Paulina Twarogal
Agata Tomasik
The Digital Operational Resilience Act introduces new rules for financial institutions and third-party ICT service providers. These organizations must be able to withstand, respond to, and recover from operational disruptions. This is particularly important in the context of IT outsourcing, where financial institutions rely on outsourcing critical and important functions.
Read on to understand how financial institutions and IT outsourcing providers must adapt their outsourcing practices to comply with DORA, what measures must be taken, and what key risks and challenges both parties can face.
Key takeaways:
- DORA sets strict rules for financial institutions and IT providers to keep operations secure and reliable. Institutions must carefully manage risks, establish clear contracts, and closely monitor third-party services.
- Adapting to DORA’s standards presents various risks like over-reliance on single vendors, cybersecurity vulnerabilities, inadequate incident reporting, data protection violations, and geopolitical challenges.
- Financial institutions have to assess and diversify their IT outsourcing partners. Meanwhile, IT providers must prioritize strong security measures and clear reporting.
DORA and outsourcing IT services
Outsourcing IT services has become a common practice for financial entities and has grown significantly in recent years. Such entities typically outsource:
- cloud services;
- data management solutions;
- data analytics services;
- fintech software development services;
- and other technical support.
While outsourcing IT services brings a wide range of advantages, it also carries certain risks, such as data breaches, service disruptions, or system failures. The European Central Bank (ECB) tracks these risks based on the European Banking Authority’s (EBA) guidelines.
Given the EU’s relatively strict data protection regulations, it’s important to highlight that:
- Around 70% of outsourcing contracts involve the processing of personal data.
- Over 70 major banks outsource critical functions to providers outside the EU.
The Digital Operational Resilience Act sets the foundation for operational resilience in the EU financial sector and includes strict regulations for IT outsourcing.
Would you like to learn more about DORA and its key requirements? Read our main guide on the Digital Operational Resilience Act for more insights and compliance strategies.
How does DORA impact IT outsourcing?
Both the financial institution and the IT outsourcing provider are responsible for ensuring that the IT services provided are secure and resilient. The vendor is responsible for keeping their own systems safe and reliable. However, it’s the financial institution that is ultimately in charge of making sure their entire business, including the parts handled by the IT provider, is protected from disruptions.
So, if a breach or disruption occurs, both parties may face serious consequences. The financial institution could suffer financial losses, reputational damage, and regulatory penalties. The IT provider, on the other hand, may be liable for damages, face legal action, and even lose business.
Regulatory requirements of DORA for partnering with IT outsourcing providers
Both financial institutions and IT providers have specific regulatory obligations when outsourcing IT services.
Risk assessment
Financial organizations have to manage IT and cybersecurity risks both internally and externally. Under DORA, they are required to establish a strong ICT risk management framework. This framework helps them govern IT systems effectively and ensure data security, integrity, and resilience.
This responsibility extends to outsourced IT services, where financial institutions must also evaluate and manage the risks associated with third-party vendors. When outsourcing, they should conduct thorough due diligence on vendors, assessing their:
- security measures;
- operational resilience;
- and ability to recover from ICT disruptions.
Just as internal IT systems are monitored and governed under DORA, outsourced providers must meet the same standards of risk management to ensure the institution’s overall operational resilience.
By integrating robust internal governance with careful vendor evaluation, institutions can ensure their entire IT ecosystem—whether in-house or outsourced—meets the security and operational requirements of DORA.
Contractual requirements and clauses
The Digital Operational Resilience Act requires financial institutions and IT outsourcing providers to have clear, detailed contracts to easily manage risks and ensure operational resilience.
These contracts need to:
- Clearly define the roles and obligations of both the financial entity and the ICT provider. All responsibilities should be documented in an agreement that’s easily accessible for both parties.
- Outline clear service level descriptions, including performance metrics, response times from the IT provider, and data security measures. These SLAs must also be regularly updated.
- Specify the geographical regions or countries where services are provided and data is stored.
- Guarantee the institution the right to access, recover, and return its data in case of provider insolvency, termination, or service discontinuation.
- Address the confidentiality, integrity, and authenticity of data, including personal data.
- Ensure the provider’s support in case of major ICT-related incidents, either at no extra cost or a predetermined cost.
- Include clear terms for termination and ensure smooth transitions to other providers.
For contracts that cover critical or important functions, providers need to:
- Inform the financial institution of any changes that could significantly affect their ability to deliver services.
- Create and test plans to ensure that services continue smoothly, even in emergencies, following regulatory standards.
- Fully participate in tests designed to assess the security of their IT systems against potential threats.
- Give financial institutions the right to audit and inspect the provider’s performance and IT systems, including reviewing critical documents and conducting on-site checks.
Continuous monitoring and incident reporting
To manage IT outsourcing well, it’s important to keep a close watch on performance and quickly report any issues. There are a few crucial things to bear in mind.
Monitoring and reporting:
- Financial institutions need to keep a detailed register of all their IT outsourcing arrangements. This lets auditors, including internal auditors, monitor these arrangements and assess the risk of relying too much on a single provider.
- It’s also important to regularly check how well the service provider is performing, how secure their systems are, and whether they’re following the rules.
Incident reporting:
- IT outsourcing providers must report major IT problems, like cyberattacks or service disruptions, to both the financial institution and the relevant regulators. Under DORA, they must notify authorities within four hours of identifying a major incident, and no later than 24 hours after detection. A follow-up report is required within 72 hours, with a final report due within one month.
Testing and audits:
- Providers should regularly test their IT systems to make sure they’re secure and reliable. Audits should confirm they’re following the rules. What’s also crucial is to monitor any third parties or subcontractors they partner with, as they might introduce hidden risks.
Oversight of critical third-party providers
For critical ICT providers—those whose failure would seriously disrupt financial services—DORA requires special oversight. The regulation introduces the role of the Lead Overseer, a regulatory body that supervises the relationships with critical IT providers. Financial institutions that rely on these critical providers must:
- work closely with the overseer;
- share necessary information;
- and ensure the provider meets all DORA requirements.
While financial institutions are tasked with managing their internal and external ICT risks, the Lead Overseer offers an additional layer of supervision for the most critical providers. This helps to reduce the risk of disruptions and reinforces the financial system’s overall stability and security.
Key risk areas of IT outsourcing
In IT outsourcing, both financial entities and IT providers face significant risks that might impact their business and stability. Understanding and managing these risks is key to resilience, regulatory compliance, and strong client relationships.
Over-reliance on single vendors
Financial institutions are exposed to concentration risk when they depend too heavily on one IT provider. If that provider experiences a failure or disruption, it can impact the business severely. To mitigate this risk, financial organizations should diversify their IT outsourcing partners.
The same applies to IT providers. Serving multiple banks can stretch their resources and attention. Without strong service continuity plans, any disruption can have disastrous consequences and increase the risk of reputational damage.
Cybersecurity vulnerabilities
About 50% of outsourcing contracts involve time-critical activities that are essential to the bank’s operations. Among these, 20% are hard to bring back in-house if needed, and 5% can’t be easily replaced by other providers. This means that if there’s a cybersecurity issue, like a data breach or ransomware attack, it could cause major disruptions to these critical activities. Such disruptions threaten the bank’s operations and the security of its customer data.
IT providers that fail to implement adequate cybersecurity measures may face substantial financial and reputational damage. A breach affecting a bank could result in loss of clients and legal repercussions.
Geographical and political risks
Financial entities face risks when they outsource IT services to providers outside the European Union. More than half of the banks use non-EU providers, and about 22% of their critical functions and extra services are handled by companies in non-EU member states. Relying that much on non-EU providers can expose financial institutions to geopolitical risks and potential service disruptions due to political instability or regulatory differences in these regions.
Similarly, IT providers in such areas face higher risks of service interruptions, leading to client dissatisfaction and potential loss of contracts.
Inadequate incident reporting
Delays in incident reporting are a major issue. They can prevent financial entities from effectively managing damage from IT disruptions or significant cyber threats. This can result in operational downtime and increased financial losses.
For providers, not reporting ICT incidents promptly can harm their reputation and lead to contract terminations and legal issues. Immediate and clear reporting protocols are critical for client trust and incident management.
Data protection violations
Ensuring data protection remains a critical challenge. Failing to do so leads to high fines and legal actions, putting banks at risk of reputational damage and customer loss. That’s especially true given that around 70% of all outsourcing contracts involve the processing of personal data.
IT providers must ensure full compliance with data protection laws to avoid severe legal and financial consequences and maintain positive relationships with their banking clients.
Mitigation strategies for financial institutions and ICT providers
To manage IT outsourcing properly, financial institutions and ICT providers must have robust mitigation strategies. Let’s take a closer look at the steps they should take:
[Table: mitigation strategies, with one column for financial institutions and one for IT outsourcing providers; the cell contents were not preserved.]
Neontri as a fintech partner for DORA compliance
Neontri is a reliable partner for organizations looking to comply with the Digital Operational Resilience Act. We offer a range of services designed to help businesses meet the new regulations:
- Adapting systems and procedures: We assist in updating systems and operational procedures to align with the latest DORA requirements.
- Automating compliance and audits: Neontri helps automate regulatory updates and conduct ongoing compliance audits to ensure organizations are always ready to meet DORA standards.
- Employee training: To increase awareness of security and compliance, we offer tailored employee training sessions. These cover important topics such as IT risk management, incident response procedures, and best practices in cybersecurity.
- Data protection and privacy: Neontri supports the implementation of robust data protection policies and ensures GDPR compliance to safeguard client data. Our encryption mechanisms and access management tools minimize the risk of unauthorized data access.
- Testing for resilience: DORA requires regular testing of systems for resilience against disruptions and failures. Neontri organizes scenario-based and stress tests to evaluate how IT systems respond to failures, cyberattacks, or service interruptions. Moreover, we develop disaster recovery strategies and business continuity plans to prepare organizations for unexpected disruptions.
Ready to ensure your organization’s compliance with DORA? Contact Neontri to discover how we can support your journey toward operational resilience and regulatory success.
Conclusion
DORA aims to make financial institutions more resilient and secure by introducing strict rules for IT outsourcing. Financial entities and IT outsourcing providers must work together to manage risk and stay compliant. By implementing thorough assessments, clear contracts, and monitoring, they can overcome the outsourcing challenges and secure their operations.
FAQ
How does DORA impact the outsourcing of IT services in the financial sector?
DORA sets strict rules for IT outsourcing. Financial institutions must ensure their providers are secure and reliable. This EU regulation enforces strict rules for monitoring, contract management, and incident reporting to maintain stability.
What are the key challenges financial entities face when complying with DORA’s outsourcing requirements?
Financial entities often find it difficult to manage and monitor multiple IT providers. They also struggle with creating detailed contracts and handling complex reporting and data protection requirements.