EU: Digital Operational Resilience Act (“DORA”) regulatory technical standards (“RTS”)
April 29, 2024
The DORA RTS require financial institutions to reconsider their organisational infrastructure and internal control systems to ensure effective management of the risks of outsourcing technological services.

Why should I read this?

The pivotal role played by information and communication technology (“ICT”) third-party service providers within the financial sector necessitates a strategic reconsideration of risk exposure. Financial entities must address the vulnerability of their technological environment in relation to the activities of these third parties.

What do I need to know about DORA?

Strategic ICT Risk Management

In light of the DORA Regulation and its accompanying technical standards, financial institutions must reassess their organisational structures and internal controls to ensure robust and ongoing risk management, particularly in relation to technology services linked to critical operations.

ICT Third-Party Influence

The increasing significance of ICT third-party service providers in finance requires financial services firms to undertake a strategic re-evaluation of their risk management approaches, focusing on the susceptibility of their technological infrastructures to disruption at third-party suppliers.

Risk Mitigation Mechanisms

Financial entities must establish specialised mechanisms and procedures to manage the risks of dependency on external ICT services. This necessitates a thorough overhaul of organisational frameworks and a review of existing technology service outsourcing agreements.

Enhanced Supervision and Control

The new DORA regulatory landscape imposes more rigorous supervision and control responsibilities on financial institutions, requiring comprehensive audit and monitoring of the entire technological service provider chain, including critical subcontractors involved in essential functions.

Contractual Compliance Review

Financial institutions must undertake an exhaustive mapping of all technological services and partners, assess IT security risks, and review all outsourcing contracts for technological services to ensure alignment with the mandates of the DORA Regulation.

Subcontractor Engagement and Oversight

ICT third-party subcontractors must be carefully evaluated to ensure that they possess the necessary technical and financial capabilities to help financial services firms meet their compliance obligations under DORA. Contractual arrangements must be reviewed so that they too reflect the financial services firms’ DORA compliance obligations.

Principles for Subcontracting Processes

The contracting process between technology service providers and subcontractors must adhere to the binding principles set out in DORA, including continuous monitoring, disclosure duties, and the sharing of internal audit plans and security programmes, so that financial institutions can exercise comprehensive control.

Potential Sectoral Impact

To implement the DORA regulatory framework, financial services firms must assume significant oversight powers over their ICT providers. The increased obligations and interference that follow from this pose a risk that providers may withdraw from outsourcing agreements or discontinue their provision of certain technological solutions. DORA may therefore lead to fewer providers and higher prices and, contrary to its aim, may actually increase risk by creating greater reliance by financial services firms on an even smaller group of ICT providers.
Further reading on DORA

See our previous client briefings:

How Eversheds Sutherland can help

We work closely with financial services clients locally and on a cross-border basis to ensure they meet regulatory requirements around operational resilience when outsourcing material or critical services. If things go wrong, we support our clients in their response to help them mitigate risk, including advising on and assisting with engagement with regulators and communication with customers.

In addition, we have established a multidisciplinary consortium with Grant Thornton and Trustwave to help our clients strengthen their digital resilience across four key areas: information security; outsourcing and transactions; regulatory compliance; and data privacy. The members bring core capabilities across legal, IT assurance, digital forensics, cybersecurity advisory, and strategic and technical consulting.