QA Financial Forum New York | 15 May 2024 | BOOK TICKETS
Close this search box.

‘Two step approach’ for DORA as EU unveils details on critical providers and fees

(Source: ESCO)
(Source: ESCO)

The European Commission has formally adopted a number of stipulations related to its major new piece of regulation, the EU Digital Operational Resilience Act (DORA).

The EU’s executive body has issued a whole set of secondary legislation that sets out detailed, technical rules specifying some of the key provisions of DORA, which will come into force on 17 January of next year.

Firstly, it has now been confirmed that DORA will introduce an ‘oversight framework’, which did not exist under pre-existing outsourcing regulations.

ICT third-party service providers that are designated as ‘critical’ will be made subject to regulatory scrutiny, largely overseen by the European Supervisory Authorities (the ESA), which are the European Securities and Markets Authority (ESMA), European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA).

This approach allows the ESA to investigate and inspect providers in relation to IT security, risk management and governance issues.

The framework also gives ESA the power to make recommendations and issue fines of up to 1% of the ICT third-party provider’s annual worldwide turnover.

Moreover, the EC also detailed the criteria “for the designation of ICT third-party service providers as critical for financial entities.” In other words, it set out what ‘critical ICT providers’ are. In addition, the EU body also introduced a vast and fairly complex structure for oversight fees.

What does DORA cover?

Last month, the ESA published consultation papers on their latest batch of draft standards relating to DORA.

The draft standards covered topics including stipulating timeframes for IT incident reporting. An initial report is required within 4-hours of the classification of a major incident, followed by an intermediate report within 72-hours and a final report within 1-month.

Draft standards were also set out concerning the management of critical third-party IT providers and security testing. Responses are accepted until next week, 4 March, although the EC has now moved ahead and introduced a ‘two step approach’ for critical third-party providers.

Two step approach

To determine whether an ICT third-party service provider is ‘critical’ for banks, insurance firms and other financial entities, the ESAs will use sub-criteria in a two-step approach assessment.

Firstly, the ESAs will take into account important ICT services and the diversity and number of financial institutions that use those services.

This is primarily done to “filter the population of ICT third-party service providers and identify the most critical ICT third-party service providers.”

After this ‘first selection’ of ICT third-party service providers, a further in-depth analysis will be carried out that focuses on a range of sub-criteria. So far, the EC has not set out these standards but has hinted that, in some cases, it will be left to individual member states to fill these gaps.

‘Huge challenge’

Implementing DORA will be a huge challenge for many financial services players, a task that many banks and other finance firms may underestimate as it may require an overhaul of their current culture.

Steve Rackham, CTO for Financial Services at NetApp
Steve Rackham

That warning came last week from industry insider Steven Rackham, currently the chief technology officer for Financial Services at NetApp, based in London.

Rackham, who is also a financial services council member at industry group TechUK said that “preparing for any change in regulation is hard enough, but with the European Banking Authority yet to publish the final technical specification or a list of critical IT providers, businesses are effectively still in the dark in terms of the detail,” he said.

“Gambling by taking a ‘wait and see’ approach is unlikely to impress the regulator.”

“For many, DORA will require going against conventional wisdom and accepting that DORA is primarily a business challenge and not just a technology issue.”

Steve Rackham

Rackham stressed that a cultural change is needed within any financial services firm to fully understand and implement DORA.

“The reality is that the whole business needs to get behind it, and everyone in the organisation will have some role to play. This means a cultural change at every level and the recognition that flexibility will be important at a time of momentous change for financial services,” he stated.

EU’s own central bank

Interestingly, the EU’s own central bank will also be subject to DORA scrutiny, particularly since it is rapidly introducing AI tools to monitor and supervise banks across the bloc.

For the first time, the European Central Bank has confirmed it is using artificial intelligence in its daily operations to monitor the activities of banks across Europe.

Elizabeth McCaul, who is a top Eurozone monetary policymaker and member of the ECB supervisory board, said the ECB has started integrating AI to improve the efficiency and effectiveness of supervisory processes.

Elizabeth McCaul, a member of the ECB supervisory board
Elizabeth McCaul

“Currently, our AI applications enable us to query supervisory data and employ chatbot functionalities for supervisory regulations and methodologies,” McCaul revealed, writing in French trade publication Revue Banque.

McCaul stressed the “unprecedented pace at which data is being generated in today’s digital era” has prompted the bank to turn to AI.

She added that to analyse vast amounts of data, improve risk identification, support decision-making, and automate repetitive tasks AI can “significantly bolster the work of banking supervisors.”

Just like Rackham, McCaul acknowledged the need for a major re-think within the financial services space, as she warned for risks associated with AI, which “remain not fully understood.”

This is “a clear dilemma” for banks, as the ECB insider put it.


Meanwhile, some efforts are underway to help businesses make sense of the upcoming rules.

At the end of last year, the German Federal Financial Supervisory Authority, BaFin, launched an information site designed to provide guidance to financial institutions on DORA.

The site provides an overview of DORA, as well as giving updates on the current state of DORA consultations being carried out by the European supervisory authorities – the EU regulatory advisory body comprised of the EBA, EIOPA and ESMA.

Other regulators are expected to roll out similar websites in the next few months.

Want to stay up to date and receive our news, features and interviews for free? As well as all the latest info about our global events.

Our e-newsletter lands in your inbox every Friday. Sign up HERE in one simple step.

  • DORA is coming into force in January of next year

    DORA test coming as EU watchdogs want to see ICT contracts

  • Mav Turner

    Tricentis integrates GenAI in new testing tool to boost productivity

  • Long Read: The risk of neglecting API functional testing

  • Industry on a mission: the long road to uniform AI testing