What Needs To Be Done?
What does DORA require?
Managing risks in relation to third party ICT service providers (including incorporating mandatory contract terms) is just one of the key requirements of DORA.
DORA requires financial entities to establish and maintain a comprehensive digital operational resilience framework. This includes:
- Taking ultimate responsibility at board level for managing the financial entity's ICT risk;
- Having strategies, policies, procedures and tools to minimise the impact of risk;
- Reporting major ICT-related incidents and significant cyber threats to regulatory bodies;
- Conducting digital operational resilience testing;
- Sharing information and intelligence about cyber threats and vulnerabilities; and
- Providing information on ICT risk to regulatory bodies if requested.
Implications for Contracts
DORA applies to all contracts which include the provision of ICT services. If a contract is for a "digital or data service", and it is "ongoing", it will likely fall within the scope of DORA. This is much broader than other regulatory frameworks, such as the EBA Guidelines on Outsourcing, which are limited to outsourcing arrangements, and the EIOPA and ESMA Cloud Guidelines, which focus only on cloud services.
All contracts for ICT services must include certain contractual terms required by DORA.
DORA also requires additional contractual terms to be included where the ICT services support critical or important functions for the financial entity.
From 17 January 2025, the competent authorities will have supervisory, investigatory, and sanctioning powers to ensure compliance. These include:
- Carrying out onsite inspections and investigations to determine compliance;
- Ordering corrective and remedial measures for any breach of DORA;
- Issuing public notices identifying non-compliant entities and the nature of the DORA breach; and
- Levying administrative penalties and remedial measures that are 'effective, proportionate and dissuasive'.