Napoleon understood the importance of resilient supply chains as his Grande Armée spread across Europe. Today, payment firms are being told to improve the resilience of their operations by overseeing their ICT supply chains. The EU’s Digital Operational Resilience Act, affectionately known as DORA, is on top of the agenda.
DORA’s deadline looms large. EU banks, e-money issuers and payment institutions have until January 2025 to meet DORA’s tougher and more prescriptive standards for managing ICT risks. The regulation also impacts providers of ICT services.
A lot of ink will be spilt in the coming months. Firms must be ready to present to their regulators a package of documents evidencing their readiness to bounce back from disruption. This includes a digital operational resilience strategy, crisis communication plans and an ICT third-party risk strategy.
DORA’s impact on contracts is most likely to cause trepidation. Firms must reopen their contractual arrangements with ICT service providers to ensure they comply with DORA. The most onerous obligations relate to services that support critical functions.
The whole supply chain will be impacted. Firms are expected to use their contracts with ICT service providers to push elements of DORA onto subcontractors, including access and audit rights. Firms monitor key ICT risks down the supply chain, which means repapering contracts to include more reporting obligations.
Firms must draw up a new register about the ICT services they use. This register includes details about the contractual arrangements with third-party providers and their subcontractors. Regulators will use firms’ registers of information better to understand the ICT dependencies across the EU financial system.
DORA gives regulators another tool in their arsenal. Firms can expect more intensive supervision about protecting ICT systems, detecting anomalous activities, responding to cyber threats and managing third-party providers. Regulators plan to hold senior managers to account for how they manage ICT risks.
The good news is that firms do not have a standing start regarding DORA. Several aspects of DORA should be familiar to payment service providers. For example, the regime for reporting ICT-related incidents builds on existing payments legislation. Firms can also draw on their experience of implementing EU outsourcing guidelines when tackling DORA’s contractual requirements.
But DORA goes further than the existing framework. For example, policies must be revised to reflect DORA’s remit. A wider range of incidents need to be reported under the new regime. DORA’s impact on contracts is not limited to outsourcing arrangements.
Firms should use a gap analysis to help focus their DORA implementation projects. Comparing the regulatory framework as it applies today against the higher standards set by DORA reveals the extent of the uplift, which needs to be completed before the end of the year.
Unhelpfully, firms are facing a moving target. The full suite of technical standards and delegated legislation – including the rules on subcontracting – will only be finalised six months before DORA starts to apply. Firms have no choice but to engage with their ICT service providers based on the draft texts that have been released so far.
DORA is not the only show in town. Key aspects of the UK’s operational resilience regime start to apply next year. UK payment institutions, e-money institutions and recognised payment systems will be required to remain within the impact tolerance levels they have set in case of a severe but plausible disruption. Preparing for this deadline should be the focus for firms in 2024, supported by their mapping exercises and scenario testing.
The differences between the EU and UK regimes exemplify the problem faced by payment firms with an international footprint. As well as operational and reputational risks, ICT incidents and cyber-attacks will increasingly have legal and regulatory consequences, too. Managing multiple regimes – and multiple regulators – is another element for firms to factor into their resiliency planning. Napoleon had it easy.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
