Interview with an expert: Renate Prinz on DORA, associated challenges and how companies can face them

Renate Prinz places DORA in a regulatory context and highlights key challenges and initial lessons learned since the law came into force.

About Renate Prinz

Renate Prinz is a partner at McDermott Will & Emery and advises banks and financial service providers, investors and industrial companies in all areas of financial regulatory and corporate law. She has many years of experience in advising financial institutions on licensing procedures, regulatory compliance and corporate restructurings as well as on transactions and ownership control proceedings (ECB and BaFin). In addition to traditional banking and financial supervision, Renate Prinz also advises on the regulation of payment services and crypto-assets as well as on money laundering and sanctions. She is the author of numerous publications on corporate and financial regulatory law, in particular in the area of crypto-regulation. In addition to her advisory work, she is involved in various associations for equality and diversity.

DORA under the magnifying glass

How do you rate DORA in comparison to other regulations such as BAIT, EBA guidelines or NIS2?

Answer RP: DORA (Digital Operational Resilience Act) is new, but many of the contents are already familiar to companies in the financial sector and have already been implemented through previous regulation. DORA now creates a uniform framework across the EU, which is very welcome. In Germany, for example, we already had a very high security standard and requirements for IT services through BAIT (as well as ZAIT or KAIT) and with MaRisk (minimum requirements for risk management) for outsourcing in general. Additional standards and formalities have now been added for DORA. Although these are annoying, many of them can be managed in practice by established market participants once the initial implementation effort, such as adapting contracts, creating documentation, registers and processes, has been set up accordingly. I consider the goal of high cyber resilience and reporting obligations for incidents to be very good and important in principle, given the high risks of cyber attacks for the financial market.

What exactly are we talking about when we talk about regulation in the service provider sector?

Answer RP: In the services sector, regulation is largely indirect via the financial sector. This means that the financial institutions themselves are in principle the addressees of regulation; however, they are obliged to ensure that the services they outsource comply with the proper business organization, can be monitored and that all necessary security measures - from IT security to contractual security, e.g. with regard to termination options - are complied with. The financial supervisory authority can also carry out direct investigations of service providers as part of its review of compliance with these requirements. Under DORA, there is also the class of critical service providers, which are now directly supervised for the first time.

In your opinion, what are the biggest challenges for financial institutions when implementing DORA?

Answer RP: Compliance with the formalities - a lot of documentation had to be implemented first. Comprehensive contractual adjustments with service providers, the correct classifications and the creation of the information register are simply a lot of administrative work in practice, and although the contractual adjustments are mandatory, they are far from being accepted by all service providers. However, the practical review of existing processes can also be a mammoth task.

What really needs to be considered with regard to the implementation of DORA-compliant processes? Are there any best practices or specific approaches that you would recommend - for example for incident response or third-party management? And what mistakes should companies avoid in your experience?

Answer RP: There is no best practice for everyone, as the requirements and challenges vary greatly depending on the size of the company. Where one institution works with 50 ICT service providers, the next may only have three. Clear contact persons, reporting structures and implementation planning are essential. In other words, there must first of all be an overview: Where do we even stand, where are our risks, what will bring us down in the worst case, i.e. what is a critical service? Reporting, for example, must then be set up on this basis.

In your opinion, what are the most important lessons learned since DORA came into force? Where do you see the biggest difficulties so far?

Answer RP: Contract adjustments with international service providers are difficult. The negotiation situation is often not fair here either, as there is often a lack of EU-based alternatives. Smaller IT service providers, who are often overwhelmed by regulation and its requirements, sometimes have to be replaced if adjustments are too costly or not possible. In addition, there are still many actual difficulties with timely implementation. However, the supervisory authority is also aware of this and we are seeing a lot of concessions here.

Do you anticipate further regulatory requirements in this area in the coming years? If so, to what extent?

Answer RP: If financial market regulation has taught me one thing, it is that there is no end to it. There will certainly be further clarifications and improvements in the area of DORA - then further regulations in the IT sector in general will follow, I'm sure of that. Developments are currently progressing very quickly in many areas and regulation is often lagging behind. I would hope that there will also be changes that make regulation more practical and processes faster and more efficient. Regulation should enable opportunities and create security, not slow things down. The ECB is now slowly working on improving this. It also remains to be seen what the Commission's plans for a deposit and capital markets union will bring. If it does come, we are likely to see some changes in this area.

DSwiss AG

Author
