On January 17, 2024, the European Supervisory Authorities (ESAs) released the initial set of final draft technical standards under the Digital Operational Resilience Act (DORA). This publication follows a public consultation conducted by the ESAs last year.
DORA stands as one of the most significant legislative frameworks for the European financial sector, with the aim of mandating operational resilience standards for financial institutions and their primary suppliers.
The recently issued final draft Regulatory Technical Standards (RTS) entail mandates for financial institutions to prepare for and mitigate the repercussions of supplier failure and the insolvency of third-party ICT service providers. This encompasses the development of comprehensive business continuity plans and demonstrably successful stressed exit plans. Financial institutions and their critical suppliers operating within the EU are required to ensure compliance by January 17, 2025.
As outlined in the draft RTS, all regulated financial service entities operating within Europe must establish and routinely test comprehensive business continuity plans for insolvency and failure scenarios. These plans must encompass all critical services, including cloud applications, and undergo annual testing to verify their efficacy in ensuring business continuity.
Article 25, section 2.b underscores the significance of testing ICT business continuity plans to ensure the continuity of critical or important functions within financial entities. Financial entities are required to assess, through testing, whether they can maintain the continuity of their critical or important functions: including testing the ICT services provided by third-party service providers, where applicable.
Article 26, section 2.b delineates requirements for the development of ICT response and recovery plans to prepare for and mitigate the impact of third-party service provider insolvency or failure. These plans should identify relevant scenarios, including those involving severe business disruptions and an increased likelihood of disruption occurrence.
To adhere to these guidelines, financial institutions should establish stressed exit plans for all significant suppliers. A stressed exit refers to contract termination due to service provider failure or insolvency, which is more unforeseen than a non-stressed exit motivated by commercial or strategic reasons. Stressed exit strategies are integral elements of business continuity plans, ensuring the continuous provision of critical services and mitigating disruption impacts on the entity, its clients, and the broader financial market.
Many global financial regulators recognise escrow solutions as vital components of stressed exit plans. By implementing Escrow agreements and Verification with all third-party software suppliers, institutions reliant on outsourced software gain access to the necessary resources for rebuilding and maintaining critical software. This ensures operational continuity in the event of software vendor insolvency or failure.
When managing and mitigating the potential impact of disruptive events, such as the insolvency of a key supplier, Escrow agreements represent the sole proportional, tried, and tested method on the market capable of providing assurance that critical functions will be sustained.
Nicholas Frasse-Sombet, EU Sales Director, comments:
"The deadline is tight, with a crucial emphasis on understanding that intragroup outsourcers are within scope. While the application extends to critical ICT third-party service providers (CTPPs), the defined list will be announced later this year. Despite escrow not being directly named as in SS2/21, MAS and OCC recognise escrow as the sole proportional solution exceeding DORA requirements. Notably, DORA mandates testing insolvency scenarios, a unique provision not seen in other global regulations. Regulated entities must prioritise addressing these risks to meet the deadline, avoiding past mistakes and objections, including contractual, proportionality, and technical limitations."