Your DORA questions answered – Extraterritoriality and interaction with existing rules

This last in a series of six articles covering a practical session organised by Ashurst focuses on how DORA will interact with existing rules, as well as its extraterritorial effects.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that, with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the regulatory technical standards (RTSs) – remain incomplete. As a result, much of the advice, even from experts, remains couched in conditional language. The team was very sympathetic to the pent-up frustration of those who will be responsible for ensuring their institutions are DORA compliant, a frustration apparent in both the number and the tenor of the questions posed.

We have tried to summarise the Ashurst team's answers to each of the questions tackled during the session. The Ashurst team very helpfully organised the questions into broad thematic categories, which are reflected in a series of bite-size articles.

2. ICT services in scope
4. ICT third party contracts
5. Business resilience

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions.

What are your views on the extraterritorial scope of DORA, for example to what extent you see DORA applying to non-EU subsidiary / parent entities of EU financial entities?

DORA applies on an individual entity level. But there are some considerations that are relevant at a group level as well. The ICT strategy, for example, must be set at a group level. So while a non-EU regulated entity may not be directly captured, some aspects of DORA will apply where they must be considered at a group level.

Does DORA catch non-EU parent entities with EU regulated subsidiaries, where all IT services are provided by / contracted through the non-EU parent?

DORA applies to EU entities, but a parent may be brought in as an ICT service provider delivering a critical function through the sub-contracting and sub-outsourcing provisions. The EU entity may also need to consider looking ‘behind’ the parent at the ICT sub-contractors feeding into the parent.

How far down the chain should the EU entity look to comply with DORA, for example sub-contracting chains?

The answer is ‘you don’t stop’! However, this is not quite right, because at some point the chain becomes so fragmented that a failure no longer affects the service in a material way.

Helpful here is the register of information RTS, which requires an entity to list the chain of sub-contractors up to the last material sub-contractor. There is some uncertainty around this at the moment, and there is hope for some movement, or at least more specificity, on this in the final RTS in July.

What is the relationship between NIS2 and DORA, and similarly will DORA supersede EBA/ESMA requirements?

There was some hope that DORA would replace the existing rules and interpretive guidance. But it looks like the existing rules and guidance will remain in place. The regulatory intent is to line all of the rules up, but this remains a known problem at the moment and is likely to remain one in the short term at the very least.

Fortunately, there is already some alignment between DORA and existing regulations on outsourcing. Some firms are already subject to incident reporting obligations, for example under the Payment Services Directive, and will be familiar with such requirements.

There is some hope on the horizon because a draft ITS statement has been published which says that the intent is to ensure a “reasonable” level of consistency, and the EBA has also indicated that its guidelines will be revised to take DORA into account.

Is there a view on how many third-party service providers will be deemed to be CTPPs (and to what extent the list will be similar in the EU and the UK), who is likely to be on that list, and when designation will take place?

The regulators are holding their cards close to their chest on this. It’s not going to be a big surprise to see the cloud providers on the list.

However, it is likely that the number of CTPPs will be limited, perhaps a handful or in single digits initially, until the new regulatory regime beds in. Certainly the regulatory capacity in the UK to deal with the more onerous requirements that follow from a provider being designated a CTPP is limited. But European regulators may well take a different tack.

For firms, the fact that only a limited number of providers will be designated as CTPPs should not change how they interact with those third-party service providers. There might be more flexibility in respect of designated CTPPs over time, but currently this does not alter the requirements and should not affect implementation projects.