Your DORA questions answered – Business resilience more broadly

This, the fifth in a series of articles covering a practical session organised by Ashurst, focuses on business resilience questions connected to DORA.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that, with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the technical standards (RTSs) – remain incomplete. As a result, much of the advice, even from experts, remains couched in conditional language. The team was very sympathetic to the pent-up frustration of those who will be responsible for ensuring their institutions are DORA compliant, which was apparent in both the number and the tenor of the questions posed.

We have tried to summarize the Ashurst team’s answers to each of the questions tackled during the session. The Ashurst team very helpfully organised the questions into broad thematic categories that are reflected in a series of bite-size articles.

2. ICT services in scope
4. ICT third party contracts
6. Extraterritoriality and existing rules

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions.

If an ICT third-party service provider has ISO 27001 certification, can this be used as the “most up-to-date and highest quality information security standards” and thus cover this off in a simple paragraph in the contractual provision requirements – instead of having to go through copious questionnaires from the financial entity client and lengthy reviews of the prescriptive RTSs?

Yes, in terms of it being a standard considered to be high quality and up to date. The ISO standard is a good start and may be considered a ‘minimum standard’. But it would be difficult to simply rely on the ISO certification without providing the additional information that is required under DORA and the RTSs. There is a possibility, though, that this tactic may work for the lower-risk echelon of providers.

To what extent should management companies / AIFMs check the ICT procedures and processes of their delegated portfolio managers and / or investment advisers for the purposes of the DORA?

According to the team the key question to ask is: Do you consider the relationship with the portfolio manager to be the provision of an ICT service or does that delegation / appointment support a critical function?

If the relationship does not constitute one which involves ICT services or outsourcing then it is not caught in the DORA regulatory net and is not caught on the EBA ‘hook’ either.

However, if the portfolio manager is a critical part of the delivery of the service to a client, then firms should at the least ask about DORA compliance.

Also, according to the team, this question is not just one to ask in the future, because it is almost certainly connected to existing regulatory obligations. As an AIFM or another manager you already have fiduciary responsibilities in connection with overseeing your delegated portfolio managers. And as part of those duties you need to ensure that they comply with those regulatory obligations.

Also worth pointing out is that if the portfolio manager relies on a financial entity’s systems then the relationship may well be caught from the other side – in other words because they are subject to DORA they will need to consider their providers including the financial entity!

Is there an expectation that firms who have a critical vendor book have backups in place, e.g. investment platform firms that use a single firm for all their credit/debit card transactions?

This is both a practical challenge as well as a key question for firms.

The general regulatory expectation is that a firm relying on a third party should consider back-up procedures, including substitute parties and severe outages. However, it is unrealistic to have a back-up provider for every single service because it is too expensive and impractical. Third parties are not prepared to enter into contractual negotiations for a hypothetical situation. So although the requirements exist around back-ups, proportionality is critical in connection with these.

And the answer in many instances may well be not an alternative provider but an alternative procedure, with some creative thinking by internal teams required here.

You have to think it through in terms of risk / benefit analysis to the organisation, but planning ahead of time is key and having contingency plans in place is critical.

What is your interpretation of Article 12 (for example physically and logically segregating ICT systems used when restoring backup data)?

There have been no detailed answers from ESMA on this. However, BaFin has suggested that the backup data should be stored at least 4km away from the primary data location. Other regulators may have their own stipulations, but the key point is that there must be physical separation between system locations.

GRIP comment

Thinking creatively and focusing on alternative processes rather than a potentially never-ending series of back-up systems is good practical advice, particularly in scenarios where a back-up system provided by an external party is simply not practically feasible.

The focus of any discussion on backups should be the resilience of the financial entity and its ability to swiftly recover from an ICT-related incident, and this can be by way of redundant capacity and facilities in addition to backups. (DORA, Article 10)