28.3.2023

The EU regulation on digital operational resilience for the financial sector poses new obligations for boards of financial entities

The Digital Operational Resilience Act (DORA), which governs both digital operational resilience and the use of information and communication technology (ICT) in the financial sector, entered into force in the European Union in January 2023. The regulation is part of a larger digital finance package and will apply in the EU Member States from January 2025 onwards.

Regulated industries and operators

DORA applies to a wide range of financial entities, including banks, insurance companies and investment firms. The regulation also reaches ICT third-party service providers that supply financial entities with critical ICT services, such as cloud computing and data analytics services, which become subject to an EU-level oversight framework.

New obligations for boards of financial entities

One of the aims of the regulation is to ensure that the boards of financial entities take on a pivotal and active role in steering and adapting the overall strategy concerning ICT risk management and operational resilience. Under DORA, the board is ultimately responsible for the entity’s ICT risk management.

First, the board must define, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework. DORA sets out the concrete minimum requirements for the framework in more detail, but at a minimum it must include the strategies, policies, procedures, protocols and tools needed to protect all ICT assets (such as software, hardware and servers) and infrastructures (such as premises and data centres) against ICT risks, including damage and unauthorised access or use. In practice, this includes the following:

As part of their ICT risk management framework, financial entities must also define a strategy for the risks arising from the use of third-party ICT services. This requires that board members regularly review the risks associated with contractual arrangements for ICT services that support critical or important functions.

Board members of financial entities are also required to actively maintain sufficient knowledge and skills to understand and assess the entity’s ICT risk and its impact on operations. Under the regulation, maintaining sufficient knowledge requires, among other things, regular participation in specific training on ICT risk and its effects.

Liability for non-compliance

Under DORA, Member States must ensure that the competent national authorities have the power to impose administrative penalties and remedial measures in case the obligations are breached. It must be possible to direct these penalties and measures at board members of financial entities and at other natural persons who are responsible for the breach under national law. However, the final form of these sanctions will not be known until national legislation has been amended as the regulation requires. In Finland, the legislative preparation on this matter has not yet begun.

Preparing for the future

All in all, DORA creates a comprehensive and detailed framework for managing the risks related to digitalisation in financial entities. It introduces new requirements with respect to cyber security and operational resilience, and it lays down new obligations for the boards of financial entities. Failure to comply with these obligations could even result in administrative penalties imposed on board members individually. The sanctions for breaches under Finnish legislation will likely be specified in the coming years. Nevertheless, financial entities are well advised to start evaluating their ICT risks and practices in good time, including those relating to their ICT service providers.
