DORA Regulation: ICT Services and Proportional Regulatory Approach
Financial associations call on the European Commission to clarify the DORA Regulation’s ICT services definition, ensuring a proportional approach and avoiding unnecessary regulatory burdens on financial institutions.
The Digital Operational Resilience Act (DORA Regulation), set to be implemented on January 17, 2025, represents a major overhaul in how financial institutions across the European Union (EU) manage Information and Communications Technology (ICT) services and third-party risks. This regulation will introduce a unified regulatory framework specifically focused on digital resilience for financial institutions, addressing the vulnerabilities they face in an increasingly interconnected and digital landscape.
A joint statement from prominent financial associations—including FIA, AFME, EACH, ECSDA, and FESE—has called for more specific guidance on the DORA Regulation's definition of ICT services. They are urging the European Commission and the European Supervisory Authorities (ESAs) to provide clear distinctions between regulated financial services and ICT services. Without this clarity, they warn that financial services could be misclassified as ICT services, leading to redundant regulatory requirements and operational inefficiencies.
Source
[1]
[2]
DORA Regulation: Strengthening Operational Resilience
The DORA Regulation is a significant milestone in the EU’s financial regulatory landscape. It is designed to establish a regulatory framework that ensures the resilience of financial institutions in the face of operational disruptions, particularly those related to ICT systems. It applies to a wide range of financial entities, including Financial Market Infrastructures (FMIs), credit institutions, investment firms, payment service providers, crypto-asset service providers, and insurance firms. The DORA Regulation aims to harmonize how these entities manage their ICT risks, focusing on cybersecurity, incident reporting, and third-party risk management.
DORA recognises the increasing dependence of financial institutions on ICT systems and third-party service providers, such as cloud services and software vendors. As financial institutions adopt more digital services, their exposure to operational disruptions—whether from cyberattacks or technical failures—has grown. The regulation is intended to mitigate such risks by implementing stringent standards for ICT management, resilience testing, and oversight of third-party providers.
ICT Services: Definition and Scope Under DORA Regulation
At the heart of the DORA Regulation is its definition of ICT services. According to Article 3(21) of the DORA Regulation, ICT services encompass all digital and data services provided through ICT systems on a continuous basis. These include cloud computing, software, data centers, and other ICT services that support critical functions within financial institutions. The regulation is designed to ensure that these services meet the operational resilience standards required for the financial sector.
However, financial associations have raised concerns about the broad scope of this definition. In particular, there is a need to differentiate between regulated financial services—such as those provided by FMIs, credit institutions, and investment firms—and genuine ICT services. FMIs, for instance, offer critical services like clearing and settlement, which are fundamental to the stability of financial markets. These services are already subject to strict regulatory oversight under frameworks like the European Market Infrastructure Regulation (EMIR) and are not primarily ICT services.
The joint statement from the financial associations calls on the European Supervisory Authorities (ESAs) to provide further clarification on the distinction between regulated financial services and ICT services under DORA. Without this clarity, financial institutions could be required to comply with both DORA and other financial regulations, resulting in overlapping obligations that would increase their operational burden without adding meaningful improvements in risk management.
DORA Article 30: Access, Audit, and Inspection Rights
One of the most stringent requirements under DORA is Article 30, which outlines the rules for access, inspection, and audit rights over third-party ICT service providers. This provision requires financial institutions to ensure that they can access and audit the ICT services provided by external vendors. This is particularly important in cases where critical services are outsourced to third parties, such as cloud service providers.
While Article 30 aims to enhance oversight and ensure that financial institutions can maintain operational resilience even when relying on third-party providers, it also creates new challenges. Financial institutions must negotiate contractual agreements that allow for extensive access rights, including the ability to conduct inspections and audits. In practice, this can be difficult when dealing with global service providers, who may be reluctant to offer such access due to concerns over data privacy, intellectual property, and jurisdictional conflicts.
Moreover, for financial entities like FMIs that are already regulated under EMIR, the additional requirements under DORA may be unnecessary and could lead to significant operational disruptions. FMIs play a critical role in clearing and settlement, and any delays or complications arising from compliance with both DORA and EMIR could have far-reaching implications for the stability of the broader financial system.
DORA Regulation: Third-Party Risk Management
Third-party risk management is a cornerstone of the DORA Regulation. Financial institutions are required to assess the ICT services provided by third-party vendors, ensuring that these services support critical or important functions. Under Article 29, financial institutions must ensure that all ICT services critical to their operations are registered and that these services undergo regular due diligence to verify their compliance with the DORA standards.
DORA also establishes stricter rules for managing ICT third-party relationships. Financial entities must ensure that the ICT services they rely on from third parties are resilient and compliant with the regulatory framework. This includes conducting risk assessments, monitoring service-level agreements (SLAs), and ensuring that third-party providers have robust cybersecurity and operational resilience measures in place.
The Financial Stability Board (FSB) has issued guidelines aligning with DORA’s focus on third-party risk management. The FSB states that while ICT services provided by third parties are critical, many regulated financial services should not be classified as third-party ICT services under DORA, especially if they are already subject to oversight through other financial regulations. This reinforces the need for proportional regulation, as the financial associations have emphasized in their joint statement.
The Role of Proportional Regulation Under DORA
The concept of proportional regulation is central to the financial industry’s response to DORA. Financial associations are advocating for a regulatory approach that takes into account the existing oversight and regulation of financial entities. For instance, FMIs, credit institutions, and investment firms are already subject to a range of sector-specific regulations. Requiring these entities to also comply with the ICT service provisions of DORA would not enhance their risk management capabilities but instead create additional administrative burdens.
The financial industry is pushing for an entity-level exemption for regulated financial entities that are not primarily ICT-focused. This exemption would recognize the regulatory oversight these entities already undergo and prevent their regulated activities from being unintentionally subjected to DORA’s ICT service requirements. Such an exemption would ensure that financial institutions can maintain their operational efficiency while still adhering to the broader goals of DORA.
Q&A Clarifications: Industry’s Call for Guidance
A key element of the financial industry’s call to action is for the European Commission and the ESAs to provide timely Q&A clarifications on the definition of ICT services under DORA. Financial institutions are under pressure to meet the 2025 deadline, and many are struggling with the broad interpretation of ICT services under DORA. This is particularly relevant for financial entities that manage large numbers of third-party agreements, which are often bundled within global framework agreements.
Without clear guidance, financial institutions may over-interpret DORA’s requirements, leading to unnecessary regulatory burdens. For example, services that are already regulated under sector-specific financial frameworks may be mistakenly categorized as ICT services under DORA, resulting in duplicative compliance efforts. The associations argue that providing these Q&A clarifications is crucial to preventing this outcome and ensuring that financial institutions can focus their compliance efforts on genuine ICT services that are critical to operational resilience.
Industry Implications as the 2025 Deadline Approaches
As the January 2025 deadline for DORA Regulation implementation approaches, financial institutions are ramping up their efforts to meet the regulatory demands imposed on ICT services and third-party risk management. The industry welcomes the ESAs’ plan to issue Q&A clarifications, which would help alleviate concerns about potential overlaps between DORA Regulation and existing financial regulations.
Moreover, financial entities are becoming increasingly aware of the challenges posed by DORA Regulation’s broad scope, particularly when ICT services are bundled within global framework agreements. The industry is pushing for clear guidance that would exclude regulated financial services from DORA Regulation’s ICT service classification unless these services are primarily ICT-focused. This distinction is critical to preventing unnecessary disruptions in the provision of financial services and ensuring that DORA Regulation’s operational resilience goals are met without inadvertently impacting essential financial functions.