DORA Regulation: procurement requirements for third-party suppliers

DORA Regulation: procurement requirements for third-party suppliers

On 16 January 2023, Regulation 2022/2554 of the European Parliament and of the Council, known as DORA, entered into force. Financial institutions and ICT providers must comply with DORA by 17 January 2025.

DORA aims to strengthen digital operational resilience in the EU financial sector and ensure its resilience to disruptions. Financial institutions must have specific capabilities, mechanisms and policies in place to manage and report serious ICT-related incidents.

DORA covers EU financial institutions and ICT service providers. ESAs can designate third party providers according to criteria and impact. In addition to updating regulations, DORA introduces new obligations in four pillars to improve system security.

Entities must have an ICT risk management framework in place in accordance with Chapter V of the Regulation, under the responsibility of the management body. This body defines strategies, assesses risks and can be held accountable for non-compliance.

DORA requires reporting of ICT incidents with procedures for monitoring, classification and communication to the authorities. Entities must send an initial notification, an interim and a final report on the causes of the incident, which the competent authority will share with the specified recipients.

DORA requires annual digital operational resilience testing, including vulnerability assessments and, for critical roles, penetration testing. ICT providers must also be involved to address vulnerabilities.

Finally, third party risk management in relation to ICT, detailed in Chapter V, Section I, also applies to suppliers. Financial institutions should manage this risk by negotiating agreements, conducting audits and setting performance targets in areas such as integrity, accessibility and security.

But with reference to the providers, according to Article 31, they are designated by the European Supervisory Authorities through the Joint Committee and on the recommendation of the Supervisory Forum, which shall:

a) designate third-party providers of ICT services that are essential for financial institutions, following an assessment taking into account the criteria specified in paragraph 2;

b) designate as lead supervisor for each critical third-party ICT service provider the European Supervisory Authority that is responsible, in accordance with Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 or Regulation (EU) No 1095/2010, for the financial institutions that collectively have the largest share of total assets of the total asset value of all financial institutions using the services of the relevant critical third-party ICT service provider, as reflected in the sum of the individual balance sheets of those financial institutions.

The designation referred to in paragraph 1.a) of the above Article is based on certain criteria set out in point 2 of the same Article, as follows:

a) the systemic impact on the stability, continuity or quality of the provision of financial services in the event of a potential large-scale operational failure of the third-party ICT service provider concerned affecting the provision of its services, taking into account the number of financial institutions and the total value of assets of the financial institutions served by the third-party ICT service provider concerned;

b) the systemic nature or importance of the financial institutions relying on the third-party ICT service provider concerned, assessed according to the following parameters:

i) the number of global systemically important entities (G-SIIs) or other systemically important entities (O-SIIs) relying on the relevant third-party ICT service provider,

ii) the interdependence between the G-SIIs or O-SIIs referred to in subparagraph (i) and other financial entities, including situations where the G-SIIs or O-SIIs provide financial infrastructure services to other financial entities;

c) the reliance of financial institutions on the services provided by the relevant third party ICT service provider in relation to critical or important functions of financial institutions that ultimately involve the same third party ICT service provider, regardless of whether financial institutions use such services directly or indirectly, through outsourcing arrangements;

d) the degree of substitutability of the third-party ICT service provider, taking into account the following parameters:

i) the lack of real alternatives, even partial, due to the limited number of third party ICT service providers active in a specific market, or the market share of the third party ICT service provider concerned, or the complexity or technical difficulty involved, inter alia in relation to proprietary technologies, or the specific characteristics of the organisation or the activity of the third party ICT service provider,

ii) difficulties related to the partial or full migration of the relevant data and workloads from the third party ICT service provider concerned to another, because of the significant financial, time or other resource costs that the migration process could entail, or because of the increased ICT or other operational risks to which the financial institution could be exposed through such migration.

In short, DORA, which became applicable on 16 January 2023, strengthens digital operational resilience in the EU financial sector. It imposes new responsibilities on financial institutions and ICT providers to manage incidents, conduct resilience testing and monitor third party risks. The European Supervisory Authorities are key in the selection and regulation of critical providers. Through four main pillars, DORA updates regulations to increase the security and stability of the sector.