In our latest blog post on preparing for the EU’s Digital Operational Resilience Act (DORA), entering into force on January 17, 2025, we take a look at second-level requirements under DORA covering the classification and reporting of major information and communications technology (ICT) related incidents. These requirements will need to be addressed through operational risk management frameworks and contract remediation efforts with technology vendors.
Tech & Sourcing @ Morgan Lewis
TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
Beginning January 17, 2025, financial entities based in the European Union must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with the EU Digital Operational Resilience Act (DORA).
Starting January 17, 2025, financial entities based in the European Union must have in place processes and policies, as well as mandatory contract provisions with their third-party technology vendors, that comply with the EU’s Digital Operational Resilience Act (DORA). Financial entities are currently at varying stages of updating their operational risk management frameworks and remediating contracts with technology vendors. For banks, the European Central Bank has signaled that resiliency will be a top priority on its supervisory agenda.
Beginning January 17, 2025, the European Union’s Digital Operational Resilience Act (DORA) will require financial entities to maintain and submit to EU regulators a comprehensive register of their contractual arrangements with third-party information and communication technology (ICT) service providers. Financial entities are being given the opportunity to sign up for a voluntary reporting exercise by May 31, 2024, running between July and August 2024, to help them prepare for one of the most challenging aspects of implementing DORA.
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently released draft rules that are set to reshape how critical infrastructure companies report cyberattacks to the US government. The rules are designed to improve the country's cybersecurity by making sure cyber incidents are reported quickly and thoroughly. This could help create a clearer understanding of cyber threats and may mitigate against future cyberattacks.
New ICT incident reporting requirements under Circular 24/847 (Circular) of the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg’s financial regulator, will come into effect on April 1. This introduces a new ICT-related incident reporting framework and underscores the critical importance of proactive measures in safeguarding financial institutions against ICT and cyber threats.
The European Central Bank (ECB) has published data showing that banks are increasingly using third-party providers to support their critical functions. However, more than 10% of outsourcing contracts covering critical functions are not compliant with the relevant regulations. During a key year for EU financial institutions and their critical service providers—with implementation projects for the Digital Operational Resilience Act (DORA) well underway—the ECB signals that outsourcing and resiliency, particularly risks associated with cloud outsourcing and concentration risks, will be a top priority on its supervisory agenda.
Join Pittsburgh partner Peter Watt-Morse and Philadelphia partner Barbara Melby and associate Katherine O’Keefe at 12:00 pm ET on Wednesday, January 24, 2024 as they highlight considerations for companies in the financial services and insurance industries that contract for technology and outsourcing services.
The UK government introduced its Digital Markets, Competition and Consumers Bill to Parliament for approval on April 25, 2023. The bill establishes a “pro-competition framework” for digital markets, specifically targeting a small number of tech firms with significant market power that will receive a “Strategic Market Status” (SMS) designation.
The UK government published a white paper on March 29 setting out a “pro-innovation” UK regulatory framework for artificial intelligence (AI). The framework centers upon five cross-sectoral principles, of which implementation will be context-specific to the use of AI, rather than the technology itself. The government does not propose introducing a new regulator or any new legal requirements on businesses, instead leveraging existing powers of UK regulators and their domain-specific expertise.