
DORA Regulation is in force! What should we prepare for?


On 17 January 2025, DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) became applicable across the EU, bringing major changes to cybersecurity in the financial sector.

Below is a basic overview of how DORA may affect your company.

What does DORA regulate and to what entities does it apply?

DORA sets out requirements for the security of the network and information systems that support the business processes and other functions of financial entities, together with further rules on the management of information and communication technology (ICT) risk.

These rules apply directly to financial entities. The term covers most institutions operating in the financial services market, such as credit institutions, investment firms, central securities depositories, payment institutions, insurance and reinsurance undertakings, and the other entities individually listed in DORA. By contrast, DORA's personal scope exempts, among others, below-threshold managers of alternative investment funds and insurance intermediaries that are micro, small or medium-sized enterprises.

Today, financial entities routinely outsource certain activities and therefore depend on external suppliers.

DORA therefore also sets out key principles that financial entities should respect when managing ICT third-party risks. These principles are accompanied by a set of core contractual provisions to support the effective management of risks arising from the provision of ICT services by external entities.

DORA therefore reaches ICT service providers indirectly: the key contractual provisions it prescribes (Article 30) must be included in the ICT service contract, so a provider that wants to keep serving financial entities has to accept them.

So-called critical ICT third-party service providers are also directly affected by DORA. They are designated by the European Supervisory Authorities (EBA, EIOPA and ESMA) on the basis of the criteria set out in DORA (Article 31), and the European Supervisory Authorities publish and maintain a list of designated providers. Designated providers are directly subject to certain obligations under DORA and fall under an oversight framework run by the European Supervisory Authorities.

Outsourcing of ICT services

If you purchase or provide ICT services as part of your business, you may be significantly affected by DORA. 

If you are a financial entity, you will be obliged, among other things, to review the content of all contracts with ICT service providers against the ICT third-party risk management requirements and, where deficiencies are identified, have the contracts amended as necessary. You will also have to keep a register of information on all contractual arrangements for ICT services, which supervisors may request.

Conversely, if you are an ICT service provider, the financial entities that buy your ICT services will most likely approach you with such a contract amendment soon, if they have not already done so.

However, as outlined above, DORA's third-party risk rules apply to an outsourcing arrangement only where:

  1. the service provided to the financial entity is an ICT service within the meaning of DORA; and 
  2. the extent of the obligations then depends on how important the ICT service is to the financial entity, in particular whether it supports a critical or important function.

So, what does an ICT service mean?

DORA defines ICT services as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.[1]

The definition is very general, so the range of activities that fall under it is relatively broad. It includes services such as software development and testing, rental of data storage hardware, operation of telecommunications systems, software rental, cloud services, hosting services and many more. Note that the definition expressly covers hardware as a service and hardware support delivered through software or firmware updates, and expressly excludes only traditional analogue telephone services.

In practice, such ICT services are typically provided under licence contracts, software development or implementation contracts, hardware rental contracts and/or data analysis contracts, and DORA applies regardless of how the contract is labelled.

What specific obligations must be included in the contract?

The scope of the contractual obligations depends primarily on whether the ICT service supports the critical or important functions of the financial entity.[2] Contracts supporting such functions must contain an extended set of provisions (for example on exit strategies, audit and access rights, and participation in the financial entity's testing). This assessment is carried out by the financial entity itself, under its own responsibility, on the basis of its ICT risk analysis.

The content of each contract will therefore vary with the specific ICT risks the financial entity has identified in relation to the outsourced function. Where its risk assessment justifies a more stringent standard for some of these obligations, the financial entity may require that standard. Ultimately, it is the financial entity that remains responsible for its ICT third-party risk management, and thus for ensuring an appropriate contractual framework with each provider.

DORA as a challenge for financial entities and ICT service providers

DORA brings a large number of changes that affect not only financial entities. ICT service providers that work with financial entities will also have to respond to the new regulatory requirements and adapt their internal operating mechanisms, including incident reporting, security testing and subcontracting arrangements, accordingly.

At HAVEL & PARTNERS we have a team of specialists who actively handle DORA-related matters. We have experience in preparing expert opinions, in particular on assessing DORA’s impact on specific ICT service providers, and in reviewing contractual amendments reflecting DORA requirements.

  • [1] – The full text of the definition of ICT services is: “Digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.”
  • [2] – Critical or important function means: “A function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.”