DORA Demystified: Dispelling 5 Myths for ICT Service Providers

The EU’s Digital Operational Resilience Act (DORA) comes into force from 17 January 2025. Under DORA, in-scope regulated financial services (FS) businesses operating in the EU (Firms) face new cybersecurity requirements and increased management liability.

While DORA mainly targets the digital operational resilience of Firms (read our recent alert on DORA’s impact on Firms), information and communication technology (ICT) service providers (ICT Providers) need to consider their own responsibilities under this new regime, including how DORA may affect contractual obligations with FS sector clients.

Many ICT Providers are experiencing a deluge of new requirements from old and new clients. But it’s worth knowing which requirements are genuinely DORA-related. In this Client Alert, we aim to debunk five myths about how DORA impacts ICT Providers.

What, where and why DORA?

The FS sector relies extensively and increasingly on ICT, including hardware, software, cloud hosting, digital operations, AI, chatbots, blockchain, and outsourcing.

For many years, European regulators (notably, the European Banking Authority) have provided rules and guidance on banks’ and insurance companies’ use of outsourced ICT systems. And the FCA does the same for UK-regulated Firms.

But it’s widely accepted that the FS sector reliance on ICT is increasing, and vulnerabilities are growing. The European Union Agency for Cybersecurity (ENISA) reports that over 9% of identified cybersecurity threats target FS firms. In addition, over 30% of identified vulnerabilities are categorised as either “critical” or “high”. Recent cyber attacks and tech crashes have underscored the EU’s urgent need to strengthen its cybersecurity regime.

DORA is a crystallisation of the EU’s commitment to evolve the FS regulatory regime in order to ensure that the FS sector continues to operate safely and reliably when using ICT services.

Under DORA, Firms face new cybersecurity requirements and increased management liability (we go into greater detail about this in our recent alert on DORA’s impact on Firms). DORA establishes uniform requirements for financial institutions to preserve the stability and integrity of financial markets, and protect investors and consumers. Firms will have to ensure that they can withstand, adequately respond to and recover from ICT disruptions and threats. Under DORA, financial institutions will have to: (i) ensure that they have adequate ICT risk management policies; (ii) follow the ICT incident report mechanism; (iii) perform digital operational resilience tests; and (iv) share information and intelligence regarding cyber threats and vulnerabilities amongst themselves.

To comply with DORA, Firms will need to re-examine their relationships with their ICT Providers. On top of this, some ICT Providers will also have to contemplate the possibility of being classified as “critical” ICT Providers (Critical Providers) – which are subject to their own requirements under DORA. The upshot of all of this is that ICT Providers to Firms are facing an increase in the demands from clients, all of which need to be triaged and responded to appropriately.

But experience so far shows that not all DORA-related requests are created equal – and many Firms are taking the opportunity to mix in plenty of “nice-to-have” requirements among the genuine DORA‑compliant requests.

So, at whatever stage you’re at with your DORA-readiness efforts, let us help by debunking five myths about how DORA impacts ICT Providers.

Hold up – are we in-scope?

First, let’s clarify some relevant definitions:

And, yes, this does mean that there’s a difference between an ICT Provider supporting critical or important functions and a Critical Provider. It’s important to appreciate the difference. Every Critical Provider is likely to be an ICT Provider supporting critical or important functions, but conversely, not every ICT Provider supporting critical or important functions is going to be a Critical Provider.

Myth #1: DORA is an entirely new approach

Although DORA introduces a new regulatory framework, the regime is fundamentally a rewrite and relocation of existing EU guidelines and policies. Most aspects of DORA – such as outsourcing and contractual flow-downs – are not new to ICT Providers. In fact, Firms have already been managing and imposing specific contract terms in their ICT agreements for many years (e.g., based on the European Banking Authority’s Guidelines on Outsourcing). For more on how DORA interacts with other FS sector regimes, see our previous alert.

DORA acknowledges that complying with existing outsourcing guidelines is no longer enough, and a broader scope (i.e., one covering all data and digital services provided to Firms by ICT Providers) is needed with a harmonisation of obligations imposed on Firms (which, in turn, will help to align the Firms’ ICT supply chain). In short, think of it as the same product, but with a new and improved flavour.

Myth #2: DORA prescribes mandatory contractual terms for agreements with Firms

ICT Providers may believe (or be told by their FS clients) that they must comply with every contractual demand from Firms when negotiating DORA-related arrangements. This is not accurate: DORA does not require prescriptive contractual language in agreements.

Instead of prescribing exact terms, Articles 28 and 30 of DORA outline elements of contractual requirements that are flexible and intended to be considered holistically. For example, Article 30(2)(c) requires relevant contractual coverage on the availability, authenticity, integrity and confidentiality of personal data. However, it will be up to the contracting parties to check if this topic is already covered in an existing data processing agreement (in which case, it doesn’t need to be renegotiated).  

Remember that there’s a difference between an ICT Provider supporting critical or important functions and a Critical ICT Provider? Here’s one distinction: DORA Article 30 sets out some contractual elements that will apply to contracts with an ICT Provider supporting critical or important functions; it doesn’t specify an extra layer of contractual requirements for Critical Providers.

Firms and all ICT Providers should be reviewing the contractual elements set out in DORA (bearing in mind what category of ICT Provider or services are being addressed) to work out what elements of contracts are affected. And also, it’s necessary to take account of any standards further defined in the accompanying Regulatory Technical Standards (which are binding standards adopted by the European Commission to supplement EU legislation and address highly technical issues in practice). 

Interestingly, from a Privacy perspective, DORA does anticipate voluntary use of standard contractual clauses (DORA SCCs). DORA SCCs could provide standardised wording that Firms and ICT Providers can use without negotiation (similar to the use of SCCs in the data protection context). For now, there are currently no publicised plans to introduce DORA SCCs.

Myth #3: DORA only applies to Firms and ICT Providers located in the EU

All Firms, approximately 22,000 located in the EU, need to comply with DORA. In addition, the European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pension Authority, and the European Securities & Markets Authority; together, the ESAs) recently identified around 15,000 ICT Providers directly serving Firms across the EU. However, DORA can apply to any ICT Providers based outside of the EU where they offer services to or have contracts with Firms in the EU.

As mentioned in Myth #1 above, this means that certain UK-based ICT Providers with Firm clients in the EU may need to navigate two parallel regimes in practice.

In November 2024, the FCA, PRA, and Bank of England jointly published their final rules and requirements for “critical third parties”. Once designated by HM Treasury, the regulators will directly oversee the specific ICT services provided to UK Firms. The rules will require “critical third parties” to:

• provide regular assurance, information and notifications to the regulators on their ICT services;
• undertake resilience testing and scenario-based exercises; and
• report major incidents like cyber attacks and power outages.

Myth #4: ICT Providers can self-classify whether they are Critical Providers

No. There may be an element of self-classification involved in determining whether an ICT Provider supports critical or important functions. But only the ESAs can (eventually) designate certain ICT Providers as “critical”.

Any ICT Provider designated as “critical” will fall under the ESAs’ dedicated oversight framework. Each Critical Provider will be assigned a lead overseer, which will be the ESA with responsibility for the largest share of total assets owned by the Firm using the Critical Provider.  

The ESAs’ designation of Critical Providers will be based on both qualitative and quantitative factors, including:

• the systemic impact on the stability and continuity of FS if an ICT disruption occurs;
• the systemic importance of the Firms relying on the ICT Provider’s functions;
• the degree of reliance by Firms on the ICT Provider; and
• the degree of “substitutability” of the ICT Provider (i.e., how easily it can be replaced by an alternate ICT Provider).

The ESAs will obtain this data from the registers of information that Firms are required to maintain and update with all contractual arrangements involving the use of ICT services.

We expect the ESAs to begin making these designations in mid-2025. ICT Providers that are not designated as “critical” under this regime may voluntarily opt in to the oversight framework.

Myth #5: Most ICT Providers don’t have to do anything to prepare – unless they’re a Critical Provider

While DORA primarily regulates Firms, ICT Providers should remain wary. ICT Providers may face demands for additional contractual provisions from Firm clients to ensure compliance with DORA. This will mean contract amendments and renegotiations, likely on a compressed timeline. In addition, as we mention in Myth #2 above, some of these “necessary” changes may be a mechanism for Firms to impose commercially favourable positions.

Critical Providers, however, will have a longer action list and need to be particularly vigilant. The oversight framework requires extensive collaboration between the Critical Provider and the lead overseer. Critical Providers can expect their respective overseers to conduct tailored monitoring, conduct on-site inspections, request access to organisation documents, and issue remedial measures. Critical Providers will also be expected to maintain an adequate business presence in the EU to ensure enforceability of penalties. For more discussion on DORA’s obligations for Critical Providers, see our previous alert.

Non-compliance could result in daily penalty payments of up to 1% of a Critical Provider’s daily worldwide turnover. As a last resort, the relevant lead overseer may even require Firms to suspend or terminate services provided by a non-compliant Critical Provider. Additionally, Critical Providers must pay fees to their lead overseers to cover oversight costs that are proportionate to their turnover.

Next Steps to Consider

While Firms may have already completed their preparatory DORA efforts (or be close to doing so), ICT Providers may still need to actively assess which clients are Firms and whether to expect renegotiation of existing agreements (likely, yes). A gap analysis of existing contracts against the DORA requirements will prepare ICT Providers for any negotiations.

Any ICT Provider ought to assess whether it supports its clients’ critical or important functions because DORA imposes more contractual requirements on such providers. ICT Provider Marketing teams may want to increase stickiness by claiming that their services do support critical or important functions, but the Regulatory and Legal teams may want to argue exactly the opposite in order to reduce the imposition of onerous contractual terms.

We expect organisations with sizable market shares in the cloud and data analytics industries to fall under the “critical” designation, in which case they will need to establish a subsidiary in the EU within 12 months of being designated. Critical Providers may also need to participate in Firms’ annual resilience tests and a triannual threat-led penetration test. 

Although the next few months may increase the administrative burden on ICT Providers, they still have time to take proactive steps to make sure they can better navigate the complexities of DORA so that they are well prepared for the upcoming changes.

We are grateful to Safwan Akbar for his contribution to this alert.