With regulators increasingly scrutinizing IT and security risks for fintechs, host Joseph Kamyar invites Skadden colleague Susanne Werry for a discussion about the EU’s Digital Operational Resilience Act (DORA), which becomes effective next month.
The act is expected to compel financial entities and relevant technology providers to reexamine existing contracts, policies, procedures and governance arrangements. Susanne, Frankfurt-based counsel in the Cybersecurity and Data Privacy and Artificial Intelligence Groups, offers important takeaways as 2025 draws near. While some companies are well on the way to DORA compliance, she notes, others are in the early stages.
Name: Joseph Kamyar
Title: European Counsel, Corporate at Skadden
Specialty: “Fintech Focus” host and European counsel Joseph Kamyar advises on a wide variety of corporate transactions, including cross-border private mergers and acquisitions, fundraisings, joint ventures, corporate reorganizations and general corporate matters, with a particular focus on the financial services, technology and media sectors.
Name: Susanne Werry
What she does: Susanne Werry has extensive experience advising international and domestic clients on issues relating to cybersecurity, data privacy and artificial intelligence. Her work includes counseling multinational clients on strategic projects, crisis management, regulatory compliance and M&A transactions.
Organization: Skadden
Words of wisdom: “Some clients and lots of third-party providers in the markets are drawing up their DORA supplements to their contracts to address the stringent requirements and also to provide their customers with DORA packages, including information that the financial entities will request as part of their own extensive due diligence applications.”
Fintech Focus is a podcast by Skadden, Arps, Slate, Meagher & Flom LLP, and Affiliates. This podcast is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This podcast is considered advertising under applicable state laws.
Welcome to Fintech Focus, Skadden's podcast for Fintech industry professionals. The global regulatory and legal updates you need start now.
Joe Kamyar: Welcome back to Fintech Focus with me, Joe Kamyar. Today, we're looking at IT risks and fintechs, and joining me for this episode is Susanne Werry, one of our Frankfurt-based cybersecurity and data privacy experts. So Susanne, welcome to the podcast.
Susanne Werry: Thanks, Joe. Delighted to be here today.
Joe Kamyar: Great. So in terms of IT and security risks for fintechs, I think it's probably fair to say that it's an area that's come under increasing regulatory and legislative scrutiny over recent years. And Susanne, if we focus on Europe, the obvious example is the EU's adoption and implementation of the Digital Operational Resilience Act, which we will refer to as DORA, and that came into force in December of '22.
Very conscious there's been plenty of commentary on DORA to date, including various Skadden publications. But perhaps you could very quickly, Susanne, just remind listeners as to what DORA is aiming to achieve.
Susanne Werry: Yeah, absolutely. Thanks, Joe. I'm very happy to. So ultimately, DORA will have a significant impact on fintechs, both in their capacity as providers of financial services in the EU and also as third-party providers of technology services. Just at a very high level, DORA introduces a range of technology-related requirements which impact ICT risk management and monitoring, resilience testing and oversight, which may trigger financial entities and relevant technology providers to re-look at their existing contracts, policies, procedures, and governance arrangements, which will need to comply with these really strict new requirements.
Joe Kamyar: So you kind of called out two capacities there. So the first, DORA applies for providers of financial services, and then the second capacity is providers of technology services to financial entities. So why don't we start by looking at the first? What impacts are you expecting on firms in their capacity as financial entities?
Susanne Werry: Yeah, good question. So the key points to note for financial entities are some of the following. I will not list everything but just give some of the key points.
So financial entities are firstly expected to have an established ICT risk management framework, identifying all ICT-supported business functions and all sources of ICT risks, cyber security threats, and vulnerabilities. And those financial entities need to demonstrate continuous monitoring and control of their ICT systems and tools to provide ongoing protection from and prevention of harm. They also need to implement advanced digital operational resilience testing of their systems and also develop a threat-led testing approach.
Another key point is also the establishment of a third-party risk management function, which includes that the contracts with technology providers meet the requirements of DORA. The financial entities need to maintain a register of information related to those technology providers, and they need to implement a process for risk concentration management.
Some additional points to highlight: an incident classification and reporting framework for timely and accurate incident reporting to authorities; business continuity and IT service continuity plans; technical standards to comply with DORA. And the last, which is an extremely important point to also implement, is a clear governance structure with top management accountability for ICT risk management.
Joe Kamyar: Got it. I know when we've been talking to lots of our clients in the fintech space, there's been a lot of activity around and focus on DORA implementation over the past couple of months. So what sort of timelines are we actually looking at for implementing these requirements?
Susanne Werry: I would say yesterday, but really, jokes aside, the hard deadline for all of these requirements to apply is from 17th January 2025, so very close. The European Supervisory Authorities just a few days ago published another statement reminding financial entities of this timeline, and also highlighting that they expect entities to have the registers I just mentioned of the ICT third-party providers ready in that time for the competent authorities to meet their own reporting deadlines to the European Supervisory Authorities by the end of April. And another strong focus they communicated is on incident reporting.
Joe Kamyar: Okay, so that covers financial service providers. So turning to third-party technology providers, how does it look for them?
Susanne Werry: Yeah, so for technology providers, it's really important to consider both the direct and also the indirect impact flowing from DORA. And for fintech specifically, there's another key question under DORA: namely, whether a financial entity providing ICT-enabled financial service to another financial entity qualifies as an ICT third-party service provider.
So for example, think of a financial entity offering access to an online trading venue where the trading service itself is regulated. The integrated ICT components, like the mentioned engine or APIs, they blur the lines between financial services and an ICT service.
Joe Kamyar: Yeah, that's an interesting point. What is the current position?
Susanne Werry: So that is changing, actually, and it's up in the air. So initially, the European Supervisory Authorities stated that these integrated ICT functionalities wouldn't qualify as standalone ICT services under DORA. However, they revised their stance, suggesting now that further formal guidance would be issued after alignment with the European Commission. Meanwhile, industry groups have pushed back, urging regulators to confirm that regulated financial services should not fall under the ICT third-party service provider requirements.
Joe Kamyar: Definitely something to keep an eye on. Then I guess moving back to third-party providers more broadly, how does DORA affect technology providers?
Susanne Werry: So firstly, taking a look at the indirect impacts. So technology providers should be aware that there are DORA obligations that will be imposed on their financial services clients. So the service providers need to know them to be able to support these obligations if they want to continue providing services to these clients. To the extent to which the technology provider is supporting a critical and an important function at the client, that will determine the burden on the individual service provider.
Just to give a bit more flavor to that, so some of the key obligations that technology providers will need to support include: they need to ensure that relevant contracts contain the protections required under DORA. And the aforementioned register of information related to the technology providers, there are extensive due diligence obligations.
And to also better be prepared for third-party providers, some clients and lots of third-party providers in the markets are drawing up their DORA supplements for their contracts, to address the stringent requirements and also to provide their customers with DORA packages, including information that the financial entities will request as part of their own extensive due diligence obligations.
Joe Kamyar: Right, so that was the indirect impacts. How about the direct impacts?
Susanne Werry: Yeah, good question. So regulation for financial services isn't new. So different from previous regimes, for example, the EBA guidelines on outsourcing, under DORA, certain technology providers will be subject, also, to direct regulatory supervision by the European Supervisory Authorities when they are critical ICT providers.
Joe Kamyar: Understood. Next question: What do we mean by critical service provider?
Susanne Werry: Yeah, very good question. Very decisive question. So there are generally two steps to determine whether a service provider is a critical provider under DORA. Providers will qualify as critical if they serve 10% or more of the financial entities or support critical functions for major financial institutions, such as globally systematic important institutions or other systematically important institutions.
Additionally, ICT services supporting critical functions for significant financial market infrastructure or also multiple significant financial service providers also qualify for a consideration.
And as part of a second step, there is a more detailed qualitative assessment which uses additional criticality indicators. And they do not really have a minimum threshold but provide a deeper evaluation of the potential impact of the service discontinuation on the operations of the financial services firm. And such factors can include, for example, consequences of service disruptions or reliance on common subcontractors and also interdependencies.
So in the end, just to mention that these technology providers, they will be designated as critical based on those criteria I just mentioned by the ESF.
Joe Kamyar: Thanks, that's all clear. So how does the process and timeline look for designating these third parties as critical?
Susanne Werry: Yeah, again, important to know how the process works. So in essence, it's the following. National competent authorities, they collect that information and submit the information, including that information that they collect from the register of information on financial entities, contractual arrangements with the ICT service providers, and some additional data. And based on that information, the European Supervisory Authorities, they will then review this information and publish their designation decision.
The collection of the national authorities is going to take place until the end of March and April, depending on which data sets this is. And the decision from the ESA, who's going to be designated critical is expected for the second half of 2025.
Joe Kamyar: Okay, so I guess once you've got the designation in place, perhaps you could walk us through what obligations actually apply to critical providers.
Susanne Werry: Yeah, so each critical provider will have one European Supervisory Authority appointed as its lead overseer. Each of those must then ensure the critical provider is supervised, and these providers will need to have comprehensive and effective rules, procedures, mechanisms, arrangements to manage the specific ICT risks across financial entity clients. The authority's assessment will focus on the provider's ability to maintain robust operational resilience and recover, for example, risk management, governance and control, physical and security standards, incident reporting. Again, some operational resilience testing obligations, information sharing, and exit and transition methods.
So important to know in all of this is that the authorities are also empowered to audit any firms under their supervision, and the results of these audits will then form the basis of an annual oversight plan that the Authority will provide to each critical third party. And this will describe oversight objectives and action plans on an individual basis for each of these critical providers.
Joe Kamyar: Okay, so I guess I mentioned earlier that I'm seeing lots of activity around clients when it comes to DORA implementation, and I'm sure, and I know you've been very busy advising clients on it. So from your perspective, where in the process are companies currently, and what should they be thinking about now and in anticipation of implementing DORA next year?
Susanne Werry: So I would say many companies are already well in their DORA compliance projects, but there are still some that are in the early stages. So the more advanced companies, they face lots of challenges in meeting the January deadline. This is often based on the uncertainties and the very late publications of required guidelines and standards from the Supervisory Authorities and the Commission. So companies are asked to prepare for the unknown, in many circumstances.
As mentioned earlier, there is a clear expectation of the authorities that financial entities are able to demonstrate compliance status and also further plans. Three topics are of particular interest here: the ICT provider register that we just talked about, incident handling, and also management involvement.
Joe Kamyar: So I guess on the topic of management involvement, to what extent are regulators looking at and expecting management to be across the range of technology issues that we've been discussing today?
Susanne Werry: As mentioned, this is really one of the key focus areas in resilience regimes right now. Not only DORA, but more generally too. So in essence, under DORA, management is directly responsible for overseeing the implementation of an effective ICT risk management framework, which includes ensuring compliance with the requirements of DORA and integrating ICT risk management into the entity's overall governance.
And in addition to DORA, earlier this year, a dedicated policy was also published by the European Central Bank, requiring bank management bodies to broaden their collective understanding of and the proficiency in identifying and dealing with ICT and security risks. The policy, which came into force in March 2024, emphasizes the need for a bank to actively manage risks related to the increased digitalization of the banking sector while also embracing technology innovation.
So in short, management bodies and boards need to be engaged with ICT risk management, and they cannot delegate this to a chief information security officer or another function anymore. They must really have robust incident response plans and comprehensive regular training, and ensure that these plans are really implemented. Significant ICT incidents, for example, whether caused by a cyber attack, a tech failure, or an internal mistake, all of these are board issues. And boards must be ready and proactive in dealing with them.
I think just to mention that in order to determine how prepared bank management bodies are to recognize and address ICT security risks, the policy also states that as part of a fit and proper assessment, the ECB expects from management that they have sufficient understanding of ICT and security risks, which means that the management body and internal control functions must have sufficient knowledge about ICT and security risks, alongside data and reporting requirements.
And there should also be a board member with practical cyber experience. This is also new. Banks should have at least one non-executive board member with recent practical experience and expertise in ICT and security risks. The ECB suggests five years of this practical experience as an adequate threshold.
And the last point is that management body members should undertake regular training at least once a year to maintain up-to-date knowledge and skills on ICT and security risks.
Joe Kamyar: Susanne, we should probably call it there, but thanks very much for your time.
Susanne Werry: No problem at all. Really great being here. Thanks.
Joe Kamyar: Thank you, and as always, thanks to our listeners. Bye for now.
Voiceover: Thank you for joining us on Fintech Focus. If you enjoyed this conversation, be sure to subscribe in your favorite podcast app so you don't miss any future conversations. Additional information about Skadden can be found at Skadden.com.