Ensuring Compliance with DORA: Key Requirements for EU Financial Institutions
Introduction
The Digital Operational Resilience Act (DORA) that came into force on January 17, 2025 is the EU’s answer to growing demand for regulatory oversight of an increasingly fragmented and complex information and communication technology (ICT) landscape within the financial sector. Similar to many new directives from Brussels that focus on novel technologies and the challenges they present – for example, the Markets in Crypto-Assets Regulation (MiCA) that tackles digital asset regulation – DORA attempts to lay the groundwork for a more unified, secure, and stable ICT environment in the EU.
Determine applicability: Are you affected by DORA?
DORA applies broadly across the financial industry, including entities such as banks, insurance companies, investment firms, asset managers, and payment institutions. Certain ICT third-party service providers designated by the European Supervisory Authorities (ESAs) are also subject to direct regulatory oversight under DORA. These rules aim to mitigate ICT risks and ensure a prompt response to any ICT-related disruptions.
Implement the key requirements of DORA
Since DORA’s inception, certain key requirements have emerged as particularly important to financial institutions looking to ensure compliance from their “critical or important” ICT third-party service providers. These requirements comprise key contractual provisions that must be included in any DORA-related agreement. A function is considered “critical or important” under DORA if its disruption could significantly impact a financial institution’s 1) financial performance, 2) stability, or 3) the continuity of its services and operations.
1. Manage subcontracting and third-party risk
DORA imposes obligations on subcontracting activities. It requires a regulated entity’s prior consent before a service provider may subcontract or delegate the performance of any of its major obligations. For example, a regulated entity must explicitly approve a cloud hosting provider delegating critical data storage services to another party, which maintains transparency and accountability.
This requirement also mandates proactive monitoring of any subcontractors, as well as the service provider’s assumption of liability for the acts of any subcontractor. Importantly, where subcontracting occurs, DORA requires the service provider to ensure that DORA’s requirements flow down to those subcontractors. These requirements are necessary to ensure that financial institutions maintain adequate oversight of who provides critical services.
2. Implement governance and a robust ICT risk management framework
The regulation requires financial institutions to establish a structured ICT Risk Management Framework (IRMF). This framework needs to encompass governance, risk identification, detection, response and recovery from ICT-related incidents, as well as measures to meet the stringent incident reporting obligations set out under the regulation. These require institutions to promptly report major ICT incidents to the relevant supervisory authorities.
3. Establish access and audit rights
DORA requires regulated financial institutions to ensure that their ICT service providers grant rights of access and audit. Depending on whether a service provider supports a “critical or important” function, such rights include the obligation to permit access to systems and records related to the provision of the services. Both customer auditors and regulatory authorities must have the right to audit a “critical or important” service provider. Practically, this means a financial institution must have contractual rights allowing its internal auditors or regulators to inspect the operations of critical ICT providers. This obligation helps promote security and stability through transparency.
4. Develop exit strategies and transition plans
DORA requires exit strategies, in particular the establishment of a mandatory adequate transition period. A practical exit strategy might include clearly defined steps and timelines in the contract to transfer data securely to another provider without interrupting essential services. The intent of this requirement is to ensure an orderly transition of any critical or important functions, helping reduce the risk of any service disruptions. In-scope entities are also required to ensure that contractual terms explicitly address data localisation and jurisdictional considerations so as to mitigate associated risks to their exit plans.
5. Penetration testing
DORA requires ICT providers that support functions deemed “critical or important” by regulated entities to offer the ability to conduct threat-led penetration testing, or TLPT. In practice, penetration testing involves simulating realistic cyber threats against critical ICT infrastructure to proactively identify and address vulnerabilities. Such testing may be conducted in “pooled” arrangements with other regulated customers, so that a TLPT is conducted as efficiently as possible. This testing is key to ensuring the security and resilience of ICT systems over time.
Strengthen your operational resilience with Talos
Adhering to these particular DORA requirements is imperative for financial institutions looking to fortify their digital operational resilience. Non-compliance with DORA may carry significant regulatory, financial, and reputational risks, including substantial penalties from regulators, operational disruptions, and potential loss of client trust.
Talos recognizes the importance of regulatory compliance, and we take pride in providing tools and services to help our clients comply with DORA and other applicable laws and regulations. By plugging Talos’s powerful technology and infrastructure into existing operations, financial institutions can unlock the potential of digital assets while remaining compliant.
To learn more about how Talos empowers institutions to comply with DORA and other regulatory requirements, please reach out to sales@talos.com.
Disclaimer: This information does not constitute an offer to buy or sell, or a promotion or recommendation of, any digital asset, security, derivative, commodity, financial instrument or product or trading strategy. This information is not intended to constitute investment advice or a recommendation to make (or refrain from making) any kind of investment decision and may not be relied on as such. This information is subject to change without notice. It is provided only for general informational, illustrative, and/or marketing purposes, and is not intended for retail clients. The information provided was obtained from sources believed to be reliable at the time of preparation, however Talos makes no representation as to its accuracy, suitability, non-infringement of third-party rights, or otherwise. Talos disclaims all liability, expenses, or costs arising from or connected with the information provided.