If you are a provider of Information and Communication Technology (ICT) services and offer your services to companies operating in the financial sector in the European Union (EU) then you may want to brace yourself for the upcoming Digital Operational Resilience Act (DORA).
The DORA aims to establish a comprehensive digital operational resilience framework with rules for regulated financial service providers in the EU. Banks, investment firms, clearing houses, insurers, fintechs and other companies in the financial sector (‘financial entities’) in the EU will have to apply strict standards to prevent and limit the impact of ICT-related risks. ICT providers in Switzerland and globally that offer their services to financial entities in the EU will likely be impacted, whether they are unaffiliated third parties or group companies affiliated to an EU financial entity.
In September 2020, the European Commission published the draft Digital Operational Resilience Act (DORA) as part of its larger digital finance package. The legislative proposal largely builds on initiatives introduced by various European regulators and combines them in one regulation. DORA shifts the focus from only guaranteeing the financial entity’s financial resilience to also ensuring they can maintain resilient operations through an incident of severe operational disruption.
The need for legislative action follows from the financial sector's ever-increasing dependency on software and digital processes, which was recently intensified further by the Covid-19 crisis, ranging from remote access from the home office to payment services and all sorts of complex financial services. This also means that ICT risks are inherent in finance.
DORA and its impact on Swiss financial entities and ICT service providers
Under the DORA a number of obligations, restrictions and further rules apply, in particular:
a) requirements applicable to financial entities in relation to:
b) requirements in relation to the contractual arrangements concluded between third-party ICT providers and financial entities and certain restrictions when working with third-party ICT service providers established outside the EU;
c) an oversight framework for certain “critical” third-party ICT providers when providing services to financial entities; and
d) rules on cooperation among competent authorities and rules on supervision and enforcement in relation to all matters covered by DORA.
The DORA in its current draft version explicitly imposes certain additional duties on EU financial entities when they work with ICT providers located in countries outside the EU (including Switzerland). In fact, the DORA is likely to impact both ICT providers and financial entities in Switzerland:
It is currently unclear what legal sanctions apply in the event of a violation of the law (according to the draft, this is largely left to the member states) and this will most likely not have a direct impact on Swiss companies. However, in order to remain competitive, Swiss ICT providers will inevitably have to adopt certain requirements.
Trialogue negotiations will take place shortly between the European Commission, European Parliament and Council which will lead towards the publication of a final draft. The DORA is currently expected to enter into force around Q4 2022 or Q1 2023. Considering the 24 months’ transition period (according to the current draft version) the requirements would have to be implemented by Q4 2024.
Swiss ICT providers should now get familiar with the DORA requirements, assess to what extent they will be impacted and kick off a project to get DORA ready by Q4 2024.
PwC supports companies in respect of an impact assessment and the effective and pragmatic implementation of a DORA compliance program.