Regulatory Spotlight: DORA

Regulatory Spotlight: DORA

In this issue, we're going to spotlight one of the most important upcoming legislative proposals that will significantly change third-party risk management (TPRM) requirements for the Financial Services industry in the European Union (E.U.): The Digital Operational Resilience Act, also known as DORA[1].

What is it?

DORA is a legislative proposal that is part of the broader Digital Finance Strategy[2] and is aiming to harmonize and upgrade existing information and communications technology (ICT) risk requirements for all Financial Services companies throughout the European Union. Its objective is to ensure that all financial system participants are subject to a common set of standards to mitigate ICT risks (disruptions and threats) for their operations.

The act is predominantly focused on building a robust, holistic ICT risk management framework, including the focus on critical functions, incident reporting, resilience testing, and information and intelligence sharing.

However, given that financial institutions deal with complex architectures and rely on third parties in many of their ICT activities, a large part of DORA is focused on ICT third-party risk. This increased focus on third-party risk management underlines the need for a more holistic and end-to-end approach toward third-party risk for all Financial Services institutions.

What is the scope?

A significant change is that almost all financial entities (except from auditors) and critical ICT third-party providers active in the E.U.'s Financial Services sector are in scope and will have to fulfil the TPRM requirements laid down in the act.

Why is it important for TPRM?

The act requires participants to adopt a sound framework for managing and monitoring ICT third-party risk that will harmonize key contractual elements. A critical ICT third-party service providers oversight framework will be introduced to ensure supervisory convergence.

In short, and from a TPRM perspective, financial institutions will have to:

• Establish a framework for sound management of (critical) ICT third parties and related risks
• Adopt and regularly review the strategy on ICT third-party risk, considering a multi-vendor strategy
• Review and monitor all ICT services provided by ICT third parties in line with DORA requirements
• Maintain a register of information with all contractual arrangements on the use of ICT services provided by ICT third-party service providers
• Establish an ICT third-party supervisory oversight framework (i.e., European Supervisory Authorities to establish oversight framework and afterwards European Institutions to adhere to oversight framework requirements)

What are the risk dimensions?

ICT, cyber risks, and ICT third-party risk.

What's the current status of the regulation?

The first text has been approved by the E.U. committee and it is now awaiting the European Parliament's position (indicative sitting date November 9, 2022).

Disclaimer: based on understanding as of October 5, 2022. For indicative purposes only.

[1] https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/

[2] https://finance.ec.europa.eu/publications/digital-finance-package_en

IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.