Financial Services

DORA’s core Commission Delegated Regulations published in EU’s Official Journal

Written by

Dr. Michael Huertas

RegCORE – Client Alert | EU Digital Single Market

QuickTake

As discussed in comprehensive coverage available from PwC Legal and PwC teams across our network, the EU’s Regulation 2022/2554, informally known as the Digital Operational Resilience Act – or DORAAvailable here.Show Footnote, is reshaping third-party risk management (TPRM) practices and the (digital) operational resilience requirements for the financial services sector, including but not limited from information and communication technology (ICT)-relate disruptions and threats.

DORA has wide-reaching effects as well as extra-territorial impact. DORA raises compliance challenges for meeting the compliance deadline of 17 January 2025 as well as with a range of other related EU legislative and regulatory rulemaking instruments and supervisory expectations, including non-EU i.e. third country frameworks of a similar nature that already exist or are in development. Often these may have differing or competing demands and compliance obligations.

On 25 June 2024, the following Commission Delegated Regulations (CDRs) were published in the Official Journal of the EU. Each of these CDRs set out Regulatory Technical Standards (RTS) that supplement DORA’s requirements. These CDRs (collectively herein the June CDRs) all enter into force on 15 July 2024:

  • CDR (EU) 2024/1772 on RTS specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out the materiality thresholds and specifying the details of reports of major incidents;
  • CDR (EU) 2024/1773 on RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; and
  • CDR (EU) 2024/1774 on RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework.
    This Client Alert assesses the impact of the June CDRs with a focus on contractual arrangements as well as legal, regulatory and supervisory expectations that apply to financial services firms being able to meet DORA’s demands.

Recap on DORA’s aims

DORA applies to a wide range of entities operating within the EU’s financial sector, including credit institutions, investment firms, insurance companies, payment and e-money institutions, crypto-asset service providers and ICT third-party service providers, among others. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to withstand, respond to and recover from ICT-related disruptions and threats.

In summary, DORA’s key requirements, as supplemented by details in the June CDRs, include financial services firms needing to ensure that they in their own arrangements as well as in contractual arrangementsEach of which are of course subject to differing composition, design, terms, governing law and jurisdictional-specific elements. In summary no two contractual arrangements may be identical even if they may have conceptual similarities.Show Footnote with services providers:

  • ICT risk management: establish and maintain robust ICT risk management frameworks. This includes the identification, classification and mitigation of ICT risks, as well as the implementation of protection and prevention measures. This framework should be reflected in the contracts with ICT providers, ensuring that the providers’ services align with the financial services firm’s risk management policies and procedures.
  • Incident reporting: maintain mechanisms to detect and manage ICT-related incidents. They are also required to report significant cyber threats and incidents to competent authorities in a timely manner. Contracts with ICT providers must stipulate the obligations of the provider to report any significant ICT-related incidents to the financial services firm in a timely manner.
  • Digital operational resilience testing and audits: perform regular testing and audits of digital operational resilience. This includes the use of threat-led penetration testing designed to assess the effectiveness of firms’ cybersecurity measures and identify vulnerabilities.For rules that are equally set by and thus specific to the breadth of firms subject to Banking Union supervision please see relevant coverage on TIBER and CROE under the tab “EU Digital Single Market, financial services and crypto-assets” available here.Show Footnote Contracts should include provisions that allow the financial services firm to conduct such testing and audits on the ICT services provided, including access to relevant data and support from the provider.
  • ICT third-party risk oversight and governance: manage and monitor the ICT third-party risk through the entire lifecycle of the relationship. Firms must maintain effective governance and oversight over their ICT third-party relationships. This includes ensuring that contracts with ICT providers are structured to provide the necessary level of control and oversight, including clear service level agreements (SLAs) and the right to conduct relevant (compliance) audits.
  • Outsourcing and sub-contracting: respecting restrictions on sub-contracting by ICT service providers. Financial services firms must ensure that their contracts with primary ICT providers include clauses that require the provider to obtain the financial services firm’s consent before sub-contracting any elements of the service, along with the right to approve the sub-contracted entities.
  • Concentration risks: complying with concentration risk requirements and diversifying use of ICT service providers where possible. Contracts should be structured to avoid over-reliance on a single provider and to facilitate the transfer of services to alternative providers if necessary.
  • Exit strategies: developing and maintaining exit strategies for the termination of ICT service arrangements. Contracts must include clear terms and conditions for exit, data retention and the transfer of services to ensure continuity and to mitigate risks associated with the end of a contractual relationship.
  • Information sharing: have plans to facilitate the sharing of cyber threat information and intelligence among financial services firms to improve collective understanding and management of ICT risks.

DORA’s precise impact may be different according to type of financial services firm and their respective ICT plus contractual arrangements, common challenges (beyond contractual (re-)drafting) can be summarised in terms of financial services firms needing to consider:

  • Compliance costs: increased costs associated with compliance, such as updating policies and procedures, investing in technology to meet the new requirements and conducting regular testing.
  • Operational changes: re-evaluating their operational processes and ICT systems to ensure they align with DORA’s requirements. This could involve significant changes to existing practices and the adoption of new technologies.

  • Vendor relationships: more stringent management of third-party vendors, requiring enhanced due diligence, contract adjustments and ongoing monitoring to ensure compliance with DORA’s standards.

  • Regulatory oversight: increased scrutiny from regulators, including the potential for on-site inspections and audits to assess compliance with DORA.

  • Cross-border considerations: how they operate across borders within the EU and outside of it. DORA provides a harmonised framework, which may simplify some aspects of compliance, however, firms will need to be mindful of the interplay between DORA and national Member State as well as third-country legislative, regulatory and supervisory requirements. 

     

The introduction of DORA may, for some affected parties, necessitate significant changes to the contractual arrangements between financial services firms and their ICT providers. Financial services firms must undertake a detailed review of existing contracts to ensure compliance with the new requirements. This may involve renegotiating terms to incorporate enhanced risk management frameworks, incident reporting mechanisms, audit rights, oversight provisions, sub-contracting controls, measures to address concentration risk and robust exit strategies.

The June CDRs provide further details on what is required of firms in terms of their internal arrangements as well as in contractual arrangements with ICT providers. In terms of practical steps, all affected firms will want to conduct a documentation inventory and establish a documentation hierarchy (as well as critical path dependencies) and look to identify, mitigate and manage conceptual gaps as they may apply across their internal policies and procedures along with (documented and undocumented systems and controls) but also external contractual arrangements.

A closer look at the June CDRs

The June CDRs all supplement DORA and thus should be read together even if they set out various different requirements. The following subsections explore the individual requirements of the June CDRs on financial services firms and their contractual arrangements:

CDR (EU) 2024/1772

This CDR sets out the criteria and thresholds for classifying and reporting ICT-related incidents and cyber threats by financial services firms, as well as the details of reports to be shared with other competent authorities. DORA and this CDR define a major incident as an incident that affects critical services and meets either one of the following conditions:

  1. the materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met; or
  2. two or more of the other materiality thresholds for the criteria ‘reputational impact’, ‘duration and service downtime’, ‘geographical spread’, ‘data losses‘ and ‘economic impact’ are met. 

The rules also consider recurring incidents that have the same apparent root cause and collectively fulfil the criteria for a major incident as one major incident.

A significant cyber threat is defined as a cyber threat that, if materialised, could affect critical or important functions of the financial entity or other financial services firms, has a high probability of materialisation and could meet one or more of the materiality thresholds for a major incident.

Financial services firms are required to report major incidents and may submit significant cyber threats to their competent authorities within the timeframes and formats specified in DORA. The competent authorities are required to share the details of major incidents with other competent authorities in other Member States where the incident is relevant for them, as well as with the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Central Bank (ECB). EBA, ESMA, EIOPA and the ECB are required to notify the relevant competent authorities in other Member States of major incidents that are relevant for them.

The CDR has implications for financial services firms and their contractual arrangements in respect of the following aspects in that it:

  • introduces a harmonised and consistent framework for classifying and reporting ICT-related incidents and cyber threats across the financial sector, which may affect the existing contractual obligations and expectations of financial services firms and their clients, financial counterparts, third-party providers and regulators. Financial services firms may need to review and update their contracts to ensure compliance and alignment with the new criteria and thresholds for reporting incidents and threats;
  • requires an assessment of the impact of incidents and threats on their critical or important functions, financial services requiring authorisation or registration, data availability, authenticity, integrity and confidentiality and economic costs and losses. Financial services firms may need to enhance their risk management and incident response capabilities and procedures, as well as their data protection and security measures, to ensure that they can identify, measure, mitigate and report the impact of incidents and threats;
  • requires the sharing of the details of major incidents with other competent authorities in other Member States where the incident is relevant for them and to receive notifications of major incidents from EBA, ESMA, EIOPA and the ECB. Financial services firms may need to ensure that they have adequate communication and cooperation mechanisms and channels with other financial services firms, third-party providers, clients, financial counterparts and regulators across the EU and its Member States and that they respect the confidentiality and sensitivity of the information shared and received.

CDR (EU) 2024/1773

This CDR requires that financial services firms adopt and regularly review, a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, as part of their ICT risk management framework. The policy should cover all the steps of the life cycle for contractual arrangements with ICT third-party service providers, from the planning and approval to the implementation, monitoring and termination.

The policy should specify the internal responsibilities for the approval, management, control and documentation of contractual arrangements, including the reporting to the management body and the cooperation with the control functions. The policy should also ensure that the contractual arrangements are consistent with the ICT risk management framework, the information security policy, the ICT business continuity policy and the requirements on incident reporting set out in DORA.

The policy should require that a risk assessment and a due diligence process are conducted before entering into a contractual arrangement with an ICT third-party service provider, taking into account various elements such as the business reputation, the financial, human and technical resources, the information security, the organisational structure, the risk management and internal controls, the use of ICT sub-contractors, the location of the ICT third-party service provider and the data and the potential impact of disruptions on the financial entity’s activities and services.

The policy should specify that the contractual arrangements are in written form and include all the elements referred to in Article 30(2) and (3) of DORA, such as the mutual obligations of the parties, the service level agreements, the data protection and security measures, the exit and termination terms, the sub-contracting arrangements, the audit and inspection rights and the dispute resolution mechanisms. The policy should also include elements regarding requirements referred to in Article 1(1), point (a), of DORA, such as the identification and classification of critical or important functions, the ICT concentration risk assessment and the notification of contractual arrangements to the competent authorities.

The policy should specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third-party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. The policy should also specify how the financial entity is to assess whether the ICT third-party service providers meet appropriate performance and quality standards and how to address any shortcomings, including ICT-related incidents and operational or security payment-related incidents.

The policy should contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the exit plan. The exit plan should take into account unforeseen and persistent service interruptions, inappropriate or failed service delivery and the unexpected termination of the contractual arrangement.

This CDR has significant implications for financial services firms and their contractual arrangements with ICT third-party service providers, as it introduces detailed and harmonised rules on the content of the policy that financial services firms should adopt and implement to manage ICT third-party risk. This policy is in addition to the requirements to be set out in the contractual arrangements.

CDR (EU) 2024/1774

This CDR imposes proportionate and flexible requirements on financial services firms, taking into account their size, structure, internal organisation, nature and complexity and the corresponding risks. For example, the CDR allows financial services firms to use any documentation they already have to comply with the documentation requirements and to develop specific ICT security policies only for certain essential elements, based on leading practices and standards. This CDR also requires financial services firms to assign and maintain clear roles and responsibilities for ICT security and to ensure the segregation of duties and the consequences of non-compliance.

The CDR regulation covers various aspects of ICT security, such as ICT asset management, encryption and cryptographic controls, ICT operations, capacity and performance management, vulnerability and patch management, data and system security, ICT project and change management, physical and environmental security and access control. For each aspect, the CDR specifies the policies, procedures, protocols and tools that financial services firms should develop, document and implement, as well as the criteria, measures and processes that they should follow. The CDR also requires financial services firms to monitor, test, review and update their ICT security arrangements regularly and to report any significant changes or incidents to their competent authorities.

This CDR also sets out the requirements for the ICT risk management framework that financial services firms should establish and maintain, in accordance with Article 6 of DORA. The ICT risk management framework should enable financial services firms to identify, assess and manage the ICT risk they are exposed to and to ensure the alignment of their ICT strategy with their business strategy and risk appetite. The CDR specifies the elements of the ICT risk management framework, such as the ICT risk identification and assessment, the ICT risk mitigation and monitoring, the ICT risk reporting and the review of the ICT risk management framework. The CDR also provides for a simplified ICT risk management framework for financial services firms that are subject to Article 16 of DORA, which should include an information security policy, an identification and classification of critical or important functions and ICT assets, an ICT risk assessment and physical security measures.

The CDR further sets out the requirements for the ICT business continuity plans that financial services firms should develop and implement, in accordance with Article 11 of DORA. The ICT business continuity plans should ensure the continuity and recovery of the financial services firms’ critical or important functions and ICT assets in the event of severe business disruptions, including cyber-attacks. The CDR specifies the elements of the ICT business continuity plans, such as the ICT business continuity policy, the ICT response and recovery plans, the ICT business continuity testing and the ICT business continuity reporting. The CDR also requires financial services firms to take into account a set of scenarios for the implementation and testing of their ICT business continuity plans and to consider and implement continuity measures to mitigate failures of ICT third-party service providers.

This CDR has important implications for financial services firms and their contractual arrangements, especially in relation to the use of ICT third-party service providers. The CDR requires financial services firms to ensure that their ICT third-party service providers comply with the relevant ICT security and business continuity requirements and to monitor and verify their performance and resilience. The CDR also requires financial services firms to establish clear contractual arrangements with their ICT third-party service providers, specifying the roles and responsibilities, the service level agreements, the reporting and audit obligations, the exit strategies and the contingency plans. The CDR also requires financial services firms to notify their competent authorities of any planned or existing contractual arrangements with ICT third-party service providers that support critical or important functions and to provide relevant information and documentation.

Outlook and next steps

DORA, as supplemented by the June (and other) CDRs (and related requirements) represents a significant step in the EU’s efforts to ensure the financial sector can effectively manage and mitigate ICT risks. Financial services firms must carefully assess the implications of DORA on their operations and step-up their efforts in preparing for compliance. While both DORA and the June CDRs set out a comprehensive framework for digital operational resilience, the complexity of implementation will vary depending on the size, nature and complexity of the firm’s operations and respective (legacy, amended and new) contractual arrangements. It is essential for firms to integrate these requirements into their overall risk management strategies and to foster a culture of resilience and continuous improvement in the face of evolving digital threats.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.

Moreover, in addition to AI-powered solutions focusing on contractual repapering to meet DORA compliance we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.