Financial Regulations for Critical Third-Party Technology Providers in the EU and UK

Two new regulatory regimes will govern third-party providers of technology and other services to financial sector entities, such as banks, broker-dealers, and exchanges in the EU and UK. 

The EU regulation on digital operational resilience for the financial sector, the Digital Operational Resilience Act (DORA), was published in the Official Journal of the EU on 27 December 2022. DORA entered into force on 16 January 2023 and will apply starting 17 January 2025.

In the UK, Chapter 3C of the Financial Services and Markets Act (the Act), which received royal assent on 29 June 2023, extends to “critical third parties” (CTPs) various powers that the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have over firms. The FCA and PRA are still considering the rules that help give effect to the CTP provisions in the Act. These are expected to come into force in Q4 2023. You can read our alert on Chapter 3C and the proposed regulatory rules that will supplement it to learn more.

Read more about DORA and its implications below, and access our featured insights.

Too Important to Fail?

The more significant regulatory powers to emerge from the 2007–9 financial crisis, which include the power to take firms into public ownership, typically apply where a firm has failed or is close to failure (i.e. is a gone concern), as was the case with some banks and other institutions that thought themselves “too big to fail” during the financial crisis. These regulatory powers are, therefore, designed to mitigate the effects of failure.

Both DORA and the UK critical third-parties regime seek, instead, to prevent or, at least, reduce the risk of failure: like those in DORA, the powers under the Act are focused on CTPs as going concerns and are designed to prevent failure. As such, CTPs will in effect be subject to the same jurisdiction as financial sector entities, in that the EU and UK financial regulatory authorities will have near-identical powers, with the corresponding public law duties, over CTPs as those they have over financial sector entities.

More on DORA

DORA seeks to address potential systemic and concentration risks posed by the financial sector’s reliance on a small number of CTPs, and introduces an oversight framework for CTPs located in the EU that the three EU supervisory authorities (ESAs) deem to be “critical to the stability and integrity of the [EU] financial system” and designate as critical TPPs.

As an EU regulation, and unlike an EU directive, DORA will bind EU businesses directly without the need for the individual Member States themselves to implement laws to give DORA effect.

DORA requires the EU Commission to make further delegated regulations to expand DORA’s provisions (usually described as regulatory technical standards, or RTS).

Access our table setting out DORA’s provisions and identifying where RTS are necessary and the current status of those RTS.

DORA is capable of applying to non-EU CTPs, including those in the US and UK, that provide services to EU financial sector entities because it will require those non-EU critical CTPs to establish subsidiaries in the EU. 

In the UK, the Act defines a CTP as “a person who provides services to one or more authorised persons, relevant service providers or FMI entities.” It does not specify that the CTP must be established in the UK in order for it to be a CTP. Instead, it only requires that the financial sector entity, to which the CTP provides services, be in the UK. This indicates that the CTP regime will be capable of applying to non-UK CTPs, including those located in the US and EU.

On 26 May 2023, the ESAs issued a discussion paper (DP) to consult with market participants on further criteria for determining whether TPPs are “critical.”

DORA identifies four criteria for determining whether a TPP is critical:

  • The impact on the provision of financial services of the TPP’s failure
  • The importance of the financial sector entities that rely on the TPP
  • Reliance by many financial sector entities to support critical and essential functions
  • The degree of substitutability of the TPP

The DP proposes a two-step test for determining indicators of a qualitative and quantitative nature for each of the four criticality criteria:

  • Assessing TPPs against a set of quantitative criticality indicators, alongside respective minimum relevance thresholds (Step 1). Step 1 will indicate those TPPs that could potentially be considered as critical.
  • Further assessment of TPPs (Step 2) based on an additional set of qualitative criticality indicators. The DP states that the Step 2 indicators are complementary to the Step 1 indicators, allowing for a more granular assessment of the TPP.

This is further discussed in our published alert.

The regulatory framework of DORA is constructed upon a foundation of six fundamental pillars:

  1. Governance & Organization: DORA places a strong emphasis on aligning the business strategies of financial sector entities with information and communication technology (ICT) risk management, necessitating active involvement from management to establish clear roles and responsibilities, continuous monitoring, approval processes, and appropriate allocation of ICT investments and training.
  2. ICT Risk Management Framework: DORA establishes principles and guidelines for managing ICT risk in financial sector entities, including identification, protection, detection, response, recovery, learning, evolving, and communication. Financial sector entities are expected to maintain resilient ICT systems, minimize the impact of ICT risk, establish protection measures, promptly detect anomalies, and implement comprehensive business continuity and recovery plans.
  3. ICT Incident Management, Classification & Reporting: This pillar aims to harmonize and streamline the reporting of ICT-related incidents. Financial sector entities are required to establish a management process to monitor and log incidents, classify them based on specified criteria, and report major incidents to competent authorities using a common template. Supervisory feedback and guidance will be provided by competent authorities, and the possibility of centralizing incident reporting at the EU level will be explored.
  4. Digital Operational Resilience Testing: Financial sector entities will need to periodically test their ICT risk management framework for preparedness and identification of weaknesses. The testing requirements vary based on entity size, business, and risk profiles, with advanced testing using threat-led penetration testing reserved for significant and cyber-mature entities.
  5. Third-Party Provider Risk Management: Financial sector entities must monitor and address risks throughout their relationship with third-party providers, and contracts with such providers should cover service descriptions, data processing locations, performance targets, security provisions, access and audit rights, termination rights, and exit strategies.
  6. Information Sharing: Financial sector entities are encouraged to establish arrangements for exchanging cyber threat information and intelligence to raise awareness, minimise the spread of ICT risk and enhance defensive capabilities and threat detection techniques.

DORA introduces a number of mandatory contractual requirements for all arrangements between financial sector entities and their ICT third-party service providers, with additional requirements for providers supporting critical or important functions. These provisions concern descriptions of services, data processing locations, performance targets, security provisions, access and audit rights, termination rights, and exit strategies.

While there is substantial overlap with prescribed provisions from existing regulations, namely the ESA cloud outsourcing guidelines, DORA introduces additional contractual requirements with the intent to strengthen digital operational resilience and promote robust risk management practices. For instance, ICT third-party service providers must now agree to:

  • Participate in financial sector entities’ ICT security awareness programmes and digital operational resilience training
  • Participate and fully cooperate in the financial sector entity’s threat-led penetration testing
  • Provide assistance to the financial sector entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial sector entity occurs

Parties should also take care not to overlook slight nuances in the wording of existing rights and obligations prescribed by current regulations, as there are minor variations that go further than anticipated in the original guidelines. For example, both parties need to agree on notice periods and reporting obligations for any development that might have a material impact on the provider’s ability to support critical or important functions. The equivalent provision in ESMA’s cloud outsourcing guidelines focuses reactively on reporting after the service has been impacted, whereas the language used in DORA ensures that the provider takes a proactive approach in communicating potential material impacts on its ability to effectively provide ICT services.

The new version of the NIS Directive (NIS2) aims to enhance security requirements and harmonize cybersecurity laws across EU Member States. NIS2 significantly expands the scope of its predecessor by including additional sectors, such as social network providers and manufacturers of medical devices, and imposes new cybersecurity obligations on “essential” and “important” entities (determined by the sector and size of their operations) in relation to risk management, reporting of cyber incidents, and information sharing. While there is some overlap between NIS2 and DORA in terms of cybersecurity obligations, DORA will take precedence over the general provisions of NIS2, ensuring clarity for financial sector entities operating in the EU.

The definition of “ICT services” under DORA refers to digital and data-related activities provided to internal or external users and is relevant in determining which third-party arrangements will be subject to its requirements. This broad definition of ICT services will also capture “AI systems” that fall within the scope of the new EU AI Act. Providers of AI systems should be aware that deploying their software for use by financial services entities will encompass several service types covered by DORA as ICT services, such as data processing and reporting services, data monitoring and data-based business and decision support services.

Technology providers and financial sector entities should be planning towards the alignment of their organizations’ governance with DORA’s fundamental pillars and start mapping their journey towards compliance.

Review our DORA implementation timeline for more information.

17 January 2024 — ESAs to submit all draft RTS to the Commission, including on penetration testing.

17 January 2025 — DORA becomes applicable and penetration testing begins.

To ensure compliance with DORA, companies should: 

  • Understand the key dependencies between their financial sector entity and critical ICT service providers
  • Conduct an initial gap assessment based on internal policies, procedures and governance frameworks with a view to updating these documents
  • Benchmark existing contractual arrangements against the requirements in DORA and EU standard contractual clauses and begin plans to ensure contractual arrangements align with DORA's provisions
  • Establish an incident management process for ICT-related incidents in line with DORA
  • Establish an EU subsidiary for effective oversight if the company is a critical third-country ICT service provider

How Can Goodwin Help?

We can assist you with:

  1. Analysing whether and how DORA and/or the Act applies to your business
  2. Setting up a local subsidiary in the EU in order to comply with DORA
  3. Drafting and negotiating addendums to your contracts that satisfy the requirements of DORA and/or the Act
  4. Implementing internal processes and procedures to comply with DORA and/or the Act and drafting of policies and manuals to document those processes and procedures