct of the oversight activities;
  • RTS specifying the criteria for determining the composition of the joint examination team; and
  • RTS on threat-led penetration testing.

The set of guidelines include:

  • Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents; and
  • Guidelines on oversight cooperation.

The 26 July Draft RTS

The ESAs’ final report (JC 2024 53) on the draft RTS on subcontracting sets out requirements for the use by ICT third-party service providers of subcontracted ICT services that support critical or important functions, or material parts thereof. In particular, the draft RTS requires financial entities to assess the risks associated with subcontracting during the pre-contractual phase, including as part of due diligence. It also sets out requirements for the implementation, monitoring and management of subcontracting conditions for ICT services supporting critical or important functions. The aim is to ensure that financial entities are able to monitor the entire subcontracting chain behind such services.

Likely Further Developments

The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission, which will review them with the objective of adopting them in the coming months. The final draft RTS on subcontracting published on 26 July follows the same route.

Next Steps for Financial Entities and Third-Party Providers

Ahead of the 17 January 2025 deadline, financial entities will need to:

  • Assess current ICT frameworks, including identifying existing policies, procedures, and controls, and conducting gap analyses to identify the changes required, with robust governance measures and ultimate board responsibility.
  • Identify responsibilities and roles of current management and other staff, including consideration of roles that can be delegated internally and roles that require additional expertise across all relevant departments, such as ICT, legal, compliance, client/investor relations, and general operations.
  • Identify key external contacts and service providers to ensure that procedures, communications and reporting are well established and that contractual arrangements are reviewed and renegotiated as necessary.
  • Implement regular testing for digital operational resilience, as well as the mandatory threat-led penetration tests.
  • Review internal and external communications practices to ensure open and transparent communication for warning, disclosing and reporting, including contact with the local regulator. For example, in Luxembourg the CSSF has already launched a DORA dry-run exercise on eDesk, running until 31 August 2024, for the registers of information on third-party ICT service providers, and CSSF Circular 19/721 obliges fund managers to stay informed of any transmissions required to the CSSF.
  • Finalise your Digital Resilience Strategy which should cover all the above, including: risk assessments, incident response plans and reporting, management of external service providers, internal procedures, monitoring, and compliance with updates.

How Can Goodwin Help?

We can assist you with:

  1. Analysis of whether and how DORA applies to your business;
  2. Setting up an EU subsidiary in order to comply with DORA;
  3. Conducting a review of your key procedures and contracts to ensure DORA compliance;
  4. Drafting and negotiating addenda to your contracts that satisfy the requirements of DORA; and
  5. Helping you prepare and implement internal processes and procedures and draft or amend policies and manuals for DORA compliance.

To discuss the contents of this alert, please contact the authors or your usual Goodwin contact.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.