Digital Operational Resilience Act: Changes to outsourcing risk management
The Digital Operational Resilience Act, known as DORA, came into force on 16 January 2023 and will take effect on 17 January 2025. Financial institutions and ICT service providers have less than 24 months to ensure compliance of their activities with the new rules. These apply, among other things, to the management of risks associated with third parties, in particular the management of outsourcing risks.
Outsourcing by financial institutions is an area that has received considerable supervisory attention in recent years. In order to improve their services and reduce costs, financial institutions are outsourcing more activities, including ICT services – which are the focus of the DORA Regulation.
The existing legal regulation on outsourcing of activities carried out by financial institutions is fragmented, and mostly contained in special laws regulating business in individual sectors of the financial market (e.g. insurance, banking, capital market services). Specific interpretive guidance on the otherwise relatively sparse legislative regulation of outsourcing is then found mainly in the guidelines of individual sectoral supervisory authorities (e.g. EBA Guidelines on outsourcing arrangements, EIOPA Guidelines on outsourcing to cloud service providers or the CNB Opinion on the use of cloud computing by credit institutions).
The current legislation on outsourcing already imposes obligations on certain financial institutions (in particular banks and insurance companies) that are similarly harmonised by the DORA Regulation (e.g. risk assessment of outsourcing, requirements for contractual arrangements with the third-party service provider, etc.). For these financial institutions, the DORA Regulation will represent a certain adjustment to the status quo as regards the management of risks associated with third parties. For other financial entities, however, DORA will represent a completely new regulatory framework and the need to adapt their activities accordingly.
DORA Regulation and Outsourcing
The DORA Regulation unifies the regulation of outsourcing of ICT activities for the entire financial sector. In relation to the NIS2 Directive, which was also adopted at the end of 2022 and sets general digital security requirements, DORA is the sector-specific regulation (lex specialis). Financial entities that fall under both DORA and NIS2 will therefore be governed primarily by DORA, which is thus the main digital security regulation for the financial sector.
The requirements resulting from the regulation of outsourcing for financial entities have so far mainly concerned two areas – setting up an internal system for risk management of outsourcing and the specific incorporation of regulatory requirements into contractual arrangements with third-party service providers. This concept remains unchanged under DORA.
1) Internal Risk Management System
The development of a workable internal system for managing the risks arising from the outsourcing of ICT services is the primary responsibility of the lead authority of the financial entity (its management body). That body should ensure that a system is established which is proportionate to the size and business activities of the financial entity and to the nature of the outsourced services. In this respect, it is particularly important to assess whether the outsourced ICT service supports critical or important functions of the financial entity (a significant ICT service), as this determines the extent of the associated risk management requirements.
In terms of specific obligations, financial entities should, in particular, conduct audits of outsourced providers, keep a register of information, and report new outsourcing contracts to the competent supervisory authority. In relation to significant ICT services, financial entities will also be obliged to notify the supervisory authority in advance of the planned conclusion of an outsourcing contract, verify compliance of third-party service providers with security standards, and put in place a strategy for terminating the contractual relationship (an exit strategy). Such a strategy must ensure that the termination of the contractual relationship with the third-party service provider of significant ICT services does not jeopardise the financial entity’s operations or its compliance with regulatory requirements, and does not result in a deterioration in the quality of services provided to clients during the transition period. As part of the strategy, financial entities must also establish a plan to migrate to an alternative third-party service provider or to bring the provision of the relevant services in-house.
As part of internal risk management, financial entities will be required to make a preliminary assessment of the benefits and risks of newly outsourced significant ICT services, in terms of the potential substitutability of the outsourced provider and the concentration of multiple significant ICT services with a single third-party service provider or with providers closely related to it. How supervisory authorities will approach the justification and demonstration of sufficient digital resilience for business models in which the majority of significant ICT services are outsourced to, for example, a single third-party service provider is therefore likely to be settled only in supervisory practice.
Financial entities will also be required to monitor whether any subcontracting chains of third-party service providers of significant ICT services lead to countries outside the European Union, whether their length or complexity poses a risk to the provision of the services agreed, and whether they undermine effective supervision of such provision.
2) Minimum Contractual Provisions
The DORA Regulation also lists the minimum contractual provisions to be included in outsourcing contracts, and this list is further extended by additional clauses where significant ICT services are outsourced. The list of minimum provisions also includes regulatory requirements for the eventual termination of the contractual relationship with the third-party service provider. The introduction of the list of contractual provisions in the DORA Regulation itself undoubtedly increases the pressure on financial entities to include them in outsourcing contracts. On the other hand, however, it provides them with concrete support in negotiating contracts with third-party service providers. Some of the provisions will be specified in an implementing regulation expected to be published in the first half of 2024.
The new obligations will also apply to critical third-party service providers of ICT services whose activities have a systemic impact on the financial sector in the European Union, as the DORA Regulation also includes robust supervision of these providers by the European Supervisory Authorities. The determination of who is a critical ICT third-party service provider will be made by the supervisory authorities themselves.
DORA in Practice: Summary of Key Changes
Financial entities will have to revise their ICT cooperation settings with third parties before DORA takes effect. In particular, it will be necessary to:
- revise (or create) their internal management and control system or similar internal documents constituting the risk management system;
- review and renegotiate contractual arrangements with third parties providing ICT services.
Third-party service providers should also take notice of this issue, especially if they may fall into the category of critical ICT third-party service providers or provide significant ICT services, as they will face a number of new obligations.
Due to the time-consuming nature of this process, it is advisable to start the review well in advance, considering the scope of the business activity and the size of the entity. If you are unsure as to what extent DORA will affect your company’s operations, do not hesitate to contact our experts to help you prepare for the changes.