- Kateřina Kubíková
DORA Regulation applies to suppliers of information and communication technology (ICT) services, which includes providers of cloud services, software, data analytics or data centre services. However, DORA also provides for one minor exception, namely the supply of traditional analogue telephone services.
New obligations of ICT service providers in the financial sector under DORA. In a time of constant cyber threats, it is crucial to increase the digital resilience of financial institutions. DORA Regulation emphasises not only the resilience of financial institutions but also the security measures of their ICT service providers, who play an important role in the cybersecurity of the entire financial sector.
Which suppliers will be affected by DORA?
ICT services are defined in the Regulation as follows: digital and data services, including hardware as a service and hardware services that include the provision of technical support through software or firmware updates by the hardware provider. ICT services are intended to be very broad and will affect almost everyone who supplies something related to information or communication technology to banks, insurance companies and other financial institutions.
Pre-contract checks on suppliers by financial institutions
Before entering into a contract with a supplier, the financial institution must carry out thorough analysis, including an assessment of the supplier's ability to meet safety standards. For key services, the assessment needs to be even more thorough. In addition to careful screening, financial institutions will have to keep a register of information on their suppliers with all contractual arrangements for the use of ICT services.
The contract may then only be concluded with ICT service providers that meet the relevant standards in information security (e.g. NIS2). However, if the ICT service is for a critical or important function, the financial institution will assess whether the suppliers apply the most up-to-date and highest quality information security standards.
Mandatory elements of supplier contracts
Under DORA, contracts with ICT service providers will now include mandatory regulatory requirements. For example, provisions relating to:
- availability,
- authenticity,
- integrity,
- confidentiality.
The obligation of an ICT service provider to provide assistance to a financial institution at no additional cost or at a cost to be determined in advance if an incident occurs that is related to the ICT service provided. Or even conditions for the supplier to participate in cybersecurity related training.
If it is a supplier of ICT services that support critical or important functions, the contract will need to include even more essential points. For example:
- the supplier's obligation to implement and test business continuity plans ( business continuity plans),
- the obligation of the supplier to participate in and fully cooperate with penetration testing based on financial institution threats.
Why should ICT service providers be interested in this news?
With the advent of DORA, financial institutions are expected to select their suppliersof ICT services more carefully and assess their ability to comply with the new standards. Readiness for these changes will play a key role in maintaining financial institutions' confidence in the ICT services they provide.
Failure to comply with the new obligations can lead tothe termination of contracts with the supplier.These will now include grounds for termination under DORA. One of these will be that weaknesses are identified in the overall ICT risk management of the ICT service provider or perhaps that ICT service providers are in material breach of applicable legislation or contractual terms.
Critical supplier according to DORA
DORA introduces a new category of suppliers, which it describes as " critical third-party ICT service providers". This lengthy designation refers to a selection of key suppliers of ICT services to financial institutions that are subject to obligations similar to those imposed on financial entities under DORA.
Who can be a critical supplier of ICT services under DORA?
The designation of a critical supplier depends on the decision of the European Supervisory Authorities: na rozhodnutí evropských orgánů dohledu:
One of these authorities will then be assigned the status of lead supervisory authority for each designated critical supplier. Thus, it is not decisive that the financial institution itself designates a supplier as critical; the key is the designation by the European Supervisory Authority. The critical supplier of ICT services will then be informed of the date from which the new obligations will apply. This will be set within one month of notification of the critical supplier designation.
Criteria for designation as a critical supplier of ICT services:
The European Supervisory Authorities will assess several key criteria:
- Systemic impact: What will be the impact on the stability, continuity or quality of financial service provision if the supplier faces an outage? The number of financial institutions to which services are supplied and the value of their assets will be taken into account.
- Systemic relevance of financial institutions
- Concentration: How many financial entities rely on these ICT services for their critical or important functions?
- Substitutability: Are there alternative suppliers of ICT services that could take over the role of the supplier?
Obligations of critical ICT service providers
ICT service providers that are identified as critical will be subject to direct oversight by financial regulators and even have to pay fees for this oversight. However, ICT service providers that have not been designated as critical also have the option of submitting to supervision. Indeed, it may even be a competitive advantage for them.
The following areas will fall under surveillance and the critical contractor will be required to comply:
- Ensuring security, availability, continuity, scalability and quality of service.
- Ability to maintain high standards for data availability, credibility, integrity and confidentiality.
- Physical security – including security of premises, facilities and data centers.
- Risk management processes – including risk management policies, ICT business continuity policies and ICT response and recovery plans.
- Governance systems – including an organizational structure with clear, transparent and consistent lines of responsibility and accountability to enable effective risk management.
- Identifying, monitoring and promptly reporting significant ICT-related incidents to financial entities and managing and resolving these incidents (especially cyber-attacks).
- Mechanism for data portability and application portability and interoperability.
- Testing of ICT systems, infrastructure and controls.
- ICT audits.
The supervisory authority pak for each critical supplier, prepare a detailed and reasoned an individual supervision plan. TThis plan will include annual targets and key measures planned for the supplier. The lead supervisory authority will be able to impose penalty, up to 1 % of the supplier's average daily worldwide turnover for the previous accounting period (penalties to be imposed on a daily basis until the measures are complied with). the penalty is intended to motivate critical ICT service providers motivovat kritické dodavatele služeb IKT to comply with the new obligations and standards.
