EU outsourcing and ICT security guidelines will coexist with DORA

Out-Law News | 16 May 2022 | 2:54 pm | 2 min. read

Guidelines on ICT security risk management and outsourcing in financial services will coexist with the EU’s Digital Operational Resilience Act (DORA) when DORA takes effect, Out-Law can confirm.

In response to a query raised by Out-Law about the status of existing guidelines produced by the EU’s supervisory authorities (ESAs) in financial services when DORA becomes law, a European Commission spokesperson said the guidelines would not be repealed – even though DORA will codify many of the guidelines’ requirements in EU law.

The spokesperson confirmed, however, that the guidelines would need to be amended, and some potentially deleted, to reflect the requirements in DORA.

Scanlon Luke

Luke Scanlon

Head of Fintech Propositions

Managing changes in the regulation of digital operational resilience and third party risk management will remain areas of priority for a significant period of time

“Once applicable, DORA will streamline and codify in one Regulation the essential ICT risk requirements for the financial entities in its scope,” the Commission spokesperson said in a statement. “Furthermore, DORA sets out a number of mandates for the three ESAs to develop [regulatory technical standards (RTS) and implementing technical standards (ITS)] which would base the future delegated and implementing acts in the area of ICT risk in finance.”

“As regards the ESAs guidelines: we can confirm that these guidelines would not be repealed just because DORA comes into application. In fact, these guidelines (level 3 acts) will have to coexist with DORA (level 1 act) and with delegated / implementing acts (level 2 acts),” they said.

“Clearly, to ensure coherence with the new rules in DORA, some parts of the existing guidelines will have to be amended (or deleted) to become fully coherent with, and aligned to, the new level 1 (DORA) and level 2 acts,” the spokesperson said.

Luke Scanlon of Pinsent Masons, a specialist in technology contracts in the financial services sector, said: “The Commission's statement has confirmed that compliance with DORA may involve a multi-staged process for many regulated financial entities.”

“First, they will need to address whether they meet the requirements of DORA, second, they will need to wait for the additional rules set out in delegated acts and regulatory technical standards, and third, they will need to wait for amendments that are made to existing ESA guidelines to address inconsistencies and overlaps,” he said.

“It is therefore clear that managing changes in the regulation of digital operational resilience and third party risk management will remain areas of priority for a significant period of time,” Scanlon said.

Operational resilience requirements in EU financial services are currently reflected in a variety of legislation and guidelines. This includes separate guidelines issued by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), which between them set out requirements around outsourcing, the use of cloud providers specifically, and on ICT and security risk management.

The Commission tabled its DORA proposals in September 2020, alongside a draft directive which would amend existing legislation concerning operational risk and risk management requirements in EU financial services. The purpose of DORA is to set a single set of strengthened, overarching rules for financial entities around ICT risk management.

Since it was proposed by the Commission, DORA has been subject to scrutiny from the EU’s two law-making bodies – the European Parliament and Council of Ministers. Earlier this week those bodies reached provisional agreement on the text, moving DORA a step closer to being finalised.

DORA addresses many of the same issues that the guidelines issued by the ESAs cover, such as requirements around business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as around management of third-party ICT risk. It sets out enhanced requirements around digital operational testing – including around penetration testing. DORA will also regulate the contractual arrangements concluded between ICT third-party service providers and financial entities, addressing issues such as audit rights, oversight of sub-outsourcing, data requirements, termination and exit strategies.

DORA also envisages direct regulation of major technology providers to financial entities for the first time, under a framework that would give powers to the ESAs to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance.

Rewiring financial services
Digital transformation is accelerating in the financial services sector, particularly in the wake of the global pandemic. We investigate the legal and regulatory landscape in financial services technology and highlight the opportunities for change.
Rewiring financial services