DORA Regulation: What’s the Difference Between Outsourcing and ICT Third-Party Providers?
The Digital Operational Resilience Act (DORA) has raised questions about how arrangements with ICT third-party providers relate to outsourcing. DORA does not set out to redefine outsourcing, and it should not be read as changing existing outsourcing practices or the sectoral outsourcing rules that already apply to financial entities.
However, the contractual arrangements with ICT third-party providers that DORA governs go beyond traditional outsourcing arrangements. DORA attaches to the use of ICT services as such, so it covers a broader set of contracts, including contracts that would not qualify as outsourcing under the existing sectoral outsourcing rules. In practice, a financial entity should inventory all of its contracts for ICT services, not only those already flagged as outsourcing.
Who is Considered the Management Body?
The management body of a financial entity is the body that sets the entity's strategy, objectives and overall direction and that oversees and monitors management decision-making; it includes the persons who effectively direct the business of the entity. DORA does not introduce a new, standalone definition: the term is defined by reference to sectoral legislation, so financial entities should identify their management body under the sectoral rules applicable to them.
Threat-Led Penetration Testing (TLPT) and TIBER-EU Framework
DORA distinguishes between the digital operational resilience testing that every in-scope financial entity must carry out and advanced testing by means of threat-led penetration testing (TLPT). Only the financial entities identified by their competent authorities are required to perform TLPT; that identification is based on impact-related factors, possible financial stability concerns and the entity's ICT risk profile. TLPT is performed against live production systems and must be carried out at least every three years.
- The TIBER-EU framework developed by the European Central Bank (ECB) is the established framework for threat-led, red-team style testing in the financial sector and is the model on which DORA's TLPT regime is built.
- The regulatory technical standards on TLPT will be developed by the European Supervisory Authorities (ESAs) in agreement with the ECB and in accordance with the TIBER-EU framework.
Reporting Mechanisms Under DORA
DORA provides for three distinct reporting mechanisms:
- Major ICT-related incidents (mandatory reporting)
- Significant cyber threats (voluntary notification)
- Major operational or security payment-related incidents
Financial entities will need to classify incidents against qualitative and quantitative thresholds that are still to be defined in an upcoming regulatory technical standard; until then, entities should make sure their incident management process records the information those thresholds are likely to depend on, such as the services and clients affected, the duration and geographic spread of the incident, and any data losses.
- The reporting and notification templates for both major ICT-related incidents and significant cyber threats will be developed by the European Supervisory Authorities (ESAs) as an implementing technical standard.
Relationship with Incident Reporting Under PSD2
DORA introduces a reporting mechanism for major operational or security payment-related incidents that applies to credit institutions, payment institutions, account information service providers and electronic money institutions. This mechanism exists because these entities were already subject to operational and security incident reporting under the Payment Services Directive 2 (PSD2); DORA brings that reporting into its own framework so that payment-related incidents are handled consistently with the ICT-related incident regime.
Preparation for DORA
To help authorised persons prepare for DORA, the Supervisory ICT Risk and Cybersecurity Function (SIRC) has released a series of DORA podcasts.
- Authorised persons are encouraged to send any DORA-related queries or suggestions to SIRC so that they can be addressed in future DORA podcasts.
- The points to understand first are the distinction between outsourcing and ICT third-party providers, the identification of the management body, the TLPT regime and the three reporting mechanisms under DORA.