How tech firms can prepare for new EU operational resilience rules on ICT risks

This blog post was authored by Karter Klumpyan and Laura Moore, Director, Risk and Compliance, on The Protiviti View.

The big picture: A two-step, indicator-based approach proposed by the EU supervisory authorities will be used to assess ICT services providers and determine whether they should be designated as critical and brought under the oversight framework of the Digital Operational Resilience Act (DORA).

Why it matters: For many technology firms designated as critical, meeting the requirements of DORA and of financial services regulators will be challenging. Demonstrating compliance and giving regulators access to premises will add complexity, and there are potential financial penalties as well as the risk of noncompliance being publicly disclosed.

What's next: Technology companies should prepare for the new rules by understanding the requirements and engaging in the consultation processes. Even if an ICT services provider is not designated as critical under DORA, aligning with DORA's standards can provide a competitive advantage.

The oversight framework and the compliance obligations for financial services companies specified in the European Union's Digital Operational Resilience Act (DORA) have attracted significant attention since the regulation's formal adoption in November 2022. There has been less focus, and less clarity, on DORA's impact on the information and communication technology (ICT) services providers that do business in the EU financial sector. This may be partly because the criteria for designating the critical ICT services providers that come under the oversight framework took a while to be ironed out. While the criteria were published in late September 2023, the details of the designation procedure have yet to be defined.
About DORA

DORA is part of the EU's digital finance package, a body of measures meant to enable and support innovation and competition in digital finance while mitigating the related risks. It is the first EU financial regulation that applies to ICT services providers, which include cloud service providers, information security and cybersecurity providers, network infrastructure providers, data center providers, software development firms and data analytics firms. Under DORA, the European Supervisory Authorities (ESAs), which include the European Banking Authority, are responsible for directly overseeing ICT services providers deemed "critical" to the operations of financial entities. The regulation creates a universal and binding ICT risk management framework and set of standards that all financial institutions in the EU, including banks, credit institutions, insurers, payment processing firms and nontraditional entities such as crypto-asset service providers, must implement across their ICT systems by January 17, 2025.

A holistic approach to assessing criticality

The ESAs have proposed a two-step, indicator-based approach for performing a holistic criticality assessment of ICT services providers.
Under Step 1, an ICT services provider falls under the oversight framework if it supports the critical or important functions of:
- 10% or more of the total number of financial entities in the EU;
- financial entities in the EU that together account for 10% or more of the total value of assets of financial entities in the EU (or an equivalent metric);
- at least one global systemically important institution or at least three other systemically important institutions;
- at least one financial market infrastructure identified as systemically important or at least three financial entities identified as systemically important;
- financial entities in an area of service where there is no alternative service provider, as identified by 10% or more of those entities;
- financial entities in an area of service that is highly complex or difficult to migrate or reintegrate from the service provider, as identified by 10% or more of those entities.

ICT services providers that exceed a certain number of minimum relevance thresholds across the six Step 1 indicators could be subject to further assessment under Step 2. A methodology for the combined application of Steps 1 and 2 (illustrated in the graphic below) is being developed.

[Figure: The two-step, indicator-based approach to performing a holistic criticality assessment.]

What it means to be deemed 'critical'

An ICT services provider deemed critical can expect to be assessed annually by a lead overseer, which could be a regulator or independent experts. Based on the assessment, the lead overseer will produce an annual oversight plan and objectives, and the provider has a short window of 15 days to respond to the draft plan.

Additionally, a critical ICT services provider should be prepared to receive direct audit inquiries from its EU financial services clients. Clients can send auditors to assess how the provider manages and operates the activities related to operational resilience that the regulation covers.
While such requests may not be new, clients may require more detail or access than they have in the past.

Critical ICT services providers can also expect to be charged fees to cover the expenses the lead overseer incurs in conducting its oversight tasks. The amount of the fees and how they are to be paid have yet to be determined. There is also a potential periodic penalty of up to 1% of average daily worldwide turnover, charged daily for up to six months, for noncompliant critical ICT services providers. While not defined in the regulation, noncompliant ICT services providers may also face public disclosure of their noncompliance and, in more egregious cases, limits on their ability to work with financial services clients.

Finally, ICT services providers established outside the EU will need to set up a subsidiary in the EU within 12 months of being designated as a critical provider. Beyond the cost implications, the EU entity will need to be an active part of management and be accountable to EU regulators and customers.

How to prepare for DORA

For many technology firms and ICT providers, meeting the requirements of DORA and the expectations of financial services regulators in the EU will be a heavy lift. For instance, demonstrating compliance (e.g., compiling and providing documentation on business models, controls and systems) and giving regulators access to premises for on-site reviews will create complexities for many firms.
ICT services providers can take proactive steps now to prepare for the new rules, including:
- Understanding DORA's requirements, as outlined above, and determining whether what the business provides might be categorised as systemically important to the financial services sector.
- Creating a centralised, consistent and documented process for responding quickly and easily to audit and assessment requests from financial services clients and regulators.
- Conducting a gap assessment against the current version of DORA to understand whether any fundamental gaps exist and how to address them (e.g., will the business need to stand up a meaningful presence in the EU, and how long will that take?).
- Engaging in the consultation processes related to DORA to stay apprised of developments, and providing input through lobbying and proactive advocacy.
- Proactively reaching out to financial services clients in the EU to explain what the business is doing to meet DORA's requirements, including those for digital operational resilience testing (e.g., vulnerability assessments and network security assessments).

Even if an ICT services provider is not designated as critical under DORA, its financial services clients are likely to take a more critical eye to its operations. Financial services companies will ask whether an ICT services provider's current practices and policies could put their own operational resilience at risk. These inquiries may lead financial services companies to take action, especially where the ICT services provider supports an EU-regulated entity's critical or important function.
ICT services providers also run the risk of being designated as critical in the future if their financial services market share grows to the point where it meets the EU's criteria.

Aligning with DORA's standards can give tech firms a competitive advantage by demonstrating that they prioritise risk reduction and operational resilience regardless of whether they are required to do so. Companies not operating in the EU would also be wise to prepare, given the strong possibility that other jurisdictions such as the United Kingdom and the United States will seek to create similar regulatory regimes.