When ICT Service Providers are subject to financial Oversight: An Overview of the DORA Supervisory Framework

12.09.2024

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) places a comprehensive set of obligations on financial entities to strengthen their cyber-resilience (see our Insight Digital Operational Resilience Act (DORA) and its Significance for the Financial Sector). The legislation also sets out requirements for certain ICT service providers and subjects them to an “oversight light”. The European legislators consider certain ICT third-party service providers, owing to their increasing interconnection with the financial sector and the growing interdependence of ICT systems, to be so relevant for the functioning of the financial system that public supervision is necessary. Such providers are designated as critical ICT third-party service providers (CTPP).

Accordingly, pursuant to Article 28 et seq. of DORA, managing ICT third-party risk is considered a key principle of sound ICT risk management by financial entities. This entails financial entities agreeing on certain contractual provisions with their service providers. Furthermore, DORA also imposes substantial demands on the service providers themselves: if they support critical or important functions, they must use “the most up-to-date and highest information security standards” (see recital (66) and Art. 28(5) DORA).

Which ICT third-party service providers are critical?

It is for the supervisory authorities to determine which ICT third-party service providers are to be classified as critical. According to Article 31 section 11 of DORA, service providers can also request to be designated as critical themselves.

The authorities’ classification is based on a number of criteria, which can essentially be summarised as follows:

  • Customer structure: Firstly, the authorities will include in their materiality assessment which financial entities the service provider supplies and whether these include systemically important financial entities. It must be taken into account whether a disruption of the service provider’s services would have systemic effects and consequences for the financial sector, and if so, which.
  • Importance of the services: Secondly, the authorities also take into account the specific services provided by a service provider that could potentially be categorised as CTPP. In particular, they examine the extent to which critical functions of financial entities depend on those ICT services and how easily the ICT third-party service provider could be substituted.

In Delegated Regulation 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council, the EU Commission substantiated the criteria for designating ICT third-party service providers as critical for financial entities. That Delegated Regulation specifies the criteria outlined above in more detail.

However, there are also exceptions (Article 31 section 8 DORA). For example, intra-group ICT service providers or service providers that only operate in a single EU Member State cannot qualify as CTPP.

What are the implications of being designated as a CTPP?

The Lead Overseer possesses information, control and audit rights towards the CTPP.

Specifically, this means that from January 2025, the Lead Overseer will have the right to inspect CTPP and to

  • request information and conduct general investigations and audits, including on-site audits
  • issue recommendations on IT security, General Terms & Conditions and planned subcontracting
  • impose, in the event of full or partial non-compliance with the measures imposed on the critical ICT third-party service provider, penalty payments of up to 1% of the average worldwide daily turnover generated by the CTPP in the previous financial year, until compliance is achieved
  • publicly disclose when a supervised entity fails to comply with these recommendations and when penalty payments have been imposed.

Also of practical relevance is the new requirement that financial entities may only use the services of a CTPP established in a third country if the service provider sets up a subsidiary in the EU within twelve months of being designated as a CTPP.

What standards do the authorities use for monitoring?

The Lead Overseer’s monitoring criteria (Article 33(3) of DORA) provide a good indication of what the authorities expect from ICT third-party service providers.

As a rule, ICT service providers will also be subject to the (new) requirements of the national laws transposing the NIS2 Directive, while DORA is the more specific law for financial entities (Article 1 section 2 DORA). For the CTPP, compliance with the risk-management measures under Article 21 of the NIS2 Directive will overlap extensively with the following requirements (see also our overview of the more specific requirements under NIS2):

  • ICT requirements: Ensuring the security, availability, continuity, scalability and quality of services as well as data integrity and confidentiality. This must also include regular tests and audits.
  • Physical security: Protection of premises, facilities and data centres to support ICT security. This may also become important under the KRITIS Umbrella Act for service providers.
  • Risk-management processes: Strategies for ICT risk management, business continuity and recovery plans.
  • Governance: Clear and transparent responsibilities and accountability for effective ICT risk management.
  • Incident management: Detection, monitoring and immediate reporting of significant ICT incidents, especially cyberattacks, and their resolution.
  • Data portability and interoperability: Mechanisms to ensure data and application portability. This will ultimately also be relevant under the Data Act.

What are the implications for financial entities?

If the Lead Overseer identifies violations, it can issue recommendations that the CTPP must implement. If the CTPP does not comply, the Lead Overseer has the option of instructing financial entities to partially or completely suspend their use of the service provider in question until the irregularities have been remedied. In addition, certain measures can also be published on the authorities’ websites.

It will be of interest to observe the extent to which the Lead Overseer makes use of this right, particularly with regard to its power under Article 35 section 1 lit. d (ii) of DORA to issue recommendations on contractual conditions and terms. Overall, such recommendations could help reduce the frequently observed imbalances in negotiating power between major service providers and financial entities.

Summary and outlook

DORA represents a further milestone in financial market regulation at EU level. For the first time, a supervisory framework is being created for ICT third-party service providers that are classified as particularly critical for companies in the financial sector (regardless of whether those companies are categorised as, for example, a credit institution, investment services company or insurance company), and this framework will be exercised by financial supervisory authorities. It is not a form of supervision comparable to that of financial companies. However, the practical consequences for CTPP should not be underestimated, as the supervisory authorities are provided with instruments to enforce their expectations of effective ICT security, possibly indirectly via the CTPP’s customers, the financial entities, and thus to promote the stability of the financial market. This approach corresponds, at least in part and in terms of its rationale, to the approach already chosen by the German legislator with the FISG, when BaFin was granted the option of issuing orders to enforce supervisory requirements against outsourcing companies to which key activities and processes have been outsourced. It will be interesting to see how the European supervisory authorities make use of their new powers and how the self-confident market-leading ICT third-party service providers adapt to the new regulatory framework.