ICT

The current draft of the lacking regulatory technical standards (RTS) for DORA still contains some ambiguities, particularly regarding the classification of financial entities as ICT third-party service providers. EIOPA has now issued interpretation notes to reduce these ambiguities. There has also been movement on the subject of RTS for subcontracting. An overview.

From January 2025, DORA will introduce uniform requirements for ICT security, but exceptions for smaller financial institutions will provide a degree of relief. Nevertheless, differences between EU member states will remain due to national implementation leeway.

DORA places new demands on the digital resilience of financial companies, while the distinction between financial and ICT services raises questions in detail. Clear principles for interpreting the regulations are urgently needed to create legal certainty for the industry.

The DORA significantly restricts the contractual freedom of financial companies and ICT third-party service providers by imposing a number of mandatory requirements on the drafting of contracts. This could put medium-sized financial companies in particular in a stronger negotiating position, while even large ICT providers will be obliged to implement the new requirements.

DORA obliges financial institutions to manage the ICT third-party risk through appropriate contract design. To this end, DORA specifies minimum content that is intended to strengthen the position of the financial institution and increase security. But what consequences does this have for future and existing contracts?

DORA imposes a number of new obligations on financial companies. This can be particularly burdensome for small companies. But who actually falls within the scope of the regulation and are the rules the same for everyone affected?