The Digital Operational Resilience Act (DORA), effective since January 17, 2025, is the EU's latest effort to strengthen digital operational resilience across the financial sector by harmonizing rules for managing information and communication technology (ICT) risk. While primarily focused on financial entities, DORA significantly impacts IT vendors that provide services to this sector, given their crucial role in the financial ecosystem.
This article highlights seven common challenges IT vendors face with DORA compliance and outlines what they need to consider for each.
Key Challenges for IT Vendors:
Defining "ICT Services": DORA's broad definition of "ICT services" (digital and data services provided through ICT systems) can lead to interpretation challenges, particularly around the phrases "through ICT systems" and "on an ongoing basis," and because the definition sets no materiality threshold.
Direct Obligations: Generally, DORA directly obligates only regulated financial entities and "critical ICT third-party service providers" (CTPPs) – systemically important vendors whose service disruption would significantly impact the financial system. Most IT vendors face indirect impacts through enhanced oversight from financial entities and new contractual requirements. Non-compliant vendors risk losing business.
In-Scope Customers: All regulated EU financial entities are subject to DORA. IT vendors must also consider indirect service provision as subcontractors, as DORA obligations extend throughout the supply chain.
Distinguishing DORA from Existing Regulations: DORA expands upon previous EU regulations like the EBA Guidelines on outsourcing. Key differences include a wider range of in-scope financial entities and services, direct obligations for CTPPs (a first for financial regulators overseeing IT vendors), and broader contractual requirements.
"Critical or Important Functions": DORA imposes stricter obligations for ICT services supporting a financial entity's "critical or important functions" – those whose disruption would materially impair the entity's performance or compliance. Disagreements between vendors and customers on this classification can pose significant challenges.
Required Contract Terms: Contracts for ICT services must specify service locations, provide for vendor assistance during incidents, ensure appropriate security measures and data recovery, include staff operational resilience training, and allow for specific termination rights. More stringent terms apply to services supporting critical or important functions, including business continuity, participation in Threat-Led Penetration Testing (TLPT), audit rights, exit provisions, and subcontracting conditions.
CTPP Designation: The European Supervisory Authorities (ESAs) are responsible for designating CTPPs based on detailed criteria (e.g., organizational size, reliance by systemically important institutions). Once designated, a Lead Overseer ESA will monitor the CTPP's ICT risk management, conduct assessments, and may impose fines for non-compliance (up to 1% of average daily worldwide turnover).
