Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Preparing for DORA: Compliance Deadline Arrives

As of Friday, January 17, 2025, financial entities must be compliant with the EU’s Digital Operational Resilience Act (DORA). Implementation efforts have accelerated in recent months to meet the deadline and in many cases are still ongoing. The European Supervisory Authorities (ESAs) published a joint statement last month emphasizing the importance of financial entities adopting a robust, structured approach in order to meet their obligations in a timely manner.

Below we examine some key trends seen from implementation efforts and, in particular, how some technology providers have proactively supported their customers’ implementation efforts.

Background

DORA applies to financial institutions, investment firms, fund management companies, insurance undertakings, and other financial entities regulated in the EU. One of DORA’s key objectives is to strengthen operational resilience by ensuring prudent risk management of information and communication technology (ICT) services, including an organization’s cloud, software-as-a-service, digital data, and IT infrastructure arrangements.

DORA harmonizes various preexisting EU requirements, and introduces new requirements, around the following key pillars:

  • ICT risk management framework: Financial entities must adopt a comprehensive and well-documented ICT risk management framework that is reviewed on an ongoing basis. The requirements cover cybersecurity training, business continuity planning, ICT asset management, data, monitoring of ICT systems, vulnerability management, ICT change management, and more.
  • Digital operational resilience testing: Financial entities must conduct appropriate testing on ICT systems and tools. Systemically important entities must conduct threat-led penetration testing at least every three years.
  • ICT-related incident management and reporting: Financial entities must have in place a comprehensive framework for detecting, classifying, and reporting ICT-related incidents in line with prescribed timescales.
  • ICT third-party risk management: Financial entities must ensure that all contracts with third-party ICT service providers—both intragroup and external—include mandatory contract provisions, covering, among other areas, service locations, data and confidentiality, business continuity, reporting of ICT-related incidents, and compliance with appropriate ICT security standards. More prescriptive requirements apply for ICT service providers that support critical or important functions. Firms must also maintain a register of all third-party ICT services arrangements and adopt a policy addressing compliance with the third-party risk management requirements.

Registers of Information Are a Priority

Under DORA, financial entities must maintain and submit to their national competent authority in the EU a comprehensive register of contractual arrangements with ICT service providers. The ESAs highlighted this obligation as a priority for early 2025 as national authorities must themselves report registers of information up to the ESAs by April 30, 2025.

The final templates for the registers of information were published on November 29, 2024, and throughout 2024 the ESAs ran a “dry-run” reporting exercise for financial entities to prepare for submissions.

Over recent months technology providers have received multiple requests for information on the data fields that must be reported. This includes a description of the ICT services provided to EU-regulated entities, locations of data storage, subcontracting arrangements, and compensation arrangements.

Key Trends from Contract Remediation

As implementation efforts have accelerated, the following key trends have emerged:

  • Scoping challenges: DORA applies to a broad array of ICT services. Certain technology providers that may not consider themselves service providers are being treated by financial entities as “ICT service providers.” A key debate is the extent to which any services are provided on an ongoing basis and/or through ICT systems, both of which underpin DORA’s definition of ICT services. Moreover, whether ICT services support critical or important functions is a determination for the financial entity, and some service providers whose ICT services are deemed to support critical or important functions have sought validation of that determination.
  • Focus on criticality: Many organizational requirements under DORA around ICT risk management and major incident reporting flow from identifying critical or important functions and many remediation efforts have rightly prioritized those third-party ICT services that support such functions over “noncritical” ICT services.
  • Proportionality is important for all ICT services: The principle of proportionality is expressly built into the application of DORA’s contractual requirements based on the nature, scale, and complexity of services. Therefore, in addition to focusing on criticality, it is important to recognize that the relevance of contract requirements will vary by types of ICT services, such as data and reporting obligations, and the types of ICT-related incidents that might pose a risk to the financial entity.
  • Leveraging existing terms: Many financial entities and their ICT service providers may have previously remediated contracts in order to comply with existing requirements around outsourcing. As such, there may only be a “gap” that requires addressing, which can streamline remediation efforts. Some technology providers have prepared their own contract templates, creating terms that are appropriate for their services, and this has been a differentiating factor to which financial entities are becoming more attuned.
  • Flowing down terms to subcontractors continues: DORA requires financial entities to have visibility of their supply chain for ICT services that support critical or important functions and requires certain rights and obligations to flow down to those subcontractors. This is one area in particular in which remediation continues past the compliance deadline, not least because the EU’s final legislation on subcontracting requirements under DORA is yet to be published. The draft subcontracting requirements and the register of information templates both place emphasis on those subcontractors that “effectively underpin” the ICT services supporting critical or important functions (i.e., those whose failure would impair the continuity or security of those services), and this principle can help frame contractual obligations.
  • Challenges to implementing a global approach: Nuances in the detail of various new and recently updated third-party risk management regimes for the financial sector, including DORA, the UK’s operational resilience rules, and outsourcing guidance from the Monetary Authority of Singapore, pose challenges to operationalizing controls at a global level for both financial entities and global service providers. While contract terms can adopt a modular form that streamlines key principles, differences in areas such as incident reporting, data classification, and subcontractors lead to local divergence of controls.