IT provision in the financial sector – new advice on DORA applicability published

The European Supervisory Authorities have published new technical advice (ESA 2023 23) in relation to the Regulation on Digital Operational Resilience for the Financial Sector ((EU) 2022/2554) (DORA / Digital Operational Resilience Act), due to come into force in the EU in January 2025.

Broadly, the aim of DORA is to provide harmonised legislation that improves the ability of financial institutions to withstand ICT-related disruptions and threats, including cyber-attacks.

Financial institutions (including those in the banking and insurance sectors) and ICT providers to the financial industry operating in the EU will be interested to note the new advice. Until now, stakeholders have been waiting for detail on the process for designating which ICT providers will be deemed critical to the stability and integrity of the EU financial system. The new technical advice sets out criticality criteria for ICT providers, including a two-step indicator-based approach.

The first step assesses ICT third-party providers that provide ICT services to financial entities within the scope of DORA against six quantitative indicators, each with a corresponding minimum threshold. The outcome of step 1 indicates which ICT third-party providers proceed to further assessment under step 2.

The technical advice also gives more information on the oversight fees that will be charged to those designated by the ESAs as critical ICT third-party providers, covering the conduct of oversight tasks by whichever of the ESAs acts as the provider's lead overseer.

DORA puts wide-ranging obligations on financial entities in respect of their ICT risk management frameworks, ICT incident reporting and digital operational resilience testing. Where financial entities outsource ICT functions to ICT providers, those ICT providers will also be affected by the knock-on effect of these obligations.

“To address potential systemic and concentration risks posed by the financial sectors’ reliance on a small number of ICT TPPs, the DORA introduces a Union oversight framework for providers deemed critical.”
