The EU regulation on digital operational resilience for the financial sector (DORA) was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will apply from 17 January 2025. As an EU regulation and unlike an EU directive, it will bind EU businesses directly without the need for individual member states to implement laws to put DORA into effect.

DORA seeks to address potential systemic and concentration risks posed by the financial sector's reliance on a small number of information and communication technology (ICT) third-party providers (TPPs) and introduces an oversight framework for EU TPPs that the three EU supervisory authorities (ESAs) deem to be "critical to the stability and integrity of the [EU] financial system" and designate as critical TPPs.

Importantly, DORA is capable of applying to non-EU critical TPPs, including those in the US and UK, that provide services to EU financial entities, such as banks, broker-dealers, and insurers, because it will require those non-EU critical TPPs to establish subsidiaries in the EU.

On 26 May 2023, the ESAs issued a discussion paper (DP) to consult with market participants on further criteria for determining whether TPPs are "critical." (The DP also addresses the question of the amount of the fees levied on critical TPPs.)

DORA identifies four criteria (discussed below) for determining whether a TPP is critical:

  • The impact on the provision of financial services of the TPP's failure
  • The importance of the financial entities that rely on the TPP
  • Reliance by many financial entities to support critical and important functions
  • The degree of substitutability of the TPP

DORA requires the EU Commission to make further delegated regulations to expand DORA's provisions (usually described as regulatory technical standards, or RTS), and the DP addresses the advice on the RTS that the Commission asked the ESAs to provide.

Following the consultation in the DP, which closes for comment on 23 June 2023, the ESAs are required to provide the advice by 30 September 2023.

Why DORA Matters To Technology Providers

DORA is revolutionary because it will extend a form of financial services regulatory oversight to critical TPPs, such as large cloud companies and data storage providers, that do not themselves offer financial services and are not subject to direct financial services regulatory oversight. Currently, these businesses are subject to what can be best described as indirect regulatory oversight because the contracts under which they provide services (deemed to be critical) to banks and other regulated financial services providers must contain provisions prescribed by EU regulation and ESA guidance. (See, for example, our alert ESMA Cloud Outsourcing Guidelines - Practical Points for Cloud Service Providers and Regulated Entities.)

The main impact of a designation as a critical TPP is that the critical TPP becomes subject to oversight by a "lead overseer" that will have the power to assess whether the critical TPP has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risk that it may pose to financial entities. The lead overseer will also have powers to conduct general investigations and inspections.

The question of whether or not a TPP is deemed to be critical will, therefore, be vital to any technology provider that provides services to EU financial entities.

A Two-Step Test

The DP proposes a two-step test for determining indicators of a qualitative and quantitative nature for each of the four criticality criteria:

  • Assessing TPPs against a set of quantitative criticality indicators, alongside respective minimum relevance thresholds (Step 1). Step 1 will indicate those TPPs that could potentially be considered as critical.
  • Further assessment of TPPs (Step 2) based on an additional set of qualitative criticality indicators. The DP states that the Step 2 indicators are complementary to the Step 1 indicators, allowing for a more granular assessment of the TPP.

Criterion 1: Impact on Provision of Financial Services

DORA describes this as follows: "the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant TPP faces a large scale operational failure to provide its services, taking into account the number of financial entities and the total value of the assets of the financial entities to which the TPP provides its services."

The DP sets out the following Step 1 indicators:

  • The number of financial entities using ICT services provided by the same TPP (both per type of financial entity and in percentage terms): the more financial entities using ICT services provided by the same TPP, the higher the impact on the stability, continuity, or quality of the provision of financial services.
    The DP proposes a minimum relevant threshold of 10% or more of the total number of financial entities in the EU.
  • The share of financial entities directly or indirectly using ICT services provided by the same TPP, measured by the total value of assets or total assets equivalent of financial entities: the higher the share of financial entities using ICT services provided by the same TPP, the higher the TPP's level of criticality for the EU financial sector.
    The DP proposes a minimum relevant threshold of 10% or more of the total value of assets/total assets equivalent of financial entities in the EU.

The DP sets out the following Step 2 indicators:

  • The share of financial entities for which a large-scale operational failure of the same TPP directly or indirectly providing ICT services would imply a substantial negative impact on their services, activities, and operations, measured by the total number of financial entities in the EU and by the total value of assets of financial entities: the more financial entities affected by a discontinuation of ICT services provided by the TPP, the higher the TPP's level of criticality for the EU financial sector.
  • The number of designated critical TPPs using the same subcontractors to directly or indirectly provide ICT services to financial entities supporting critical or important functions: the more critical TPPs using the same subcontractors to provide ICT services, the more important those subcontractors are for the EU financial sector. Those subcontractors thus might have to be designated as critical TPPs themselves.

Criterion 2: Importance of Financial Entities

DORA describes this as follows: "the systemic character or importance of the financial entities that rely on the relevant TPP, assessed in accordance with the following parameters: (i) the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs) that rely on the TPP; and (ii) the interdependence between the G-SIIs or O-SIIs referred to in point (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities."

The DP sets out the following Step 1 indicators:

  • The number of G-SIIs and O-SIIs directly or indirectly using ICT services provided by the same ICT TPP: the more financial entities classified as G-SIIs and O-SIIs that use ICT services provided by the same TPP, the higher the TPP's level of criticality for the EU financial sector.
    The DP proposes minimum relevant thresholds of at least one G-SII, or at least three O-SIIs, or at least one O-SII with an O-SII score above 3,000. (SIIs are given a score from 0 to 10,000 representing their systemic riskiness.)
  • The number of financial entities, identified as systemic by competent authorities, other than G-SIIs and O-SIIs, using ICT services provided by the same ICT TPP (in absolute terms): the more financial entities identified as "systemic" that use ICT services provided by the same TPP, the higher the TPP's level of criticality for the EU financial sector.
    The DP proposes a minimum relevant threshold of at least one financial entity (other than a credit institution) identified as "systemic" by competent authorities.

The DP sets out the following Step 2 indicator:

  • The level of interdependence between G-SIIs or O-SIIs and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities: the stronger the interdependencies are between systemically important financial entities relying on ICT services provided by the same TPP and other financial entities, the higher the TPP's level of criticality for the EU financial sector.

Criterion 3: Critical or Important Functions

DORA describes this as follows: "the reliance of financial entities on the services provided by the relevant TPP in relation to critical or important functions of financial entities that ultimately involve the same TPP, irrespective of whether financial entities rely on those services directly or indirectly, through subcontracting arrangements."

The DP sets out the following Step 1 indicator:

  • The share of financial entities directly or indirectly using ICT services provided by the same TPP that support critical or important functions, measured by the total number of financial entities in the EU and by the total value of assets of financial entities: the higher the share of financial entities using ICT services provided by the same TPP to perform critical or important functions, the higher the TPP's level of criticality for the EU financial sector.
    The DP proposes minimum relevant thresholds of 10% or more of the total value of assets/total assets equivalent per type of financial entity in the EU, or 10% or more of the total number of financial entities in the EU.

The DP sets out the following Step 2 indicator:

  • The level of criticality of ICT services directly or indirectly provided to financial entities by the same TPP: this is designed to capture the different levels of criticality of ICT services provided to financial entities by the same TPP.

Criterion 4: Degree of Substitutability

DORA describes this as follows: "the degree of substitutability of the TPP, taking into account the following parameters: (i) the lack of real alternatives, even partial, due to the limited number of TPPs active within a specific market, or the market share of the relevant TPP, or the technical complexity or sophistication involved, including in relation to any proprietary technology, or the specific features of the TPP's organisation or activity; (ii) difficulties in relation to partially or fully migrating the relevant data and workloads from the TPP to another TPP, due either to significant financial costs, time, or other resources that the migration process may entail or to increased ICT risk or other operational risks to which the financial entity may be exposed through such migration."

The DP sets out the following Step 1 indicators:

  • The share of financial entities reporting that no alternative TPPs are available or have the required ability and/or capacity to (fully or partially) provide the same ICT services as directly or indirectly provided by the existing TPP, measured by the total number of financial entities in the EU and by the total value of assets of financial entities: the more difficult it is to substitute an ICT TPP, the higher the ICT TPP's level of criticality for the EU financial sector.
    The DP proposes minimum relevant thresholds of 10% or more of the total value of assets/total assets equivalent per type of financial entity in the EU, or 10% or more of the total number of financial entities in the EU.
  • The share of financial entities reporting that it is highly complex/difficult to migrate or reintegrate ICT services directly or indirectly provided by a TPP to support critical or important functions, measured by the total number of financial entities in the EU and by the total value of assets of financial entities: the more difficult it is to migrate or reintegrate ICT services, the higher the ICT TPP's level of criticality for the EU financial sector.
    The DP proposes minimum relevant thresholds of 10% or more of the total value of assets/total assets equivalent per type of financial entity in the EU, or 10% or more of the total number of financial entities in the EU.

The DP sets out the following Step 2 indicator:

  • Market share of TPPs directly or indirectly providing ICT services to financial entities, measured by the total number of financial entities in the EU (total) and by the annual expenses or estimated costs of the contractual arrangements (per type of ICT service and in percentage terms): the higher the market share of a TPP (per type of ICT service), the higher the potential dependency on the respective TPP.
