DORA standards on ICT risk in financial services proposed

DORA, due to begin to apply from 17 January 2025, will effectively codify and harmonise obligations on financial services firms arising from a raft of existing regulatory standards and guidelines in relation to ICT risk and outsourcing. It will also introduce a new framework of direct regulation of major technology providers to financial entities.

The DORA package, which is made up of both an EU regulation and directive, provides for much of the detailed requirements to be set out in regulatory, or implementing, technical standards. The EU’s three supervisory authorities in financial services – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – are jointly mandated to draft the standards.

The first set of draft standards – four in total – have now been published and concern different aspects of the DORA regime.

The first draft standard is on the topic of ICT risk management (87-page / 1MB PDF). It covers ICT security policies, procedures, protocols and tools – including on issues of governance, encryption and cryptography, ICT operations and network security, ICT project and change management, and training – as well as human resources policy and access control, ICT-related incident detection and response, ICT business continuity management, and the report businesses will have to prepare after conducting a review of their ICT risk management framework.

The second draft standard concerns criteria for the classification of ICT-related incidents (40-page / 828KB PDF).

DORA requires financial firms to classify ICT-related incidents and determine their impact based on criteria outlined in the legislation – this will require firms to consider matters such as the number of clients affected, service downtime arising from the incident, the geographic spread of the incident, whether there has been any data loss, the criticality of the services impacted, and the economic impact of the incident.

The classification requirements are designed to assist firms in identifying incidents that need to be reported to regulators under DORA’s incident-reporting provisions. The draft standard expands on the classification criteria outlined in DORA and will further help firms establish the materiality of incidents with their incident reporting obligations in mind.

Under DORA, financial entities are also required to maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third party service providers. The EBA, ESMA and EIOPA are mandated to develop templates to support firms in this regard – the third draft standard (140-page / 1.8MB PDF) they are consulting on relates to those templates.

The fourth draft standard provides detail on the policy financial entities are required to develop under DORA on their use of ICT services supporting critical or important functions provided by ICT third-party service providers. DORA requires that the policy form part of a broader strategy on ICT third-party risk.

The draft standard addresses policy around issues such as risk assessment and due diligence at the pre-contractual phase, as well as the implementation, monitoring and management of the contractual arrangements. It also covers policy requirements around the exit strategy and the termination processes.

The four draft standards are open to consultation until 11 September 2023. The supervisory authorities have until 17 January 2024 to submit finalised standards to the European Commission for adoption.

A second batch of technical standards, to be prepared by the EBA, ESMA and EIOPA, are expected to be published for consultation in November or December. The final version of those standards must be submitted to the European Commission by 17 July 2024.

Luke Scanlon of Pinsent Masons, who specialises in technology contracts in financial services, said: “Financial entities will now need to ensure that their efforts to implement DORA take into account the provisions of each technical standard. As the date on which DORA will apply in full force is likely to be very close to the dates on which the standards are finalised, there is good reason to take steps as part of initial implementation activities to be become familiar with the provisions in draft in order to plan effectively for implementation within the timeframes required.”

Out-Law previously reported that the existing EU guidelines on ICT security risk management and outsourcing in financial services that are contained in a suite of guidelines produced by EU authorities would coexist with, rather than be replaced by, DORA when the legislation takes effect, though a European Commission spokesperson said the guidelines would need to be amended, and some potentially deleted, to reflect the requirements in DORA.

DORA addresses many of the same issues that the guidelines issued by the supervisory authorities cover, such as requirements around business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as around management of third-party ICT risk. It sets out enhanced requirements around digital operational testing, including around penetration testing. DORA will also regulate the contractual arrangements concluded between ICT third-party service providers and financial entities, addressing issues such as audit rights, oversight of sub-outsourcing, data requirements, termination and exit strategies.

DORA also provides for direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance. In this regard, the EBA, ESMA and EIOPA have already been asked by the European Commission to input on the preparation of delegated acts concerning criteria relevant to the designation of ICT third-party service providers as ‘critical’ – a designation that would see those providers subject to direct regulation.

In the UK, the Financial Services and Markets Bill, currently before parliament, provides for the establishment of a new ‘critical third parties’ (CTPs) regime in UK financial services, under which some service providers to financial institutions would be designated as subject to direct regulation. The Bill is being pursued at a time when UK financial regulators are increasing their expectations around and scrutiny of firms’ operational resilience.