Many financial organisations are currently working flat out to implement the Digital Operational Resilience Act, or Dora for short. And with good reason, as the regulations come into force on 17 January 2025. By then, a large number of contracts will have to be reviewed and generally adapted. 

The legislator has granted companies a transition period, as the requirements are comprehensive. Dora was published in December 2022. The regulation has been in force since 16 January 2023 and the two-year implementation period ends in a few weeks.

Businesses and services affected

On the one hand, the regulation is aimed at financial companies. The term “financial entity” not only covers traditional financial service providers such as credit institutions or payment service providers, but is to be interpreted broadly. 

On the other hand, Dora is aimed at so-called ICT third-party service providers. These are providers of information and communication technology services. ICT service providers include cloud computing services (IaaS, PaaS, SaaS), software providers, data analytics companies and operators of data centres, ICT project managers, ICT helpdesk and incident managers as well as the providers of network equipment and network services.

Technical and regulatory requirements

Dora will require further technical development from many companies, as the monitoring and documentation requirements are detailed. When outsourcing services, financial institutions must consider a list of minimum criteria, including the location of the ICT sub-contractor or parent company, the number of ICT sub-contractors, the nature of the data shared, the location of data processing, the transferability of the ICT service to another third-party provider, the potential impact of disruptions on the continuity and availability of ICT services and others.

From a legal perspective, the requirements in Dora’s Chapter V for outsourcing contracts between financial institutions and third-party ICT service providers pose particular challenges for financial institutions. Existing third-party service provider contracts need to be reviewed and adapted, and appropriate contractual conditions need to be drafted and implemented for new contracts. The concept of ICT services within the meaning of the regulation should be interpreted very broadly. With the exception of analogue telephone services, it includes practically all telecommunications services.

Dora introduces new contractual provisions. In future, contractual agreements will have to specify how the service provider will participate in programmes to raise awareness of technological security or in training courses on digital operational resilience. For particularly critical or important functions, the contract should also include an obligation for the service provider to participate in, inter alia, penetration tests conducted by the financial institution. Further provisions regulate the agreement of participation in bundled testing of IT systems, the right of termination or the handling of ICT third-party service provider subcontracts.

Next steps

For those who have not yet reviewed their existing contracts, with particular attention to subcontracts with ICT third-party service providers, and devised new contractual provisions for future contracts, the process should be speeded up as much as possible. While the regulators might not start investigating from day one, the time left to make adjustments is definitely limited.

The question remains as to what impact Dora will have on the financial and fund industry. Experience from previous major regulatory projects suggests that the increased workload is likely to result in even more asset managers, in particular, asking themselves whether they want to comply with all the requirements themselves or whether they would prefer to focus more on their group competencies and rely more on service providers, such as third-party ManCos, who can relieve them of many of the requirements.

Martin Groos is a member of the management board of Universal Investment Luxembourg. The firm is a member of Investment Officer’s panel of experts.
