The Impact of DORA on ICT Third-Party Service Providers in the Financial Sector | Poland

January 2025 is the date of the entry into force of the EU Digital Operational Resilience Act (DORA) for the financial sector. This new, complex and widely applicable Act sets parameters in the following key areas:

DORA will apply directly only to the above-mentioned critical ICT third-party service providers. Regardless, the impact of the regulation for service providers will be much broader than it may seem at first glance. This is especially in the Polish market, with its long tradition of regulating outsourcing in the financial sector, and its peculiarities. Thus, reasonable steps should be taken by ICT providers in order to manage relations with financial entities in advance.

ICT third-party service providers are simply those that externally provide ICT services in terms of the meaning set out in DORA, which is very broad. As the legislature has revealed within recitals to DORA, this was deliberate: “To address the complexity of the various sources of ICT risk (…) this Regulation should cover a wide range of ICT third-party service providers” (Recital 63). The definition of ICT services focuses on the following prerequisites: digital and data services provided via ICT systems, on an ongoing basis. The definition also covers hardware services, which includes the provision of technical support via software or firmware updates by the hardware provider. Considering the breadth of the definition, it is believed that the prerequisite of an “ongoing basis” will have a decisive role in determining whether a given third-party provider falls into the category of providers under DORA.

Regardless of the misleadingly worded scope description in DORA (Article 2, item 1, letter u), it does not apply directly to ICT service providers unless they have been formally appointed as so-called critical ICT third-party service providers. It is clearly stated in Recital 77 of the regulation that “The Oversight Framework should apply only to critical ICT third-party service providers”. The appointment as critical provider will be decided by the supervisory authorities based on criteria such as the systemic impact on the stability, continuity or quality of the provision of financial services, the reliance of financial entities on the services provided by the relevant ICT third-party service provider or the degree of substitutability of the ICT third-party service provider.

The impact of DORA for critical ICT third-party service providers is quite obvious. Thus, this article will not focus on these aspects of the regulation. More interesting is the indirect impact of DORA for apparently unaffected non-critical service providers.

Financial entities (i) broadly engage and depend on third-party service providers in their operations and (ii) currently need to achieve compliance with DORA. These two drivers will surely result in shifting at least part of the burden of implementation to providers. The trend in the market can already be observed, and it seems certain that closer to the effective date, the expectations and demands of financial entities will only grow.
Given the specificity of the Polish market, the phenomenon might be reinforced here by the legacy of the local outsourcing regulations. For years, prior to any similar EU regulations, there have existed strict outsourcing regulations and supervisory requirements in Poland, for example in the banking sector. In 2020, The Polish FSA also decided to separately regulate application of cloud services by Polish financial entities. The regulation remains in force. With each new or extended regulation, financial entities knocked on the door of the service providers asking whether they provide compliance with the given regulation. No different is expected with the current regulation.

DORA introduces many requirements where the service provider’s assistance might be of help or even necessary, with lists of technical and organisational controls, implementation of back-up policies, business continuity or even security testing. Although it is the financial entities’ obligation to perform testing, it is obviously easier to perform testing basing on the preliminary results and outcomes of prior (service providers’) testing programmes.

Since, in this case, the future is known, it is better to actively face it than passively wait. The best providers can do is to proactively offer compliance with DORA to financial entities before the latter come up with their own vision of compliance and requirements; even worse, each financial entity with its own distinct version of implementation. ICT third-party service providers identifying that they fall under the scope of DORA regulation should be already working on their ability to present to financial entities that DORA is already dealt with and the entity can smoothly move on to another provider without wasting resources.