The EU’s Digital Operational Resilience Act (2022/2554, “DORA”) became applicable on 17 January 2025. This regulation strengthens the digital resilience of the financial sector and addresses outsourcing risks, as previously detailed in our Quarterly article. While financial entities are the main focus of DORA, it also applies to ICT service providers that provide services to the financial sector.
DORA affects ICT service providers both directly through specific requirements imposed on ICT providers and indirectly through its requirements on financial entities. The level of requirements is ultimately built on a risk-based approach. Consequently, to fully understand DORA’s impact on an individual ICT service provider, it is essential to assess the three categories of ICT Third-Party Service Providers (“TPP”) regulated under DORA and identify which category that service provider falls under.
TPP Categories and Key Implications
- Critical ICT Third-Party Service Providers (“CTPP”):
CTPPs are ICT service providers that have been explicitly designated as CTPPs by EU authorities based on, for example, such service providers’ limited substitutability, systemic impact on financial services, and key role for financial entities’ critical or important functions. CTPPs are directly subject to a stringent oversight framework under DORA. A lead overseer, one of the European Supervisory Authorities (ESAs), will be assigned to oversee these entities based on a separate assessment. According to the Finnish Financial Supervisory Authority (“FIN-FSA”), it is currently unlikely that any Finnish TPPs will meet the criteria for designation as a CTPP.
- TPPs Supporting Critical or Important Functions:
This category of TPPs, while not designated as CTPPs as described above, plays a vital role in supporting important or critical functions of financial entities. Financial entities are responsible for including stringent, highly specific contractual obligations in agreements with such TPPs to ensure the security and continuity of services. These TPPs may also be subject to Threat-Led Penetration Testing (“TLPT”) and audits conducted by competent authorities under DORA.
- Other TPPs:
TPPs not belonging to the above categories (i.e., TPPs supporting financial entities’ non-critical and non-important functions) will be subject to less stringent contractual obligations. Nevertheless, financial entities must still ensure that these TPPs commit to certain obligations. For example, DORA does not necessarily require audit rights for competent authorities regarding such TPPs but emphasises a general obligation of cooperation. For this category of TPPs, the NIS2 Directive’s requirements for the Digital Infrastructure and ICT Service Management (B2B) sectors* (as specified in Annex I of the NIS2 Directive) constitute the primary obligations, to which financial entities should contractually bind their TPPs.
DORA introduces significant changes for ICT service providers offering services to financial entities. To ensure smooth negotiations and cooperation between the ICT providers and financial entities, it is essential for both sides to understand the key aspects of the new regulatory framework and its implications and constraints for different types of ICT providers. Negotiations become more straightforward when both parties understand the minimum expectations for their respective roles.
We are happy to discuss the implications of the requirements. For further information and advice, please contact the Head of our Data Protection & Cyber Security practice group, Jukka Lång.
* For more information on the requirements applicable to Digital Infrastructure and ICT Service Management (B2B) sectors, see Commission Implementing Regulation (EU) 2024/2690.