If a Council vote takes place around the same time and both institutions adopt the text, it is possible that DORA will then enter into force in October 2022. DORA would start to apply 24 months after its entry into force. Thus, in the scenario where it would enter into force in October 2022, it would start to apply from the corresponding date in October 2024.
Scope of the regulations
The majority of DORA is aimed at regulated financial entities. Entities covered by the scope are generically referred to as “financial entities” in the legislation, and the long list includes regulated businesses in banking, insurance, investment, electronic money and payments, including account information service providers, as well as in the crypto-asset and crowdfunding sectors.
Providers of critical information to the financial services industry such as credit rating, critical benchmarking and data reporting services are also affected, as are providers of financial market infrastructure such as central depositories securities, central counterparties and trading venues.
Third-party ICT service providers are also affected by DORA. They fall within the scope of the Regulation in two ways: as providers of services to financial entities, or when they are designated as “critical” third-party ICT providers, in which case they are subject to a separate oversight framework. .
The regulation also establishes a list of entities that fall outside the scope. The list includes institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total. It also includes insurance intermediaries, reinsurance intermediaries and auxiliary insurance intermediaries who are micro, small or medium-sized enterprises.
The contracts concerned
DORA defines contractual requirements for contracts between financial entities and third party ICT service providers.
ICT services are defined as “digital and data services delivered through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services that include technical support through software or firmware updates by the hardware vendor, excluding traditional analog telephone services”.
There are important differences between this definition and the one commonly used to define outsourcing. For example, it does not refer to “recurring services”, only those which are “ongoing”, and there is no need to consider whether the service is something that the financial entity would not normally undertake. herself. If a contract is for a “digital or data service” and is “ongoing”, it will fall within the scope of DORA.
The requirements for contracts for ICT services supporting critical or important functions are more prescriptive than those applicable to other contracts.
A critical or important function is defined in accordance with the legislation in force as “a function the interruption of which would materially harm the financial performance of a financial entity, or the soundness or continuity of its services and activities, or whose Interrupted, faulty or failing performance would materially adversely affect the financial performance of a financial entity. the continued compliance by a financial entity with the conditions and obligations of its authorization, or with its other obligations under applicable financial services legislation”. No other criteria are provided.
The impact of DORA on group agreements
The regulation follows the existing regulatory principle that the intra-group provision of ICT services “should not be considered less risky than the provision of ICT services by providers outside the financial group, and should therefore be subject to the same regulatory framework”.
It further provides that “undertakings which are part of a financial group and provide ICT services primarily to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as third party ICT service providers under this Regulation”.
Financial entities are required to assess ICT risk “based on any potential impact on the continuity and quality of financial services at individual and group level, as appropriate”.
Intra-group service providers will not be designated as “critical” ICT service providers or subject to the oversight framework applicable to such providers.
Differences in contractual requirements
DORA establishes contractual requirements for all contracts for ICT services with more prescriptive requirements applying to contracts that support critical or important functions. Contracts must be in writing and available as “a single written document”…”on paper, or in a document with another downloadable, durable, and accessible format”.
DORA’s contractual requirements are closely aligned in structure and substance with those of the European Banking Authority (EBA) guidelines on outsourcing, with some additions. Additions to all contracts include requirements for vendors to assist when a service-related ICT incident occurs “at no additional cost or at a cost that is determined ex ante”, and to participate more “in security ICT of financial entities”. awareness programs and training in digital operational resilience”.
For ICT contracts for critical or important functions, financial entities must determine whether the supplier has “the latest and highest standards of information security”. The provider is required to “fully participate in and cooperate with a penetration test conducted by a financial entity threat”. The contract must also include a “mandatory adequate transition period”.
DORA is not as prescriptive as the EBA Outsourcing Guidelines and other existing frameworks when it comes to outsourcing requirements. At the pre-contractual stage, financial entities must carry out an “in-depth analysis of outsourcing agreements, in particular when they are concluded with third-party ICT service providers established in a third country” according to the recitals and “weigh the advantages and risks that may arise in the context of subcontracting. For critical or important functions, financial entities should assess “if and how potentially long or complex outsourcing chains may impact their ability to fully control outsourced functions and the competent authority’s ability to effectively monitor the financial entity”.
The only contractual requirements for outsourcing set out in DORA are that the contract specify whether outsourcing is permitted, the terms of outsourcing and the locations of outsourced functions, ICT services and data processing activities. data.
The EBA, together with the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – the other European supervisory authorities – have the power to develop regulatory technical standards relating to subcontracting.
DORA’s relationship to existing regulatory requirements
DORA does not supersede sourcing requirements set out in existing EU legislation and guidance, such as those established under the CRD, MiFID II and Solvency II frameworks. Pinsent Masons has received confirmation from the European Commission that there is no intention to repeal the existing laws and therefore at this stage the position is that DORA will exist alongside the current requirements.
DORA directly addresses the overlap with the Network and Information Security Directive and its soon to be released successor, NIS2.
The supervisory framework and its impact on financial entities
DORA establishes a framework for the direct oversight of large ICT service providers who must be designated by EU supervisors as “Critical ICT Third Party Providers” (CITPP). Once designated, these service providers will have to create a subsidiary in the EU if they are not already present there.
Although it is mandatory to have a subsidiary in the EU, there is no direct obligation for financial entities to contract only with the EU entity of the designated CITPP. If CITPP does not incorporate as an entity in the EU within a specified period of time after its designation, financial entities will be prohibited from using its services.