Digital Operational Resilience Act (DORA) – the sequel

01 December 2025. Published by Alastair Mitton, Partner and Kristin Smith, Trainee Solicitor

One of the challenges regularly mentioned by international businesses operating in the UK is the (often subtle) differences in the way in which similar risks are regulated across the EU and UK.

That was once again a theme emerging from General Counsels speaking at RPC's 'Horizon Covered Live' event in November. Take as just one small example the combination of 'SS2/21' in the UK, 'DORA' in the EU and the 'EBA Guidelines on Outsourcing', where the contractual requirements imposed by those regimes are driving at the same outcomes but are not exactly aligned in how they can be captured, making contract review and remediation exercises more complex than they might otherwise be.

That EU regulators have been taking steps to simplify and harmonise their rules and guidelines in this space is therefore a welcome development in the long run (once the transitional periods and the activity required have been navigated, of course). From an insurance sector point of view, we saw this with the retirement of the 'EIOPA Guidelines on Outsourcing to the Cloud' in January this year as DORA came into effect (on the basis that those guidelines were now sufficiently captured by the requirements of the new regime).

On a similar theme, not long ago, October saw the end of the consultation period on the retirement and replacement of the 'EBA Guidelines on Outsourcing'. The EBA is proposing that those guidelines be replaced with a new set of 'Guidelines on Sound Management of Third Party Risk' which, simply put, would replicate the approach taken in 'DORA' (in respect of ICT contracts) for the non-ICT third party arrangements on which financial services firms have increasingly relied in recent years.

That would effectively lead to a position whereby in-scope businesses could apply a consistent approach (and the same contractual principles) to their contracts and associated contract registers for both ICT and non-ICT third party arrangements. There is a great deal of logic in that.

With a proposed two-year transitional period for the remediation of existing arrangements (or exit from them if the relevant requirements cannot be catered for), the thinking is that this would also allow businesses to review and remediate most of their third party arrangements in line with natural contract events or, if not, with sufficient notice to manage the activity required without undue disruption.

Given the context provided by DORA and the EU's simplification agenda, it would be surprising if we did not end up in the position anticipated. So, we await confirmation of the outcome of the consultation and the date on which the new guidelines will come into effect.

Of course, there will still be a need to carry out the review/remediation exercise that inevitably comes along with changes of this kind. That said, businesses on both sides of the fence have learned a great deal from DORA remediation projects, and so one would hope that this will at least smooth the process.

Here at RPC, through the work we have carried out on DORA, we have developed an AI-assisted contract review process focussed on precisely these requirements, which in our experience tends not to be available 'out of the box'. That solution provides a much faster and more cost-effective way of identifying the gaps across contracts of this kind compared to a more traditional human-only review, and so helps remove some of the pain. When planning ahead for this activity, please therefore contact one of the team here at RPC to discover how we could use our technology to help you.