In a recent webinar forming part of DLA Piper’s ‘Digital Evolution in conversation with’ series, Kristof de Vulder caught up with Alessandro Ferrari, Linzi Penman and Conor McEneaney to discuss the scope and impact of the upcoming Digital Operational Resilience Act (DORA). They offered practical guidance to organisations dealing with one of the most comprehensive gap analysis and remediation exercises to face the EU financial services sector in recent years. The date for compliance is 17 January 2025 so read below for a summary of their insights.
The main impact of DORA
DORA is bringing a significant shift to the financial services sector in terms of how organisations must manage operational risk and ensure they can continue to deliver critical operations during a disruption. The regulatory focus has moved from protection to ‘resilience’. This is a much broader concept that encompasses preventing disruption, mitigation of an incident, and how to address the consequences of, and recover from, a disruptive event.
For financial entities, DORA introduces a structured set of requirements that will force organisations to re-evaluate:
- Data, cyber and contractual governance;
- risk management policies and processes;
- technology estates and testing approaches;
- incident management framework; and
- tech and data contracts.
These organisations are subject to extensive regulation already but DORA’s new requirements will bring yet more scrutiny and operational adjustment, adding another layer of rigour and cost. DORA also has a wide reach, applying to both intra-group and external ICT service providers and creating a dual-compliance requirement. The principle of proportionality, which is central to DORA, allows financial entities to adapt their compliance programmes according to the criticality and risk level of their services.
However, compliance strategies must be actively assessed to demonstrate that proportional measures are appropriate. To meet these requirements, some uplifts with be legal (e.g. contract risk tolerance and scope). Others will be operational (e.g. policy, procedure and risk and resilience). This will involve strategically prioritising critical functions and leveraging existing controls and processes where possible.
Firms in violation of DORA may face fines of up to 2% of their total annual worldwide turnover.
Certain ICT service providers to the sector will be designated as critical. They will be subject to direct scrutiny and oversight by financial regulators for the first time, which could involve onsite supervision, being directed to take remedial action, and potential direct regulatory penalties for non-compliance. This will be a huge shift from a governance and control perspective. DORA will still impact other ICT service providers and their supply chains, through the DORA-mandated contract clauses.
The impact on contractual arrangements
There is a lot of focus in the market now on the contractual requirements provisions of DORA. We are actively advising both financial entities and service providers in the review and negotiation of DORA addenda to remedy DORA compliance gaps that have been identified from a contractual requirements perspective.
We are seeing several different approaches in the market. At one end of the spectrum, there are all-encompassing projects where a gap analysis due diligence exercise is carried out and then, based on the output of that, tailored addenda for each in-scope contract are prepared. At the other end of the spectrum, a ‘one size fits all’ addendum is being rolled out to the market. Those that have been through similar contract remediation exercises such as for the EBA Guidelines on Outsourcing or for the GDPR will be familiar with the common negotiation issues we are seeing in the market. For example, whether suppliers can charge for assistance provided to customers and whether the use of endeavours qualifications are acceptable.
We are also seeing some customers look for additional contractual commitments from their suppliers beyond those expressly called out as contractual requirements in Articles 28(7) and 30 of DORA. An example of this is the confidentiality implications of sharing cyber threat information with peers under Article 45 with some customers looking for express carves out from their confidentiality commitments for such sharing.
There are a number of supply chain practical considerations for services providers in relation to how they respond to DORA’s contractual requirements. This includes the need to flow-down specific contractual provisions to sub-contractors for critical or important functions.
There is no transitional period under DORA for the remediation of existing contracts and this poses a major bandwidth and volume challenge for financial entities. In our experience, most larger organisations have started their DORA ‘repapering’ projects already. Some customer side entities are opting to remediate contracts for all ICT services now, while others are prioritising those services supporting critical or important functions, given the volume of affected contracts and the resource commitment involved. DORA defines ICT services broadly and includes services that were previously excluded from regulatory requirements or guidance (such as data analytics and data feeds), often necessitating a more nuanced exercise to determine which services are in scope. For regulatory purposes, financial entities will want to document how they arrived at their definition and determination of in-scope ICT services. This should be reflected in their ICT risk management processes for on-going adherence.
Except for large cloud service providers, our experience is that suppliers are generally not as far forward. We see some suppliers communicating to customers that they are not engaging with customers on contract remediation until all of the regulatory technical standards under DORA have been adopted. This could begin to hinder sales.
Preparing for 17 January 2025 – key takeaways
For financial entities:
- If you have not yet started thinking about DORA compliance, there is still time to remediate your contracts for DORA but the time for action is now. Regulatory authorities are already starting to investigate levels of compliance by financial entities with DORA.
- Initiate a comprehensive DORA applicability assessment and gap analysis – including a review of existing processes, risk management and operational structures (including roles and responsibilities), and especially ICT contracts. Document your plan to translate that analysis into action. Focus on services that support critical and important functions and have third party dependencies, as that will help you to identify elements needing the most attention. Regulators will be looking to see what steps you have taken towards compliance and your analysis of priority areas.
- Do not assume that your ICT contracts will be DORA compliant if they comply with the EBA’s outsourcing guidelines. DORA is broader in scope and, while not everything in DORA is new, it does introduce new requirements and these are often detailed. Every financial entity will have to do a gap analysis of its ICT contracts against DORA.
For service providers:
- There is no escape from DORA, even for large service providers to the sector who are used to operating on their standard terms. Certain contract provisions must be included for in-scope services to financial services clients. Taking a proactive approach, by integrating minimum DORA requirements into contract terms and producing contract playbooks, will help to put you on the front foot. Failure to comply could be a revenue blocker, especially at contract renewal phases or during due diligence onboarding.
- Look at what remediation exercise is needed with your own suppliers and supply contracts, to ensure that all links in the supply chain are aligned with DORA requirements and adequately prepared. Consider stress testing service levels to check if the current levels and performance standards are equipped to withstand the increased scrutiny from financial entities.
- You may already have (some) security and incident management structures including disaster recovery planning, penetration testing and vulnerability assessments. These should be revisited to confirm that your operational processes map to what you commit to contractually.
- DORA introduces new requirements that may bring additional cost and complexity for your wider organisation (such as additional processes and controls, participation in training and change, and testing services). Consider what the costs to you might be during the contract term, so that you are not caught out.
DORA’s extensive scope can seem daunting, with significant changes needed for compliance, even applying the proportionality principle. Enforcement is looming in just a few months. Our view is that responding to DORA can be targeted, and defensible compliance is possible before enforcement commences. DLA Piper offers integrated advice and implementation support to define and meet a proportionate level of compliance. We can help you comply without overextending resources or changing excessively to address gaps and emerging issues to meet DORA obligations quickly.
If you missed the webinar, you can view the recording and find out more about our upcoming events in the series here: Digital Evolution in conversation with | DLA Piper