Pinsent Masons experts Yvonne Dunn and Luke Scanlon, who specialise in technology contracts in financial services, said the EU’s Digital Operational Resilience Act (DORA) package forms just part of an increasingly stringent regulatory regime around operational resilience and third-party risk that firms and service providers active in both the EU and UK need to navigate.
The DORA package, proposed by the European Commission in September 2020, consists of both a regulation and a directive. Both legal instruments received formal approval by the Council of Ministers, one of the EU’s law-making bodies, on Monday. Earlier this month, MEPs voted in favour of the draft legislation, which is expected to be published in the Official Journal of the EU (OJEU) in the coming days.
The DORA package will amend existing legislation concerning operational risk and risk management requirements in EU financial services and effectively codify requirements around ICT security risk management and outsourcing that are currently contained in a suite of guidelines produced by EU authorities. It enhances the requirements financial institutions face in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to the contractual arrangements they put in place with ICT third-party service providers.
DORA also provides for direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance.
Yvonne Dunn said the impact of DORA will be felt beyond the EU.
Dunn said: “Even though DORA will not apply directly in the UK, UK companies with business in Europe will be subject to its requirements. Even for those UK businesses that will be outside the scope of DORA, the legislation offers an insight into how UK policy and regulation around operational resilience is likely to develop.”
Luke Scanlon said there is a lot of work to be done in understanding where DORA fits within the overall regulatory framework for operational resilience and third-party risk.
Scanlon said: “For financial institutions with business both inside and outside of the EU, consideration will need to be given to the extent to which the requirements are consistent, inconsistent or overlap with those of other jurisdictions – for example, in the UK a gap analysis will need to be made against the UK regulators’ operational resilience framework and, for PRA-regulated entities, the PRA's expectations on third-party risk.”
“For large technology companies that provide significant services to the sector, they will need to monitor whether or not they could fall in scope of the requirements for direct supervision by financial regulators – a concept that will be new to them. This is likely going to require that significant internal resources be allocated to address requests from regulators, investigatory actions and potentially on-site visits,” he said.
Both the DORA regulation and directive will come into force 20 days after their publication in the OJEU, though the provisions will not have effect for two years – and, in the case of the directive, until EU member states implement the provisions in national legislation.
Businesses can expect more detail on the requirements they must meet to be set out in regulatory technical standards to be developed by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).