The big picture: A two-step indicator-based approach proposed by EU supervisory authorities will be used to assess ICT services providers to determine whether they should be designated as critical and subjected to oversight under the Digital Operational Resilience Act (DORA).
Why it matters: For many technology firms designated as critical, meeting the requirements of DORA and financial services regulators will be challenging. Demonstrating compliance and giving regulators access to premises will create complexities, and there are potential financial penalties as well as the risk of being publicly disclosed.
What’s next: Technology companies should prepare for the new rules by understanding the requirements and engaging in the consultation processes. Even if an ICT services provider is not designated as critical under DORA, aligning with DORA’s standards can provide a competitive advantage.
The oversight framework and compliance obligations for financial services companies specified in the European Union’s Digital Operational Resilience Act (DORA) have generated significant attention since its formal adoption in November 2022. But there has been less focus and clarity on DORA’s impact on information and communication technology (ICT) services providers that do business in the EU financial sector. This, in part, may be because the criteria for designating critical ICT services providers that come under the oversight framework took a while to be ironed out. While they were published in late September 2023, the details of the designation procedure are yet to be defined.
DORA is part of the EU’s digital finance package, a body of measures meant to enable and support innovation and competition in digital finance while mitigating related risks. It is the first financial regulation in the EU that applies to ICT services providers, which include cloud service providers, information security and cybersecurity providers, network infrastructure providers, data center providers, software development firms, and data analytics firms. Under DORA, the European Supervisory Authorities (ESAs) — including the European Banking Authority — are responsible for directly supervising ICT services providers deemed to be “critical” to the operations of financial entities. The regulation creates a universal and binding ICT risk management framework and standards for all financial institutions in the EU — including banks, credit institutions, insurers, payment processing firms and nontraditional entities such as crypto-asset service providers — to implement into their ICT systems by January 17, 2025.
A holistic approach to assessing criticality
The ESAs have proposed a two-step indicator-based approach to performing a holistic criticality assessment of ICT services providers. As part of Step 1, an ICT company falls under the oversight framework if it provides support for critical or important functions to:
- 10% or more of the total number of financial entities in the EU.
- 10% or more of financial entities in the EU as measured by the financial entity’s total value of assets or an equivalent metric.
- At least one globally systemically important institution or at least three other systemically important institutions.
- At least one financial market infrastructure identified as systemically important or at least three financial entities identified as systemically important.
- Financial entities in an area of service where there is no alternative service provider, as identified by 10% or more of those entities.
- Financial entities in an area of service that is highly complex or difficult to migrate or reintegrate from the service provider, as identified by 10% or more of those entities.
ICT services providers that exceed a certain number of minimum relevance thresholds across all six Step 1 indicators could be subject to further assessment under Step 2. A methodology for the collective application of Steps 1 and 2 (described in the graphic below) is being developed.
The two-step indicator-based approach to performing a holistic critical assessment.
What it means to be deemed ‘critical’
An ICT services provider deemed critical can expect to be assessed annually by a lead overseer, which could be a regulator or independent experts. Based on the assessment, the lead overseer will produce an annual oversight plan and objectives, and the company has a short turnaround window of 15 days to respond to the draft plan.
Additionally, the critical ICT services provider should be prepared to receive direct inquiries about audits from its EU financial services clients. The clients can send auditors to assess how the ICT services provider is managing and operating activities related to operational resilience as outlined by the regulation. While these types of requests may not be new, clients may require more detail or access than they have in the past.
Critical ICT services providers can also expect to be charged fees to cover expenses incurred by the lead overseer in relation to the conduct of oversight tasks. The amount of fees and the way in which they are to be paid have yet to be determined. There is also a potential penalty of up to 1% of daily turnover, which is charged daily for up to six months for noncompliant critical ICT services providers. While not defined in the regulation, noncompliant ICT services providers may also face public disclosure of noncompliance and, in more egregious instances, limitations on their ability to work with financial services clients.
Finally, ICT services providers that are not within the EU territory will need to set up a subsidiary in the EU within 12 months of being designated as a critical provider. In addition to the cost implications, the EU entity will need to be an active part of management and be accountable to EU regulators and customers.
How to prepare for DORA
For many technology firms or ICT providers, meeting the requirements of DORA and the expectations of financial services regulators in the EU will be a heavy lift. For instance, demonstrating compliance (e.g., compiling and providing documentation on business models, controls and systems) and giving regulators access to premises and on-site reviews will create complexities for many firms. ICT services providers can take proactive steps now to prepare for the new rules, including:
- Understanding DORA’s requirements, as outlined, and determining whether what the business provides might be categorized as systemically important to the financial services sector.
- Creating a centralized, consistent process, with documentation, for responding with speed and ease to audit and assessment requests from financial services clients and regulators.
- Conducting a gap assessment against the current version of DORA to understand whether any fundamental gaps exist and how to address them (e.g., will the business need to stand up a meaningful presence in the EU, and how long will that take?).
- Engaging in the consultation processes related to DORA to stay apprised of developments and providing input through lobbying and proactive advocacy.
- Proactively reaching out to financial services clients in the EU to explain what the business is doing to meet DORA requirements, including for digital operational resilience testing (e.g., vulnerability assessments, network security assessments).
Even if an ICT services provider is not designated as critical under DORA, it’s likely that its financial services clients will cast a more critical eye on that ICT services provider’s operations. Financial services companies will question whether an ICT services provider’s current practices and policies could potentially put their operational resilience at risk. These inquiries may lead to financial services companies taking appropriate actions, especially in cases where the ICT services provider supports an EU-regulated entity’s critical or important function. ICT services providers also run the risk of being designated critical in the future if their financial services market share grows to a point where it meets the EU’s criteria.
Aligning with DORA’s standards can provide tech firms a competitive advantage by demonstrating that they prioritize risk reduction and operational resilience regardless of whether they are required to do so. Those companies not operating in the EU will be wise to also prepare given the strong possibility that other jurisdictions such as the United Kingdom and the United States will seek to create similar regulatory regimes.
Protiviti Managing Director Bernadine Reese contributed to this blog post.