DORA Directive: What banks' IT service providers can now expect

The DORA directive not only increases the security requirements for banks and financial companies – but also for their IT service providers. An overview.


By Christian Friedrich

The Digital Operational Resilience Act, or DORA for short, has been in force since January 17, imposing requirements on European financial companies, banks, insurance companies and investment firms with regard to their security measures. However, the requirements are not limited to the companies themselves; their information and communication technology (ICT) service providers may also be affected. This is because service providers are expected to maintain a comparable level of digital operational resilience so that the functionality of financial companies can be ensured at all times. This can have a significant impact on ICT service providers of financial companies, which were previously often only affected by the requirements to a limited extent as external IT service providers.

Who is an ICT service provider for financial companies?

According to the DORA definition (see EU Regulation 2022/2554, Art. 3), an ICT service provider is a company that provides "digital services and data services provided through ICT systems ... on a permanent basis, including hardware as a service and hardware services ...".

Accordingly, this includes almost all services for financial companies that involve the regular digital processing of information in connection with hardware and software.

What requirements must an ICT service provider implement?

The scope of the actual requirements for the individual ICT service providers is determined by the respective commissioning financial companies. With each identified ICT service provider, the financial companies must conclude contracts whose content is specified by DORA. This includes overarching topics such as specifications on

  • subcontracting,
  • location of service provision,
  • dealing with ICT incidents,
  • termination rights,
  • training for employees of ICT service providers,
  • reporting,
  • monitoring,
  • audit rights,
  • business continuity management and
  • information security.

The exact scope of the requirements can vary depending on the service provided and the associated risk. In particular, the protection requirements of the information processed by the service provider and the categorization of whether the service relates to "critical or important functions" are decisive here.

The protection requirement is the need for protection of the information determined by the financial company with regard to the security objectives of confidentiality, integrity, availability and authenticity. The greater the need for protection, the greater the potential damage to the financial company and the more extensive the security measures to be taken.

The decision as to whether a service affects "critical or important functions" must also be made by each financial company for itself. All financial companies must identify their critical and important functions and processes as well as all ICT assets and ICT services that are important for the functionality, provision or implementation of these functions and processes and ensure their resilience to a particular degree.

Which requirements are likely to cause the most effort?

The requirements for business continuity and information security of ICT service providers in particular will be significant. The exact content that a financial company should require from its ICT service providers is not uniformly defined, but according to EU Regulation 2022/2554, Art. 28 (5), contracts may only be concluded with ICT service providers "that comply with appropriate information security standards". It can therefore be assumed that the requirements will be based on established standards: ISO 27001 and IT-Grundschutz in the area of information security, and ISO 22301 and BSI Standard 200-4 in the area of business continuity. Depending on the bank's risk assessment, certification may also be required.

The DORA also contains specifications for specific operational IT security issues, such as automated vulnerability management, penetration tests and automated monitoring of security events, some of which go beyond the requirements of the standards. It can be assumed that financial companies will demand a comparable level from their ICT service providers and will also set contractual requirements in this regard. An overview of the regulations required by DORA can be found in BaFin's "Documentation requirements for financial companies in accordance with DORA".

Which standards are useful for an ICT service provider?

If a financial company's ICT service provider has not yet implemented any standards for information security or business continuity, it is advisable in most cases to align with the international ISO standards. With ISO 27001 for information security and ISO 22301 for business continuity, effective management systems can be established comparatively quickly, which can be easily adapted to the needs of the respective organization in terms of scope and structure. In addition, these standards already contain basic security requirements that contribute to the information security of ICT service providers and can partially cover the requirements of financial companies.

Of course, if the commissioning financial company bases its own requirements on a different standard, such as IT-Grundschutz, it may be advisable to adopt that standard from the outset. Early coordination between the financial company and its ICT service providers is recommended here.

The implementation of standards lays a solid foundation so that as many requirements as possible can already be documented as implemented in the event of current or future contract negotiations. This can reduce the ICT risk for the financial company and give it a negotiating advantage over other ICT service providers. In addition, the establishment of corresponding standards helps with reliable planning for the further implementation of measures or even certification, so that the ICT service provider can show the financial company a perspective for further development.

What other requirements can lead to additional work?

ICT service providers must ensure that their own sub-service providers also meet comparable requirements. If a financial company's ICT service provider has many sub-service providers, it must plan additional work for the management of these service providers. In this case, it may make sense to immediately identify all sub-service providers that are necessary for the provision of the ICT service for the financial company. It should then be clarified for all sub-service providers whether they can comply with the standards for information security or business continuity. If this is not the case, it should be clarified as early as possible whether implementation can be agreed with the sub-service provider or whether a new service provider may need to be commissioned.

It is also to be expected that financial companies will check the actual implementation of the requirements more closely. Increased costs for the preparation of evidence or even audits must be expected here.

What happens if the requirements cannot be implemented?

As a rule, contract components that cannot be implemented do not automatically lead to the termination of the contract with the financial company. Depending on the financial company, there may be knock-out criteria that are required by law or are of particular interest to it, but even where such requirements cannot be met, a decision must be made in each individual case as to whether terminating the relationship with the ICT service provider is possible or necessary.


The unimplemented parts of the contract are ICT risks for the financial companies, and they can decide whether they want to accept those risks. Due to the large number of new requirements for the many service providers, financial companies are also likely to have to grant more extensive risk acceptances, at least for a certain period of time. A financial company's willingness to accept a risk and the duration of that acceptance depend mainly on its risk appetite, the level of the ICT risks and the competitive situation among service providers. A risk acceptance may only be valid for a certain period of time and must then be renewed.

The financial supervisory authority, such as BaFin in Germany, requires financial companies to actively manage and, if possible, eliminate ICT risks. Every ICT service provider must therefore be aware that a permanent acceptance of risks by financial companies is not advisable. The DORA requires financial companies to agree a special right of termination if, for example, there are "demonstrable weaknesses of the ICT third-party service provider in relation to its general ICT risk management and in particular in the way it ensures the availability, authenticity, security and confidentiality of data" (see EU Regulation 2022/2554, Art. 28 (7c)).

What additional requirements apply to "critical ICT service providers"?

Critical ICT service providers are service providers that generally work for a large number of financial companies and whose impairment has a "systemic impact on the stability, continuity or quality of the provision of financial services" (see EU Regulation 2022/2554, Art. 31). These are, in particular, central payment service providers, reporting service providers or cloud providers (hyperscalers).

These critical ICT service providers are designated and directly supervised by the supervisory authorities, which also publish their names. The supervisory authorities have information, monitoring and audit rights in relation to the critical ICT service providers, can impose fines and can, among other things, check whether they comply with the DORA requirements for ICT risk management, which also apply to the financial companies themselves. If the critical ICT service providers do not implement the requirements, the supervisory authorities can issue recommendations that they should implement. If they do not implement these recommendations, the national supervisory authorities can request the financial companies to temporarily suspend or even terminate the relevant critical ICT services. Further information on this can be found at BaFin.

Could there be further requirements in connection with DORA in the future?

It can be assumed that the requirements for ICT service providers will continue to develop over the next few years and that financial companies will want to agree these contractually. The individual financial companies are currently gaining initial experience with the security requirements, and it remains to be seen what expectations the supervisory authority will have of the requirements to be agreed. Additional requirements can be expected as soon as minimum requirements become established in the industry or financial companies feel compelled to make improvements following supervisory reviews.

A number of other regulatory standards will also be published. For example, regulatory standards on threat-led penetration testing and sub-service providers are planned, which may entail further requirements and expenses. As an ICT service provider, it is therefore advisable not to generally guarantee that any additional requirements will be met. Instead, there should always be the option to renegotiate the new requirements and the resulting expenses.

What other effects will these requirements have on the economy?

It can be assumed that in future, financial companies will give preference to specialized service providers that have established appropriate standards in relation to DORA and where low-risk operation of ICT services can be ensured. For ICT service providers that are unable to implement the requirements, pressure may therefore arise to offset the resulting risks with lower prices.

As a highly regulated sector, the financial industry is a pioneer in the establishment of such standards. With NIS2, for example, comparable requirements also exist for other sectors in the critical infrastructure environment. It is therefore to be expected that the requirements in other areas will also rise to the level of DORA in the medium term.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.