Will DORA make cooperation between business and Software House difficult?

We wrote about DORA, or the Digital Operational Resilience Act, in an earlier post: “Watch out, DORA is coming. Will it shake up the financial sector?”, where we presented the biggest changes that the regulation will introduce to the functioning of European financial institutions (and of ICT service providers, even those headquartered outside the EU). However, it is worth going a step further and considering how the new regulations will affect cooperation between the financial industry and technology companies (including Software Houses). Can anyone already say that they are ready for the arrival of DORA, and how can this be verified if necessary?

At the outset, we would like to point out that one of the aims of DORA is to regulate ICT policy and rules at European Union level. This responds to the inconsistency of legal requirements between Member States, which exposes financial institutions operating cross-border to the risk of having to comply with multiple sets of regulations in this area. For this reason, the starting point for DORA will differ from country to country, depending on each one's existing domestic regulations. The following text is written mainly from the Polish perspective and may not reflect the reality of our European neighbours (including the United Kingdom, which has left the EU but whose domestic entities many financial institutions still cooperate with).

However, there are elements common to every Member State and to non-EU companies that will want to do business in Europe in the future. We therefore invite you to read on and share your own perspective on our LinkedIn.

The article is particularly important from the perspective of: credit, payment and electronic money institutions; crypto-asset service providers and issuers; asset-linked token issuers; central securities depositories; insurance and reinsurance companies; crowdfunding service providers; and all third-party ICT providers.

Is Poland ready for the DORA regulation? 

At the outset, an important point must be raised: Poland is recognised as one of the leaders in the development of digital banking channels and the digital transformation of the financial sector. For example, PKO Bank Polski won the Finnoscore 2020 ranking, becoming the European leader in digital banking, and as many as 95% of banking leaders have already implemented advanced cloud services. At the same time, the financial sector is one of the most heavily regulated by domestic rules, whose task is to ensure the security, stability and transparency of the financial market in Poland.

The financial sector's modern approach also means strict cybersecurity regulations. Developed risk management strategies, prompt reporting of security incidents, resilience testing, readiness for audits and inspections: none of these is news to financial entities or to the technology companies cooperating with them, especially software houses working on key IT systems.

Interestingly: Polish technology companies with experience in cooperation with the financial sector can be potential partners for foreign entities in this industry. Polish law already takes a restrictive approach to the security and supervision of ICT services, so DORA and its regulations won't come as a particular surprise for our region.

Will the new regulations bring some co-operations to an end? 

DORA highlights several important aspects of the contracts that financial entities conclude with ICT service providers. According to the regulation, the problematic issues are:

  • Financial industry companies often face problems negotiating contractual provisions that match the actual regulatory requirements the sector is subject to;
  • Service providers are reluctant to agree to contractual provisions allowing access to, or audit of, the activities carried out. Even if the contract provides for such a procedure, enforcing it is a problem;
  • Supplier contracts do not provide sufficient guarantees regarding the monitoring of the work and processes taking place, so financial companies cannot assess the related risks;
  • External ICT service providers often provide standardised services to multiple partners, so their contracts may not be tailored to the individual needs of the financial sector.

The regulation will therefore require that the rights and obligations of the financial entity and of the external ICT service provider are clearly set out in writing. DORA also sets out the minimum content of such a document, including, inter alia, aspects such as:

  • A complete description of all functions and services to be provided by the third-party service provider;
  • An indication of the locations where the functions and services will be provided, as well as where the data will be processed;
  • Provisions on access, availability, integrity, security and protection of personal data, and guarantees of access, recovery and return of data in the event of the external ICT service provider's failure;
  • Complete service level descriptions with quantitative and qualitative performance targets;
  • Notice periods and reporting obligations of the external ICT service provider;
  • An obligation for the external ICT service provider to provide assistance, free of charge, in the event of an ICT-related incident;
  • The right to monitor the performance of the external ICT service provider on an ongoing basis;
  • The right of withdrawal and the associated minimum notice period, as well as exit strategies.

Will the new restrictions DORA imposes on contracts be a reason to end current engagements or not to enter into new ones in the future? Given the contractual problems described above, which, according to the regulation, affect the financial sector, this could be expected. Until now, the terms were a matter of agreement between the partners; once the new regulations come into force, ICT service providers will either accept the imposed obligations and amend their existing contracts, or financial institutions will have to terminate their cooperation with them (or rule them out at the start of their search).

Our point of view: “As a Software House experienced in cooperation with the financial industry, we don't see any threats in the new guidelines for contracts and in respecting the rights of financial entities to audit, control and risk assessment that result from the cooperation. Working with banking and insurance systems, most of the above-mentioned elements were previously regulated by contracts, and the possible supplementation of the provisions with guidelines resulting from DORA should not be a problem in the future.”

Piotr Pisarek, Head of PMO Team

DORA and ISO 27001 

The DORA regulation will impose obligations on companies from the financial sector aimed at more effective and better-informed management of ICT-related risk. In particular, the new guidelines cover aspects such as digital operational resilience testing and the management of risk arising from external service providers. And since financial entities will remain responsible at all times for complying with their DORA obligations, they need to be sure that their suppliers also adhere to the guidelines and ensure an adequate level of digital security.

Undoubtedly, one element of this approach is ensuring information security. Many technology companies (and others) have for several years been consciously investing in the protection of their information assets and in appropriate control mechanisms. The guarantee of such activities is the implementation of the international standard ISO 27001 (ISO/IEC 27001). The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. It also provides guidance on how to assess and treat the risks associated with the security of information assets.

With the entry into force of DORA, ISO 27001-certified ICT providers may become the first choice for companies in the financial sector. The certificate confirms that the provider supervises its information processing and is prepared to act in the face of a security incident.

ISO 27001 certificate: The implementation of the ISO 27001 standard guarantees that the organisation has properly identified information security threats and has introduced appropriate preventive measures. For the financial sector, this is a confirmation that the partner meets its legal requirements and that information assets are well protected.

DORA and cloud computing 

In the case of legal regulations, cloud services always raise the most ambiguities and doubts. Cloud computing is by nature distributed, which makes it difficult to define precisely where personal data are processed. Nevertheless, banking and other branches of the financial sector already operate in the cloud to a large extent, and statements by board members of various companies and institutions indicate that the industry sees its future there.

In the face of the new regulations, it is worth looking at the official positions of the largest public cloud providers on DORA. AWS Cloud, Google Cloud and Azure Cloud have all issued statements, and in each of them we find assurances that their cloud services comply with the security guidelines DORA will impose. As the texts show, each provider assesses the assumptions behind the regulation positively, seeing it as an opportunity to accelerate the digitisation of the EU financial sector and improve the region's digital resilience.

AWS, Azure and Google Cloud all emphasise that their infrastructure and the tools they provide are ready to support the financial sector, and that their contracts are tailored to the specific needs of enterprises in this industry, including the possibility of audits and regulatory inspections.

Situation in Poland: The Polish financial sector is supervised by the KNF Office (Polish Financial Supervision Authority), which in 2020 issued a special Communication on the processing of information by supervised entities in a public or hybrid cloud. The document strictly defines the rules under which the financial sector can use cloud services, without blocking further development in this direction, but rather setting out regulations on the supervision and security of the services provided. The provisions largely coincide with the assumptions of DORA (also in terms of concluding contracts), which will certainly make it easier for Polish financial sector companies and their technology partners to adapt to the new regulations.

DORA and the choice of an ICT provider 

From the business point of view, once the DORA regulation enters into force, one of the most important aspects of outsourcing ICT services will be the choice of a trusted and experienced partner. Some technology companies may not be ready for the requirements DORA will impose on the financial industry, or may not be aware of the obligations resulting from the regulation.

Therefore, if in the near future you plan to use support in creating, developing or maintaining systems and applications (including cloud-native applications and other cloud services), remember to check whether your potential partner has:

  • The ISO 27001 standard implemented;
  • Previous experience in cooperation with the financial industry;
  • Partner certificates from cloud service providers;
  • Individually prepared contracts that provide for audit and control.