DORA and Technology Disputes – How the Digital Operational Resilience Act Could Shape Technology Disputes in the UK
The Digital Operational Resilience Act (DORA), applicable as of 17 January 2025,[1] aims to ensure that financial institutions, third-party service providers and critical infrastructure entities are resilient to operational disruptions caused by technology failures or cyberattacks. The objective of DORA is to enhance the operational resilience of the financial sector by establishing standardised requirements for managing risks associated with information and communication technology (ICT) systems.
Although the legislation primarily applies to financial entities in the EU, its implications will undoubtedly resonate across borders, including in the United Kingdom. At present, there is no normalisation of operational resilience requirements across the varying U.K. regulatory bodies. U.K.-based financial institutions with EU operations, subsidiaries or clients must explicitly comply with DORA in those jurisdictions. Whilst the U.K. has not adopted DORA directly, domestic regulation for operational resilience, as set by the Financial Conduct Authority (for example), creates an environment in which compliance expectations may converge in the future.
Core facets of DORA compliance include:
- Risk Management – Identifying and mitigating ICT risks
- Incident Reporting – Mandating the timely reporting of significant ICT-related incidents to regulators
- Resilience Testing – Stress testing ICT systems
- Third-Party Management – Focused review of outsourced ICT services
- Information Sharing – Cyber threat intelligence and updates shared with key entities
As those dealing with technology disputes will know, there are many ways technology can fail. Disputes can arise from data breaches, software defects and service level agreement (SLA) failures, amongst others. Technology disputes are often complex enough in nature; however, litigation arising from ICT system and service compliance failures under DORA may become even more complex, particularly where services are provided to an EU entity by a U.K. provider.
This article considers the potential impact of DORA on technology disputes and how engaging experts early on can help navigate these challenges.
Jurisdictional Complexities
In the context of an existing ICT software or service agreement (provided by a U.K. entity to an EU entity, as an example), parties that have not made adequate provision for DORA requirements such as ICT system risk assessment, system hardening and contractual review potentially face a more protracted dispute in the event of an operational resilience failure once DORA is in full effect. An organisation’s technical landscape is often vast. As technology progresses, suppliers are switched or infrastructure is changed, it can be difficult to maintain a full and accurate picture of the complex network that makes up the ICT landscape. Cross-border data transfers and their subsequent endpoints may remain unknown (particularly at the executive level) where a reactive rather than proactive approach is taken to the compliance requirements of DORA. Where system, service and/or contractual review has not been carefully considered by those U.K. suppliers (and any relevant third-party providers) in existing agreements, there is a risk that DORA requirements will be unmet, potentially leading to dispute at a later stage in the event of a compliance failure.
If not explicitly defined in existing agreements, disagreements may arise over whether EU or U.K. law applies in an EU/U.K. DORA dispute. A U.K. entity may prefer disputes to be dealt with in the U.K., whilst an EU entity may insist on EU courts or arbitral bodies. Without contractual alignment, disputes can become reliant on subjective interpretations of industry standards, best practice and implied obligations. This may lead to increased costs and longer litigation timelines, as parties argue over what constitutes reasonable or expected practice. In complex technology disputes, technical expert evidence may be ordered to establish the direct cause of failure. Without agreement or contractual alignment to go by, one party’s expert may rely on specific regulatory requirements that an opposing expert might disregard.
Disclosure Scope
In disputes where software or a system’s fitness for purpose is challenged due to allegations of errors and/or vulnerabilities, specific documentary disclosure and factual evidence may be sought to evidence direct cause. Disclosure scope and obligations may vary significantly between EU and U.K. practices. Agreement on required disclosure may be hard to reach where each side holds narrower or wider expectations.
Although this can be a common issue within any cross-border dispute, the implications of narrower disclosure in EU/U.K. DORA disputes could restrict access to documentation such as operational logs, system configurations and test results, creating gaps in the evidence required to identify the root cause of a failure. This could be further detrimental to understanding whether other aspects of DORA compliance have been met (such as sufficient testing), which may need to be considered holistically within expert evidence.
In situations where systems are highly interconnected (between a vendor and a third-party provider), determining where a fault originated may create friction with parties not originally engaged in the dispute when disclosure is required from them. Third parties may not be contractually obliged to provide full access to disclosure items, which could impact analysis of whether, retrospectively, third-party due diligence was also performed adequately.
Third-Party Complications
ICT software or services may contain third-party or subcontracted components. Those separate parties may have differing SLAs, clouding who bears ultimate responsibility for any deficiencies raised in dispute. This fragmented accountability could complicate assessment of any technical failure. The existence of multiple supply chains in a dispute can affect the expert evidence, where one party opines that the fault lies with the service provider, whilst the opposing party alleges that the root cause of the failure lies with a third-party vendor.
This could result in a subsequent rise in secondary litigation as U.K. entities seek recompense from third parties for their failings under DORA. With the complications that could potentially arise because of DORA obligations (from the core facets listed above), many providers, particularly start-ups and scale-ups, may not have the capacity, funds or appetite for a hefty litigation. Alternative dispute resolution (ADR) may therefore become more prevalent.
Expert Evidence
IT contract disputes often relate to SLAs and/or other performance failures. To identify whether failures have occurred (in relation to system downtime or system defects), technical experts will need to identify what the stipulated or agreed levels and standards were or should have been. Early technical expert involvement will therefore be critical in identifying specific and detailed requests for documents in narrower disclosure settings, as experts are well placed to state why those documents are critical to their evidence.
In the absence of contractual specifications, disputes can become entangled in what constitutes acceptable performance, leaving “reasonable expectations” open to wider interpretation. For example, the crux of analysing SLA failures and other performance metrics depends not only on parties having a shared understanding of what constitutes a defect or unplanned outage, but also on such occurrences being properly identified and logged in the contemporaneous evidence. In general, the definitions of what constitutes a bug, error, defect or outage, and their duration, priority and severity classification, should be acknowledged in a master document or the contract itself, but this is not always the case. In the absence of such definitions, or in restricted disclosure settings, experts with cross-border IT system knowledge should be able to agree on what industry standard expectations would typically be, and on the applicable best practice standards.
A large part of an expert’s undertaking hinges on the disclosure process being conducted appropriately, with heavy reliance on the quality and interpretation of that disclosure for expert opinion to be formed. In cases where EU disclosure may be narrower than what U.K. litigation might normally entail, involving technical experts as early as possible will be key to identifying the most appropriate disclosure required. Experts may jointly agree specific disclosure in a joint request. However, this would require all party experts to bring a collaborative mindset to their instructions and approach, which may not necessarily occur in practice. Confidentiality and data protection restrictions should also be considered.
Often in litigation settings, expert instructions are drafted prior to any expert involvement. To engage experts most effectively, allowing joint expert input on the perceived issues may help to ensure that the instructions (once drafted) are clear and technically accurate, optimising the experts’ ability to investigate all relevant issues thoroughly, jointly and cohesively.
Navigating Complexities Around DORA
Litigation arising from EU-U.K. disputes under DORA, particularly those involving third parties, faces challenges such as fragmented accountability, limited evidence access, conflicting regulations and technical complexity. Such issues can lead to delays, increased costs, asymmetry in evidence and difficulties in determining fault.
To mitigate the issues identified above, parties might agree whether international standards would be a good benchmark to use alongside considered customary practices in the absence of any specified jurisdictional regulation. Seeking an agreement up front using neutral international benchmarks such as ISO 27001, ISO 31000 and ISO 22301, for example, may mitigate unnecessary delays and be of more assistance to the court. This would enable parties on both sides to work to the same (albeit subjectively interpreted) application of international standards in the absence of any specified jurisdictional or regulatory expectations, and may in turn reduce the potential for expert evidence to diverge where there are no specific contractual stipulations.
Using a global, multi-jurisdictional, multilingual eDiscovery provider with the requisite forensic experience in data anonymisation, collection and preservation should help to minimise potential data protection breaches. Seeking professionals who have experience of working with both EU and U.K. regulators for multinational entities will also be beneficial.
When instructing experts, framing instructions in neutral language and avoiding language that allows for subjective interpretation will be the key facilitator in mitigating divergence between the parties’ technical evidence. For example, where a system’s integrity or soundness needs to be analysed, consider specifying the period required for analysis. Collaborate with the expert(s), prior to drafting the instructions, to define technically what integrity or soundness should constitute. In the interests of minimising conflicting opinions arising in expert evidence, it may be beneficial to consider the use of a single, neutral expert, appointed jointly between the parties, with expertise in cross-border technical systems.
Focusing on an expert’s knowledge and experience of the applicable frameworks, as well as of the particular ICT systems and products concerned, will be key to instructing the right expert and fostering collaboration between the parties. Experts should have a deep understanding of EU DORA and U.K. operational resilience requirements, to best assess how to navigate jurisdictional ambiguities and identify common regulatory goals (such as ICT risk management).
Whilst the above suggestions will not counteract the complexities of cross-border disputes in all instances, seeking expert input as early as possible will be key to navigating the complexities of disputes arising from DORA.
[1] “The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554,” https://www.digital-operational-resilience-act.com/