Digital Operational Resilience Act
The JC’s Reg and Leg resource™
EU Edition
The Digital Operational Resilience Act — so named even though the EU doesn’t technically have “acts”, we think, because “DORA” is a neat and quite cute acronym whereas “DORR” sounds a bit intellectually challenged and “DORD” sounds like the sort of thing that blocks a Galway lavatory — is an EU Regulation aimed at strengthening the IT security of financial entities and ensuring the European financial sector remains resilient during severe operational disruption.
It comes into force on 17 January 2025.
UK equivalent
DORA was not directly copied into UK law as part of the Brexit transition because TAKE BACK CONTROL and everything, but the UK’s own regulatory framework addresses similar concerns about digital operational resilience because SILICON ROUNDABOUT and everything. This includes the UK Critical Third Parties (CTP) regime, primarily established through the Financial Services and Markets Act 2023, which aligns closely with DORA’s objectives. It allows HM Treasury (HMT) to designate third parties as “critical”, though this is done by name and not by category, so the number of designated “Critical Third Parties” in the UK is relatively small. The designation process focuses on those third-party service providers whose failure could pose significant risks to the stability and resilience of the UK financial system.
Key legal provisions
DORA requires in-scope financial entities to include certain key provisions in their contracts with providers of in-scope ICT services, so that the financial entity maintains operational resilience and can manage the risks associated with those ICT services effectively:
- Description of services: A clear description of all functions and ICT services, and the locations from which these services and data processing are provided.
- Service levels: Detailed service level agreements — gulp — specifying performance standards and uptime availability.
- Data security: Provisions for data security and protection from unauthorised access.
- Audit rights: Wide-ranging audit rights for the financial entity to ensure compliance with the contractual terms and regulatory requirements.
- Termination rights: Specific termination rights, including the conditions under which the contract can be terminated and the procedures for doing so.
- Subcontracting: Conditions for subcontracting ICT services, especially for critical or important functions.
- Co-operation with authorities: Requirements for the ICT service provider to cooperate fully with competent authorities in case of investigations or incidents.
- Exit strategies: Provisions for managing the exit and transition of services to another provider or back in-house, ensuring continuity and minimal disruption.
Business Process Outsourcers
Business Process Outsourcers (BPOs) focus on handling specific business processes for financial entities and may or may not involve ICT services.
- If they provide critical or important functions that involve ICT, they are deemed critical ICT third-party service providers and would fall under DORA’s scope.
- Not all BPOs are ICT providers, and not all ICT providers are BPOs. A BPO could also be a third-party ICT provider if it offers ICT services as part of its business process outsourcing.
Third-Party ICT providers
Third-party ICT providers specifically provide “Information and Communication Technology” (ICT) services.
- Critical vs non-critical: In scope for DORA if they provide critical or important ICT services to financial entities.
- Critical ICT third-party service providers (CTPPs) are directly regulated and must comply with specific requirements on risk management, incident reporting, etc.
- Non-critical ICT third-party providers and BPOs are not directly regulated by DORA, but in-scope financial entities using their services must ensure that they comply with DORA requirements through contractual arrangements.