Share this post
Napoleon understood the importance of resilient supply chains as his Grande Armée spread across Europe. Today, payment firms are being told to improve the resilience of their operations by overseeing their ICT supply chains. The EU’s Digital Operational Resilience Act, affectionately known as DORA, is on top of the agenda.
Daunting DORA
DORA’s deadline looms large. EU banks, e-money issuers and payment institutions have until January 2025 to meet DORA’s tougher and more prescriptive standards for managing ICT risks. The regulation also impacts providers of ICT services.
A lot of ink will be spilt in the coming months. Firms must be ready to present to their regulators a package of documents evidencing their readiness to bounce back from disruption. This includes a digital operational resilience strategy, crisis communication plans and an ICT third-party risk strategy.
DORA’s impact on contracts is most likely to cause trepidation. Firms must reopen their contractual arrangements with ICT service providers to ensure they comply with DORA. The most onerous obligations relate to services that support critical functions.
The whole supply chain will be impacted. Firms are expected to use their contracts with ICT service providers to push elements of DORA onto subcontractors, including access and audit rights. Firms monitor key ICT risks down the supply chain, which means repapering contracts to include more reporting obligations.
Firms must draw up a new register about the ICT services they use. This register includes details about the contractual arrangements with third-party providers and their subcontractors. Regulators will use firms’ registers of information better to understand the ICT dependencies across the EU financial system.
DORA gives regulators another tool in their arsenal. Firms can expect more intensive supervision about protecting ICT systems, detecting anomalous activities, responding to cyber threats and managing third-party providers. Regulators plan to hold senior managers to account for how they manage ICT risks.
Mind the gap
The good news is that firms do not have a standing start regarding DORA. Several aspects of DORA should be familiar to payment service providers. For example, the regime for reporting ICT-related incidents builds on existing payments legislation. Firms can also draw on their experience of implementing EU outsourcing guidelines when tackling DORA’s contractual requirements.
But DORA goes further than the existing framework. For example, policies must be revised to reflect DORA’s remit. A wider range of incidents need to be reported under the new regime. DORA’s impact on contracts is not limited to outsourcing arrangements.
Firms should use a gap analysis to help focus their DORA implementation projects. Comparing the regulatory framework as it applies today against the higher standards set by DORA reveals the extent of the uplift, which needs to be completed before the end of the year.
Unhelpfully, firms are facing a moving target. The full suite of technical standards and delegated legislation – including the rules on subcontracting – will only be finalised six months before DORA starts to apply. Firms have no choice but to engage with their ICT service providers based on the draft texts that have been released so far.
Going global
DORA is not the only show in town. Key aspects of the UK’s operational resilience regime start to apply next year. UK payment institutions, e-money institutions and recognised payment systems will be required to remain within the impact tolerance levels they have set in case of a severe but plausible disruption. Preparing for this deadline should be the focus for firms in 2024, supported by their mapping exercises and scenario testing.
The differences between the EU and UK regimes exemplify the problem faced by payment firms with an international footprint. As well as operational and reputational risks, ICT incidents and cyber-attacks will increasingly have legal and regulatory consequences, too. Managing multiple regimes – and multiple regulators – is another element for firms to factor into their resiliency planning. Napoleon had it easy.