Financial Regulations for Critical Third-Party Technology Providers in the EU and UK

Two new regulatory regimes will govern third-party providers of technology and other services to financial sector entities, such as banks, broker-dealers, and exchanges in the EU and UK.

The EU Regulation (EU) on the Digital Operational Resilience Act (DORA) of the Financial Sector was published in the Official Journal of the EU on 27 December 2022. DORA entered into force on 16 January 2023 and will apply starting 17 January 2025.

In the UK, Chapter 3C of the Financial Services and Markets Act (the Act), which received royal assent on 29 June 2023, extends various powers that the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have over firms, to “critical third parties” (CTPs). The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are still considering the rules that help give effect to the CTP provisions in the Act. These are expected to come into force in Q4 2024. You can read our alert on Chapter 3C and the proposed regulatory rules that will supplement it to learn more.

Read more about DORA and its implications below, and access our featured insights.

Too Important to Fail?

The more significant regulatory powers to emerge from the 2007–9 financial crisis, which include the power to take firms into public ownership, typically apply where a firm has failed or is close to failure (i.e. is a gone concern), as was with some banks and other institutions that thought themselves “too big to fail” during the financial crisis. These regulatory powers are, therefore, designed to mitigate the effects of failure.

Both DORA and the UK critical third-parties regime seek, instead, to prevent or, at least, reduce the risk of failure: like those in DORA, noted above, the powers under the Act are focused, however, on CTPs as going concerns and designed to prevent failure. As such, CTPs will be subject to the same jurisdiction in effect as financial sector entities, in that the EU and UK financial regulatory authorities will have near-identical powers with the corresponding public law duties over CTPs as those they have over financial sector entities.

Too Important to Fail? Further Light on When EU and Non-EU Technology Providers Will Become Subject to DORA

Read our published alert to learn more about why DORA matters to technology providers and what regulatory criterion it sets forth.

Too Important to Fail – Part 2: The Coming Regulation of Providers of Critical Technology Services to UK Financial Institutions

Read our published alert for our insight into what UK financial institutions and CTPs can expect from the Financial Services and Markets Bill 2022.

More On Dora

DORA seeks to address potential systemic and concentration risks posed by the financial sectors’ reliance on a small number of CTPs, and introduces an oversight framework for CTPs located in the EU whom the three EU supervisory authorities (ESAs) deem to be “critical to the stability and integrity of the [EU] financial system” and designate as critical TPPs.

As an EU regulation and unlike an EU directive, DORA will bind EU business directly without the need for the individual Member States themselves to implement laws to give DORA effect.

DORA requires the EU Commission to make further delegated regulations to expand DORA’s provisions (usually described as regulatory technical standards, or RTS).

Access our table setting out DORA’s provisions and identifying where RTS are necessary and the current status of those RTS.

DORA is capable of applying to non-EU CTPs, including those in the US and UK, that provide services to EU financial sector entities because it will require those non-EU critical CTPs to establish subsidiaries in the EU.

In the UK, the Act defines a CTP as “a person who provides services to one or more authorised persons, relevant service providers or FMI entities.” It does not specify that the CTP must be established in the UK in order for it to be a CTP. Instead, it only requires that the financial sector entity, to which the CTP provides services, be in the UK. This indicates that the CTP regime will be capable of applying to non-UK CTPs, including those located in the US and EU.

On 26 May 2023, the ESAs issued a discussion paper (DP) to consult with market participants on further criteria for determining whether TPPs are “critical.”

DORA identifies four criteria for determining whether a TPP is critical:

The impact on the provision of financial services of the TPP’s failure
The importance of the financial sector entities that rely on the TPP
Reliance by many financial sector entities to support critical and essential functions
The degree of substitutability of the TPP

The DP proposes a two-step test for determining indicators of a qualitative and quantitative nature for each of the four criticality criteria:

Assessing TPPs against a set of quantitative criticality indicators, alongside respective minimum relevance thresholds (Step 1). Step 1 will indicate those TPPs that could potentially be considered as critical.
Further assessment of TPPs (Step 2) based on an additional set of qualitative criticality indicators. The DP states that the Step 2 indicators are complementary to the Step 1 indicators, allowing for a more granular assessment of the TPP.

This is further discussed in our published alert.

The regulatory framework of DORA is constructed upon a foundation of six fundamental pillars:

Governance & Organization: DORA places a strong emphasis on aligning the business strategies of financial sector entities with information communication technologies (ICT) risk management, necessitating active involvement from management to establish clear roles and responsibilities, continuous monitoring, approval processes, and appropriate allocation of ICT investments and training.
ICT Risk Management Framework: DORA establishes principles and guidelines for managing ICT risk in financial sector entities, including identification, protection, detection, response, recovery, learning, evolving, and communication. Financial sector entities are expected to maintain resilient ICT systems, minimize the impact of ICT risk, establish protection measures, promptly detect anomalies, and implement comprehensive business continuity and recovery plans.
ICT Incident Management, Classification & Reporting: This pillar aims to harmonize and streamline the reporting of ICT-related incidents. Financial sector entities are required to establish a management process to monitor and log incidents, classify them based on specified criteria, and report major incidents to competent authorities using a common template. Supervisory feedback and guidance will be provided by competent authorities, and the possibility of centralizing incident reporting at the EU level will be explored.
Digital Operational Resilience Testing: Financial sector entities will need to periodically test their ICT risk management framework for preparedness and identification of weaknesses. The testing requirements vary based on entity size, business, and risk profiles, with advanced testing using threat-led penetration testing reserved for significant and cyber-mature entities.
Third-Party Provider Risk Management: Financial sector entities must monitor and address risks throughout their relationship with third-party providers, and contracts with such providers should cover service descriptions, data processing locations, performance targets, security provisions, access and audit rights, termination rights, and exit strategies.
Information Sharing: Financial sector entities are encouraged to establish arrangements for exchanging cyber threat information and intelligence to raise awareness, minimise the spread of ICT risk and enhance defensive capabilities and threat detection techniques.

DORA introduces a number of mandatory contractual requirements for all arrangements between financial sector entities and their ICT third-party service providers, with additional requirements for providers supporting critical or important functions. These provisions concern descriptions of services, data processing locations, performance targets, security provisions, access and audit rights, termination rights, and exit strategies.

While there is substantial overlap with prescribed provisions from existing regulations, namely the ESA cloud outsourcing guidelines, DORA introduces additional contractual requirements with the intent to strengthen digital operational resilience and promoting robust risk management practices. For instance, ICT third-party service providers must now agree to:

Participate in financial sector entities’ ICT security awareness programmes and digital operational resilience training
Participate and fully cooperate in the financial sector entity’s threat led penetration testing
Provide assistance to the financial sector entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial sector entity occurs

Parties should also take care not to overlook slight nuances in the wording of existing rights and obligations prescribed from current regulations, as there are minor variations that go further than anticipated in the original guidelines. For example, both parties need to agree on notice periods and reporting obligations of any development that might have a material impact on the provider’s ability to support critical or important functions. The equivalent provision from ESMA’s cloud outsourcing guidelines reactively focuses on reporting after the impact of the service, whereas the language used in DORA ensures that the provider takes a proactive approach in communicating potential material impacts to its ability to effectively provide ICT services.

The new version of the NIS Directive (NIS2) aims to enhance security requirements and harmonize cybersecurity laws across EU Member States. NIS2 significantly expands the scope of its predecessor by including additional sectors, such as social network providers and manufacturers of medical devices, and imposes new cybersecurity obligations on “essential” and “important” entities (determined by the sector and size of their operations) in relation to risk management, reporting of cyber incidents, and information sharing. While there is some overlap between NIS2 and DORA in terms of cybersecurity obligations, DORA will take precedence over the general provisions of NIS2, ensuring clarity for financial sector entities operating in the EU.

The definition of “ICT services” under DORA refers to digital and data-related activities provided to internal or external users and is relevant in determining which third-party arrangements will be subject to its requirements. This broad definition of ICT services will also capture “AI systems” that fall within the scope of the new EU AI Act. Providers of AI systems should be aware that deploying their software for use by financial services entities will encompass several service types covered by DORA as ICT services, such as data processing and reporting services, data monitoring and data-based business and decision support services.

Technology providers and financial sector entities should be planning towards the alignment of their organizations’ governance with DORA’s fundamental pillars and start mapping their journey towards compliance.

Review our DORA implementation timeline for more information.

17 January 2024 — ESAs to submit all draft RTS to the Commission, including on penetration testing.

17 January 2025 — DORA becomes applicable and penetration testing begins.

To ensure compliance with DORA, companies should:

Understand the key dependencies between their financial sector entity and critical ICT service providers
Conduct an initial gap assessment based on internal policies, procedures and governance frameworks with a view to updating these documents
Benchmark existing contractual arrangements against the requirements in DORA and EU standard contractual clauses and begin plans to ensure contractual arrangements align with DORA's provisions
Establish an incident management process for ICT-related incidents in line with DORA
Establish an EU subsidiary for effective oversight if a critical third-country ICT service provider

How Can Goodwin Help?

We can assist you with:

Analysing whether and how DORA and/or the Act applies to your business
Setting up a local subsidiary in the EU in order to comply with DORA
Drafting and negotiating addendums to your contracts that satisfy the requirements of DORA and/or the Act
Implementing internal processes and procedures to comply with DORA and/or the Act and drafting of policies and manuals to document those processes and procedures