DORA Is Now Applicable – Key Implications for ICT Service Providers

D&I Alert

The EU’s Digital Operational Resilience Act (2022/2554, “DORA”) became applicable on 17 January 2025. This regulation strengthens the digital resilience of the financial sector and addresses outsourcing risks, as previously detailed in our Quarterly article. While financial entities are the main focus of DORA, it also applies to ICT service providers providing services to the financial sector.

DORA affects ICT service providers both directly through specific requirements imposed on ICT providers and indirectly through its requirements on financial entities. The level of requirements is ultimately built on a risk-based approach. Consequently, to fully understand DORA’s impact on an individual ICT service provider, it is essential to assess the three categories of ICT Third-Party Service Providers (“TPP”) regulated under DORA and identify which category that service provider falls under.

TPP Categories and Key Implications

  • Critical ICT Third-Party Service Providers (“CTPP”):
    CTPPs are ICT service providers that have been explicitly designated as CTPPs by EU authorities based on, for example, such service providers’ limited substitutability, systemic impact on financial services, and key role for financial entities’ critical or important functions. CTPPs are directly subject to a stringent oversight framework under DORA. A lead overseer, one of the European Supervisory Authorities (ESAs), will be assigned to oversee these entities based on a separate assessment. According to the Finnish Financial Supervisory Authority (“FIN-FSA”), it is currently unlikely that any Finnish TPPs will meet the criteria for designation as a CTPP.
  • TPPs Supporting Critical or Important Functions:
    This category of TPPs, while not designated as CTPPs as described above, plays a vital role in supporting important or critical functions of financial entities. Financial entities are responsible for including stringent, highly specific contractual obligations in agreements with such TPPs to ensure the security and continuity of services. These TPPs may also be subject to Threat-Led Penetration Testing (“TLPT”) and audits conducted by competent authorities under DORA.
  • Other TPPs:
    TPPs not belonging to the above categories (i.e., TPPs supporting financial entities’ non-critical and non-important functions) will be subject to less stringent contractual obligations. Nevertheless, financial entities must still ensure that these TPPs commit to certain obligations. For example, DORA does not necessarily require audit rights for competent authorities regarding such TPPs but emphasises a general obligation of cooperation. For this category of TPPs, the NIS2 Directive’s requirements for the Digital Infrastructure and ICT Service Management (B2B) sectors* (as specified in Annex I of the NIS2 Directive) constitute the primary obligations, to which financial entities should contractually bind their TPPs.

DORA introduces significant changes for ICT service providers offering services to financial entities. To ensure smooth negotiations and cooperation between the ICT providers and financial entities, it is essential for both sides to understand the key aspects of the new regulatory framework and its implications and constraints for different types of ICT providers. Negotiations become more straightforward when both parties understand the minimum expectations for their respective roles.

We are happy to discuss the implications of the requirements. For further information and advice, please contact the Head of our Data Protection & Cyber Security practice group, Jukka Lång.

* For more information on the requirements applicable to Digital Infrastructure and ICT Service Management (B2B) sectors, see Commission Implementing Regulation (EU) 2024/2690.
