1. The DORA legislative framework is made up of multiple sets of texts
DORA is a sector-specific legislation that covers a wide range of financial entities regulated at EU and national level, such as credit institutions, payment institutions, electronic money institutions, investment firms, managers of alternative investment funds, management companies, insurance and reinsurance undertakings, insurance intermediaries, and ICT third-party service providers, including cloud service providers.
The DORA regulatory framework consists of several layers:
- the core DORA legislation, outlining general principles and rules;
- two Commission delegated regulations which have been published in the OJEU in May 2024, namely Commission Delegated Regulation (EU) 2024/1502 specifying the criteria for the designation of ICT thirdparty service providers as critical for financial entities and Commission Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the lead overseer to critical ICT third-party service providers and the way in which those fees are to be paid. These two delegated regulations entered into force on June 19, 2024;
- Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) which are developed by European supervisory authorities (EBA, ESMA and EIOPA, together the ESAs) and submitted to the European Commission for final adoption. The RTS and ITS provide detailed specifications on topics such as ICT risk management, ICT third-party risk, incident reporting, digital operational resilience testing, information sharing, and the oversight of critical ICT third-party service providers. As of July 2024, the ESAs published a second batch of RTS and ITS, which has been submitted to the European Commission for review and final adoption. The remaining RTS on subcontracting ICT services are expected to be published in the upcoming weeks; and
- guidelines developed by the ESAs on topics such as estimation of aggregated costs and losses from major ICT-related incidents or on cooperation between the ESAs and competent authorities.
2. Strict regime of sanctions applies in case of non-compliance with DORA requirements
DORA leaves it to the national supervisory authorities to determine the sanctions for non-compliance. For instance, in Germany, the cabinet has initiated a new law (the Financial Market Digitalization Act, Finanzmarktdigitalisierungsgesetz – FinmadiG). This law designates the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) and, in some cases, the German Bundesbank as the competent authorities in charge of supervising that financial entities under their supervision comply with the new DORA requirements. It also sets out the supervision and investigation powers granted to the BaFin and the Bundesbank in this context as well as the administrative measures and penalties that they may impose. According to the proposal, these measures may include administrative fines of up to EUR5 billion.
3. How financial entities should prepare their DORA compliance through governance, ICT risk and third-party contracts
DORA does not grant any transitional or grace periods for complying with applicable requirements, and competent authorities will likely expect financial entities to be fully compliant as from January 17, 2025.
Therefore, financial entities need to start preparing as soon as possible, by:
- conducting a thorough mapping of their ICT systems, processes, risks, and dependencies,
- involving their top management in the governance and oversight of their digital operational resilience.DORA places a strong emphasis on a sound governance, which requires entities to establish clear roles and responsibilities, policies, and procedures, reporting and escalation mechanisms, and internal and external audit and assurance functions;
- reviewing and updating their contracts and arrangements with their ICT third-party service providers, to ensure that they comply with the requirements and standards of DORA, and that they can monitor and assess their performance and resilience. In our experience, in practice changes are required compared to agreements under existing outsourcing guidance and requirements; and
- developing and implementing robust ICT risk management frameworks, incident reporting systems, digital operational resilience testing programmes, and information sharing platforms, to ensure that they can effectively prevent, detect, mitigate, and respond to ICT-related incidents and risks.
