Managing ICT third-party risk – new obligations under the Regulation on Digital Operational Resilience
Monitor Prawa Bankowego 2023/11 (November)
On 16 January 2023 the Regulation on Digital Operational Resilience for the financial sector[1] entered into force[2], and shall apply from 17 January 2025[3]. The regulation lays down uniform requirements concerning the security of network and information systems[4] supporting the business processes of financial entities[5]. This includes requirements applicable to financial entities in relation to measures for the sound management of ICT third-party risk[6] and requirements in relation to the contractual arrangements concluded between ICT third-party service providers (ICT TPSPs) and financial entities[7]. I fully concur with the view that the term „contractual arrangement”, which is repeatedly used in DORA in the context of the requirements of this regulation, should be understood as „an agreement” („a contract”)[8].
Bartosz Wyżykowski
The purpose of this article is to establish the personal and material scope of application of DORA, and to discuss how it relates to sectoral regulations governing outsourcing, using banking[9] and payment[10] outsourcing as an example, as they are closest to me professionally. Next, the key obligations of financial entities in their relationship with ICT TPSPs, in particular those set forth in articles 28-30 DORA (Section I of Chapter V of this act), will be listed. Finally, the impact of these regulations on agreements (including outsourcing agreements) concluded between financial entities and ICT TPSPs will be discussed. In this article, when using the term ‘outsourcing’, I generally mean sectoral outsourcing regulated by EU or national law, such as banking or payment outsourcing. The oversight framework for critical ICT third-party service providers (Section II of Chapter V DORA) remains outside the scope of this analysis[11].
Financial entities
The closed catalogue of financial entities is defined very broadly in DORA[12], and includes entities such as credit institutions, payment institutions (including payment institutions exempted pursuant to PSD2[13]), account information service providers, electronic money institutions (including electronic money institutions exempted pursuant to EMD[14]), investment firms, insurance and reinsurance undertakings, as well as insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries[15]. However, it does not include all categories of providers which EU legislation has come to accept as providers of financial services in the broadest sense of the term[16].
At the same time, article 2(3) DORA provides for specific exemptions for certain categories of entities. As a result, the regulation does not apply, for example, to insurance and reinsurance undertakings as referred to in article 4 of Directive 2009/138[17], or to insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises[18]. In this context, two problematic issues become apparent.
First, the question arises as to whether it was the intention of the EU legislator that the exemption provided for in article 2(3) DORA should apply to the activities of the entities designated therein only to the extent that the entity in question acts as a financial entity, or also to the extent that the entity acts as an ICT TPSP, where this is the case. By way of example, let us assume that an insurance intermediary[19] (an insurance agent[20]/insurance distributor[21] under Polish law) meets the prerequisites of a medium-sized enterprise, and therefore DORA does not apply to it under article 2(3) of the act. At the same time, in addition to its core business of insurance intermediation, the entity also provides ICT services to an insurance undertaking (or other financial entity) to which DORA is applicable. Lege non distinguente, it could be argued that in such a case DORA also does not apply to the insurance intermediary in its relationship with the insurance undertaking. Alternatively, it could be argued that since DORA does not apply to such an entity, it consequently cannot be classified as an ICT TPSP at all. However, such an interpretation is contrary to the ratio legis of the regulations in question. The fact that the said insurance intermediary is a medium-sized enterprise is irrelevant if it provides ICT services to the insurance undertaking that are relevant from the perspective of DORA. From the financial entity’s perspective, precisely those risks that it is required to manage under DORA arise in such a case (provided, of course, that the inapplicability of DORA to the insurance intermediary is not considered to exclude its classification as an ICT TPSP under the regulation). The drawback of this interpretation is the conclusion that in such a case DORA will in fact apply to an insurance intermediary, despite the fact that it remains formally excluded from the regulation’s scope.
An additional drawback is that article 2(3)(d) DORA provides an exemption for, among others, entities that are not financial entities under DORA. By way of example, this provision refers to natural or legal persons exempted under articles 2 and 3 of Directive 2014/65/EU[22], which include members of the European System of Central Banks (ESCB) (article 2(1)(h) of that directive), and therefore central banks (which are not financial entities within the meaning of DORA[23]). This correlates with recital 63 in fine DORA, which states that central banks when operating payment or securities settlement systems, and public authorities when providing ICT-related services in the context of fulfilling State functions, should not be considered to be ICT TPSPs (although it is worth mentioning that, in light of the same recital, other participants in the payment services ecosystem, providing payment-processing activities or operating payment infrastructures, should be considered to be ICT TPSPs). It can be inferred from this that it was the intention of the EU legislator that the inapplicability of DORA under article 2(3) DORA, at least insofar as this provision refers to entities other than financial entities, means that such an entity should not be classified as an ICT TPSP. Consequently, the relationship (contract) between such an entity and a financial entity will not itself give rise to obligations under DORA for the latter (arising out of this relationship). As indicated above, it is not entirely clear whether the same conclusion can be reached with respect to financial entities exempted under article 2(3) DORA which simultaneously provide ICT services to another financial entity within the meaning of DORA.
Secondly, there are doubts about the proper interpretation of the terms „micro[24], small[25] and medium-sized enterprise”[26]. It is true that each of these terms has its own legal definition specifying the number of employees and the annual turnover or balance sheet total that determine which category of enterprise we are dealing with. However, DORA does not explain at what point in time and over what period these prerequisites should be met. In principle, the key date is the date from which DORA applies, i.e. 17 January 2025. If, on that date, a financial entity referred to in article 2(2)(e) DORA does not meet the prerequisites of the provision (i.e. is not a micro, small or medium-sized enterprise), DORA will be applicable, and such an entity should, as of 17 January 2025, ensure compliance with DORA. In theory, for the purpose of interpreting and applying the definitions of micro, small and medium-sized enterprises as set forth in EU law, one could and even should refer to the Commission Recommendation[27] and the User’s Guide on the definition of SMEs[28]. However, DORA does not refer to these documents either in its provisions or in its recitals. In the meantime, there are legal acts in force that contain very detailed definitions of micro, small and medium-sized enterprises, and these are in fact based precisely on the aforementioned Commission Recommendation. Annex I to Regulation 651/2014[29] is an example. As a result, authorities and courts might argue that since in certain legal acts the EU legislator has explicitly introduced provisions based on the aforem (...)