New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector. Critical ICT third-party service providers that provide services to regulated financial entities will also be directly regulated under DORA and subject to supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Importantly, DORA also provides for increased responsibility for individual members of management bodies, and provides that they can be faced with fines under DORA – as well as being individually named in public decisions by the regulator in case the competent authority finds that the non-compliance by the financial entity was attributable to the individual.

In addition, an EU Directive on digital operational resilience for the financial sector (DORA Directive) has also entered into force. It amends certain cybersecurity requirements under existing financial services regulation such as the Payment Services Directive 2 (PSD2), the MiFID II Directive and the Solvency II Directive.

DORA’s key takeaways are as follows:

  • Scope of Application: DORA is an EU sector-specific Regulation aimed at harmonizing the cybersecurity requirements for ICT systems and services used by a number of entities in the financial services industry such as credit, payment and e-money institutions, central counterparties (CCPs), alternative investment fund managers (AIFMs), credit rating agencies and crowdfunding and crypto-asset service providers (Financial Entities).

Because of the use of ICT and the increasing reliance on ICT service providers, DORA also applies to ICT third-party service providers, which provide ‘digital and data services’ to Financial Entities using ICT systems – those services are broadly defined and could include cloud computing, software, data analytics, data center, and ‘over-the-top’ services. Competent authorities under DORA will have direct regulatory oversight over third-party ICT service providers (including those outside the EU) that are themselves not engaged in regulated activities but are deemed to be “critical” to regulated financial entities.

  • Key Obligations under DORA:
  1. For Financial Entities:
    • Implement an ICT Risk Management Framework: this includes the development and implementation of internal cyber policies (e.g. on disaster recovery, business continuity, access control, incident response, etc.) and procedures; the implementation of IT security measures to protect data and ICT assets; and mandatory cyber training for staff.
    • Implement Reinforced Incident Management Measures: this includes measures to adequately detect, record and classify incidents and report them as appropriate.
    • Implement Measures in relation to ICT Third-Party Risk Management: DORA imposes a number of new measures on Financial Entities to manage risk related to such third-party ICT service providers. This includes: (i) adopting a strategy on ICT third-party risk in which risk and interdependencies on certain service providers are mapped out and assessed; (ii) having in place adequate contractual arrangements and executing the de minimis terms as required under DORA with third-party ICT service providers – in particular where the provider supports a critical or important function of the organization; and (iii) performing due diligence in line with DORA requirements prior to engaging the provider.
  2. For Critical ICT Third-Party Service Providers:
    • To minimize risk further, DORA introduces a dedicated oversight framework for critical third-party ICT service providers, which includes the designation of a dedicated authority (‘Lead Overseer’) who will be responsible for assessing the critical ICT service provider’s IT security, physical security, policies, SOPs, governance, data portability and interoperability mechanisms and whether it uses national and international standards applicable to its ICT services. Based on this assessment, the Lead Overseer will establish an individual oversight plan specific to each critical ICT service provider, which it will use as a baseline for regulatory oversight.
    • As part of its regulatory enforcement powers, the Lead Overseer shall have far-reaching investigation powers and can impose periodic penalty payments of up to 1% of the ICT provider’s average daily worldwide turnover in the preceding business year. The Lead Overseer can also decide to publish details of the ICT service provider, its infringement, and of any individuals who it deems responsible for the infringement.
    • Further, DORA has extraterritorial reach in the sense that service providers that are designated as critical third-party ICT service providers under DORA, and that are established outside the EU but provide services to financial entities in the EU, will be required to establish a subsidiary in the EU within 12 months of their designation, to allow for effective enforcement by EU competent authorities under DORA. In addition, DORA introduces measures to allow Lead Overseers to also exercise their oversight powers outside the territory of the EU, with the consent of the third-party ICT provider and the relevant authorities in the third country.
  • Penalties: DORA delegates to the EU Member States the task of defining all rules regarding administrative penalties and remedial measures applicable to infringements, provided that they are effective, proportionate and dissuasive; Member States can also decide to impose criminal penalties for infringements of DORA. DORA does not set any minimum or maximum amounts in terms of fines – this is left up to the Member States.

Next Steps. DORA formally entered into force on 17 January 2023 and will be fully enforceable as of 17 January 2025. Due to the complex nature of the DORA requirements, businesses should consider assessing whether they are in scope of DORA, either as a Financial Entity or as an ICT third-party service provider; reviewing the requirements set out in DORA, in particular in relation to third-party ICT risk management; and developing strategies for minimizing risk under DORA and other European and international cyber laws.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.