THE IMPACT OF DORA ON ICT SERVICE PROVIDERS: WHAT CLOUD AND SAAS SERVICE PROVIDERS NEED TO ANTICIPATE
20 December 2024
If you provide information and communication technology services (as an ICT service provider), such as cloud computing or SaaS services, to financial institutions (banks, insurance companies, etc.) or crypto entities (crypto-asset service providers as defined under the MiCA regulation – please see our overview), it is likely that you are impacted by EU Regulation n°2022/2554 on digital operational resilience for the financial sector (the “DORA Regulation”), which will apply across the European Union from January 17th, 2025.
DORA’S SCOPE OF APPLICATION
- Covered financial entities are directly impacted by the DORA Regulation. The DORA Regulation is designed to strengthen the digital operational resilience of financial entities across the EU. It harmonises the rules on operational resilience for the financial sector and applies to 20 different types of financial entities (as listed under Article 2 of the regulation), among which credit institutions, payment institutions, electronic money institutions, investment firms, trading venues, crowdfunding service providers and crypto-asset service providers.
- ICT service providers fall within the scope of the DORA Regulation when they provide services to covered financial entities.
- A key addition of the DORA Regulation is the introduction of obligations relating to third-party ICT service providers and their subcontractors, because of the potential risk they represent for financial entities.
- Regardless of geographical location, any ICT service provider serving a covered EU financial entity is affected by DORA.
ICT SERVICE PROVIDER CLASSIFICATION
The DORA Regulation defines three different classifications of ICT service providers, following a risk-based approach:
General obligations applicable to all relations between an ICT service provider and a financial entity
The DORA Regulation introduces new obligations impacting contractual relationships, which must be formalised in a written contract, with:
- Mandatory clauses relating to the services provided, their location, service levels and data security, termination conditions, …
- Obligations arising from the mandatory clauses: authorising audits carried out by the financial entity, assisting it in the event of an ICT-related incident, …
Extended obligations if the ICT service provider supports critical or important functions of a financial entity
Where the ICT service provider supports a function whose interruption could significantly affect the financial performance of the financial entity or its compliance with its legal obligations, the content of the mandatory clauses is broader, namely:
- A higher level of security standards to be met
- An obligation for the ICT service provider to participate in the threat-led penetration testing carried out by the financial entity
- Unlimited access, inspection and audit rights for the financial entity
Additional regime for ICT service providers designated as “critical”
The European supervisory authorities (EBA, ESMA, EIOPA) will designate critical ICT service providers based on qualitative and quantitative criteria (e.g. the number of financial entities to which services are provided and the total value of the assets of those financial entities) in order to assess their level of risk:
- Critical ICT service providers will be subject to a separate supervisory framework operated by the European supervisory authorities; the lead supervisor assigned to them may impose various obligations.
- Critical ICT service providers are directly responsible under the DORA Regulation.
NEXT STEPS
With the regulation being fully applicable from January 2025, ICT service providers should adopt a proactive approach:
- Identify financial entity clients and related services: ICT third-party service providers should check whether their client base includes covered financial entities and identify the services provided, in order to determine whether those services support critical or important functions. ICT providers should also assess the risk of being designated “critical” on the basis of the assessment criteria (see the delegated regulation here).
- Check the obligations associated with the ICT qualification and review agreements: covered ICT third-party service providers are advised to review their ongoing agreements with covered financial entities in order to include the new mandatory contractual clauses.
It should be noted that the supervisory authorities’ oversight activities are expected to start from 2025, notably with the designation of critical ICT service providers.