Insights into ESAs Report on the Landscape of ICT Third-Party Providers

The interconnected financial services ecosystem in Europe is on the brink of significant transformation. The European Supervisory Authorities (ESAs) are gearing up to enforce the Digital Operational Resilience Act (DORA) – and that’s about to change the day-to-day operations of Information and Communication Technology (ICT) Third-Party Providers (TPPs) who service the financial sector.

Industry leaders must prepare their organizations for this significant shift. It will be transformative, and will require ICT service providers to navigate a new regulatory landscape backed by substantial penalties.

Why is this preparation necessary? At its core, the significance of DORA is found in its forward-thinking approach. It recognizes the pivotal role of digital services in the financial sector. And this recognition goes beyond compliance.

Let’s dive into the details of the ESAs report on the landscape of ICT TPPs and how DORA will shape the future of ICT service provision into the financial services sector.

DORA introduces an expansive and comprehensive definition of ICT services. The goal is to capture a range of digital and data services essential to the modern financial sector. This definition extends beyond the conventional scope. It covers not just software and data processing services, but also hardware, cloud services, and technical support amongst others. (It excludes traditional telephone services.)

The broad categorization significantly widens DORA’s ambit. The regulation will impact a diverse array of organizations beyond the traditional financial sector. It encompasses major technology service providers and consultancy firms involved in data management and advisory services, as well as SaaS providers and smaller operators.

That means any organization providing technology services into the European financial sector – whether directly or indirectly related to core financial operations – will be impacted by DORA. According to the ESA, around 15,000 ICT TPPs are directly serving financial sector entities across the EU. When subcontractors are added, this number goes up to around 20,000.  Organizations operating in the EU, US, UK and elsewhere who service EU financial institutions must reevaluate their operational and compliance strategies. Further, the regulation's extensive scope means there are far-reaching implications for business models and service offerings.

The landscape of ICT TPPs is layered. Services vary significantly in their criticality to financial institutions. The ecosystem can be divided into three distinct levels, each carrying different implications under DORA.  

• Level 1: Non-Critical TPPs: These TPPs offer services that, while valuable, do not directly impact the core operational functions of financial entities. They are typically supplementary technologies and support services. The goal is to enhance operational efficiency but they’re not crucial for daily functions. These providers face no direct regulation under DORA, although financial entities who engage such TPPs will still need to flow down various contractual protections onto them. 

• Level 2: TPPs whose services support critical or important functions: This is a group of TPPs offering services which support critical or core functions within the financial entities. The disruption of such services may have significant consequences. These providers are not directly regulated under DORA, but must comply with a more extensive list of requirements from their customers. 

• Level 3: Critical TPPs: These are the most significant TPPs. Their services are deemed critical and irreplaceable to the sector at large. They are an essential part of the sector’s operational framework. The criteria for defining these TPPs is in process (although the ESAs have provided some useful guidance, here); a list of such TPPs is expected by July 2024. Providers in this category will be subject to direct and stringent regulatory oversight due to their impact on the broader financial system.

The categorizations, above, underscore the varying degrees of reliance financial entities have on different types of ICT TPPs and the services they provide. The layered approach helps in understanding the depth of dependency on TPPs. It’s crucial for implementing appropriate regulatory measures. It also shows the complexity of the financial sector’s digital operations and must be managed with care and foresight. 

Based on the data provided in the ESAs Report on the landscape of ICT third-party providers in the EU, there are around 15,000 ICT TPPs identified with roughly 9,000 providing critical or important functions. That is a surprisingly high percentage, and demonstrates how conservative the regulators are likely to be when enforcing this regulation.

The ESAs report underscores the substantial extent of the reliance on ICT TPPs in the financial sector. The research suggests that nearly half of the software and application service contracts analyzed are deemed critical (i.e. would fall within Level 2, above).  For other service lines, such as network infrastructure and data center services, the percentage is much higher.  The interdependence between financial organizations and their ICT TPPs is also highlighted by the diverse nature of services offered. This includes software and applications, cloud computing, and cybersecurity, but also data analysis and other data services. Once again, the diversity reflects the complex nature of modern financial services in which digital solutions are foundational to business operations. 

Organizations must understand the timeline for the implementation of DORA. We can’t underscore the importance of this enough. 

DORA was officially enacted on January 16, 2023, but full enforcement is set to begin on January 17, 2025. 

The two-year gap is designed to give organizations time to adapt and comply with DORA’s requirements. This period is vital for conducting thorough risk assessments, updating technology infrastructure, and making operational changes. For ICT TPPs – especially those on the critical level – this is a time of significant transformation. It necessitates a proactive approach to compliance and operational resilience.

There is less than one year left until DORA comes into effect. The looming impact of DORA underscores the urgency for all parties to prepare. Organizations should look at this as a moment to not just adhere to regulations, but fortify overall operational resilience.

January 2025 is not that far away. This date is not simply a regulatory checkpoint. Instead, the full enactment of DORA means a significant shift in how financial entities and ICT TPPs must operate.

Waiting or delaying will lead to challenges in meeting compliance requirements, which may result in fines or reputational damage. Understanding and engaging with the intricacies of DORA sooner rather than later means a more managed and strategic adaptation to the new regulatory environment.

Companies must assess their operations, understand the implications of DORA, and take proactive steps toward ensuring they are not only compliant, but resilient for the future.

But you don’t have to do this alone. BugZero offers an automated platform designed to integrate with your resilience processes and help you comply with DORA faster. Learn how it works today! 

For more information on navigating your obligations under DORA and how this will impact your contracting and procurement strategy in the financial services sector, Nikhil Shah at Fieldfisher will be delighted to help.