Time for action – EU Digital Operational Resilience Act (DORA)

The EU Digital Operational Resilience Act (DORA) will come into force on 17 January 2025. By that date, financial institutions with an EU (and/or EEA) presence will be expected to have taken significant steps to comply.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

These steps include reviewing ICT service contracts for compliance with two sets of mandatory contractual requirements. One set applies only to contracts for services provided for critical or important functions of financial institutions. It includes requirements for unrestricted access and audit rights, detailed subcontracting provisions and commitments to participate in threat-led penetration testing which financial institutions undertake. 

Many financial institutions will recognise these requirements from other similar regimes such as the Prudential Regulation Authority’s recent SS2/21 and the earlier EBA Guidelines on Outsourcing. While similar, the requirements are not all the same, and therefore even contracts which have been reviewed to comply with these regulatory frameworks should be assessed for compliance with DORA.

  1. A second broader set of requirements applies to all contracts for ICT services regardless of whether they are provided for critical or important functions. These requirements include the notification of all service and data processing locations, provisions on availability, authenticity, integrity and confidentiality of data and a requirement to assist if the financial institution experiences an ICT incident.
  2. Unlike many of the previous third-party risk regulatory regimes, DORA goes beyond outsourcing, and brings all “data and digital services” provided to financial institutions through ICT systems within its scope. The starting point for many financial institutions has been to consider whether their existing contract registers sufficiently capture all contracts and not just those that relate to outsourcing or subsets such as cloud contracts. 

The EU supervisory authorities have now made available final implementing technical standards for templates for contract registers which set out the types of ICT contracts expected to be kept and the data points required to be obtained from ICT service providers and their subcontractors. Regulators will have the power to request the full contract register, or specific sections of it, at any time.

The mandatory contractual requirements set out in DORA have been supplemented by further “regulatory technical standards” that have been, or a due to be, finalised as secondary EU legislation. One set of these standards provides a prescriptive list of requirements that are to govern the subcontracting practices of ICT services providers. Financial institutions will need to ensure that their reviews of existing contracts for compliance with DORA do not consider just the mandatory requirements set out in its level 1 text but also these secondary requirements which form part of the regulatory technical standards.

With DORA’s extended application to many digital and data services not covered by previous regulatory regimes, financial institutions may need to undertake significant work to identify all contracts within its scope and conduct gap analyses to ensure compliance. Time will be needed to negotiate with suppliers, in particular, digital and data service providers that typically would not have been subject to previous regulatory change exercises. 

While the task of reviewing all contracts and remediating by January may seem daunting, it can be achieved by taking the well-trodden methodical path of streamlining gap assessments, prioritising critical vendors, and preparing standardised variation agreements that balance the need to meet regulatory requirements with the operational realities of each type of service arrangement. The time for action is now as January 2025 is only a quarter away.