We have previously commented on what Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) will mean for third-party contracting here. In this article, we focus on how DORA is seeking to address concentration risk issues through the designation and direct oversight of certain critical information and communication technology (ICT) service providers. We also consider the associated fines for non-compliance, which are linked to worldwide turnover. Who those critical service providers are will be decided by the relevant European sectoral regulators. It is safe to assume, however, that the large cloud hosting providers and the providers of widely used critical business process IT infrastructure will be in the sights of regulators.
Who is subject to the oversight regime
DORA provides for a direct oversight regime which will apply to those ICT providers who are designated as critical. This is a relatively new departure as the previous approach in outsourcing guidelines issued by the various sectoral regulators in the financial services sector was only to seek to indirectly regulate the ICT providers. This indirect approach was achieved by imposing requirements for regulated entities to procure certain rights and obligations through contracts.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) (together, the ESAs) will lead the oversight framework. Following an assessment, the ESAs will designate ICT providers that are “critical” for financial entities, and those ICT providers will be subject to the oversight regime. The assessment for each ICT provider will be based on criteria such as:
- The impact on financial services if the ICT provider were to experience a large-scale operational failure to provide its services
- The systemic character or importance of the financial entities that rely on the ICT provider
- The reliance of financial entities on its ICT services in relation to critical or important functions of financial entities, and
- The ease of replacing the ICT provider
The ESAs will appoint one of the ESAs as a “Lead Overseer” for each critical ICT provider. The Lead Overseer will assess whether each critical ICT provider has comprehensive and effective arrangements in place to manage the ICT risk that it may pose to financial entities. The assessment will cover issues such as:
- The identification, monitoring and prompt reporting of material ICT incidents to financial entities as well as the management and resolution of ICT incidents
- Ensuring the security, availability, continuity, scalability and quality of the ICT services
- Physical security including the security of premises, facilities and data centres
- Risk management processes such as ICT business continuity policies
- Mechanisms for data portability, and
- Testing of ICT systems, infrastructure and controls
Based on this assessment, the Lead Overseer will adopt an individual oversight plan describing each critical ICT provider’s annual oversight objectives and the main oversight actions planned. The Lead Overseer can adopt recommendations on the areas of its assessment. For example, the Lead Overseer may recommend that the ICT provider refrain from entering into a further subcontracting arrangement where the following cumulative conditions are met:
- The subcontractor is established in a third country
- The subcontracting concerns critical or important functions of the financial entity, and
- The Lead Overseer deems that the use of such subcontracting poses a clear and serious risk to the financial stability of the EU or to financial entities
Timeline for implementing recommendations
Critical ICT providers have sixty days from receipt of the recommendations to either notify the Lead Overseer of their intention to follow the recommendations or provide a reasoned explanation for not doing so. The Lead Overseer will publicly disclose where the explanation provided is not deemed sufficient. In addition, relevant financial entities:
- Will be informed of the risks identified in the recommendations addressed to critical ICT providers
- May be required to temporarily suspend, in part or in whole, the use or deployment of a service provided by the relevant critical ICT provider until the risks identified in the recommendations have been addressed
- May be required to terminate, in part or in whole, the contractual arrangements concluded with the relevant critical ICT providers
Other powers of the Lead Overseer
As part of its oversight role, the Lead Overseer may:
- Conduct investigations and inspections of critical ICT providers. In addition to examining the critical ICT provider’s records, and taking copies of material, the Lead Overseer may request records of telephone and data traffic and summon representatives of the critical ICT provider to explain facts or documents relating to the subject matter and purpose of the investigation.
- Require information from a critical ICT provider. The information that can be requested is very broad and includes information relating to the ICT provider’s customers, all relevant business or operational documents, contracts, policies, ICT security audit reports and ICT incident reports. In addition, it may request reports specifying actions that have been taken or remedies implemented by the critical ICT providers in relation to recommendations issued by the Lead Overseer.
A key point to note is that DORA does not set out any triggers for these investigations or information-gathering exercises to take place. Instead, the Lead Overseer can undertake the above actions “where necessary” to carry out its duties under DORA, which arguably gives it broad discretion to exercise these statutory rights.
If a critical ICT provider fails to comply with requests arising from the Lead Overseer’s broad rights to require the provision of information, to carry out investigations and inspections and/or to be provided with reports of remedial actions, the Lead Overseer may impose daily financial penalties that will apply until compliance is achieved. These daily fines can be imposed for up to a maximum of six months and can be set at an amount up to a figure equal to one per cent of the average daily worldwide turnover of the critical ICT provider in the preceding business year. Subject to very limited exceptions, the Lead Overseer must disclose to the public every periodic penalty payment imposed.
Critical ICT providers will be charged fees in order to cover the Lead Overseer’s necessary expenditure for the conduct of its oversight tasks in accordance with DORA, including specifically the costs of appointing third-party experts. This is not a penalty and it is not linked to the Lead Overseer discovering deficient or bad practice.
The amount of these fees will be proportionate to the turnover of the relevant critical ICT provider.
Financial services businesses which use the services of a critical ICT provider will welcome these aspects of DORA. The direct oversight by European regulators will assist them when they are seeking information, reporting, audit and inspection rights from these providers. This is an issue which has caused problems in the past when financial services businesses were seeking to comply with the associated requirements in sectoral outsourcing guidelines.
The companies which are designated as critical ICT providers may not be as welcoming of these direct oversight provisions. This may be because the powers granted to the Lead Overseer align with the types of things which some providers, usually for good practical reasons, have sought to resist in their contracts with customers, e.g. detailed rights of audit, inspection, and reporting.
Coupled with this is the threat of very substantial fines and the requirement to pay the costs of the regulator. These issues mean that the relevant companies should be paying very close attention to this aspect of DORA and taking note that DORA entered into force on 16 January 2023 and its provisions will apply from 17 January 2025.