The Digital Operational Resilience Act (DORA) – Information and Communication Technology (ITC) Service Providers
DORA is due to take effect in January 2025. The effect of DORA on ICT service providers goes to the heart of the third-party risk management objective of DORA. We discussed this from the financial entity’s point of view in a previous article.
Effect of “Critical” Designation
Under Article 31 of DORA, ICT third-party service providers may be deemed “critical” which brings them within the scope of DORA’s new oversight framework. This places one of the European Supervisory Authorities (the EBA, EIOPA and ESMA) (the “ESAs“) in the position of ‘Lead Overseer’ of that service provider, who will oversee the creation and administration of an oversight plan regarding that service provider. A designation of “critical” may be onerous for many service providers so the criterion for designation is paramount.
Designation Criteria
While DORA contains 4 overarching criteria, further detail is expected within a delegated act to be adopted by the European Commission. In December 2022, the European Commission requested that the ESAs provide technical advice on the criteria required for the designation of critical ICT third-party service providers. The ESAs, following a discussion period which occurred over late autumn, have published their joint technical advice dated 29 September 2023 (the Technical Advice) (accessible here). The Technical Advice informs the European Commission as to the appropriate contents of the delegated act. The delegated act is expected by January 2024, with a hard deadline within DORA of July 2024.
The Technical Advice
The Technical Advice adopts a two-step indicator-based approach to perform a multi-factor criticality assessment, based on the criteria established by DORA. The ESAs have included:
– 6 new quantitative indicators which include relevant minimum triggering thresholds; and
– 5 additional indicators which are to be used to allow the ESAs to engage in a more granular examination of service providers.
The new indicators require a consideration of the pan-European footprint of relevant service providers. How reliant the financial services sector, as a whole, is upon them will be too. This will have a particular focus on service providers supporting critical or important functions.
Unfortunately, the Technical Advice is not clear as to how these indicators are to be applied collectively in practice. The European Commission only requested advice on the relevant thresholds to be used. We can expect to see further detail on how the criteria and indicators will be applied within the European Commission’s draft delegated act.
Conclusion
The possible designation as ‘critical’ is a topic which will be closely watched by organisations including prominent cloud service providers who are providing critical or important services to financial services undertakings across the common market. More generally, DORA will affect financial entities caught directly within scope, but also the service providers who support those entities, be it directly or indirectly. With DORA due to take effect in January 2025, the time to think about compliance is now. If you wish to discuss any of the issues highlighted above, or want to reach out with a query, please contact any of the Key Contacts listed or your usual William Fry contact.
Contributed by
Conor Forde