How has DORA affected your business relationships?
The short answer is … a lot. Since Colt’s beginning, more than 30 years ago, we have had a very strong presence in the financial services sector. Many of our customers are captured by DORA because of their activities.
The immediate effect was that our customers have turned around to their supply chain, to perform an analysis of who they rely on for their operational resilience.
As a connectivity provider, Colt has been top of that list, because every bank now operates in the cloud, and their connection to the cloud is often provided by Colt. Without us functioning at our usual 99.999% availability, they literally could not keep their business going. The most immediate consequence has been a request by some customers to introduce a contractual amendment to our existing contract with them, introducing, for instance, the right to audit us, which they must have for all the suppliers deemed critical – because it is one of the requirements of DORA.
How did you tackle the workload once DORA was adopted?
Operationally, the difficulty emerged when we had a number of customers simultaneously starting to send us their version of what they wanted us to sign. Whilst we were very happy to provide them with an addendum clarifying the rights that they were entitled to ask for in accordance with the new legislation, we could not really agree to so many different versions. We decided to draft a playbook with a number of Colt contractual amendments, which we issued to the whole Commercial Legal team in order to avoid each Financial Services customer insisting on their own version. From a logistical perspective, that could have been a nightmare!
We decided the best approach was to leverage the existing customer relationship. To some degree the requirements may be new, but the reality is that financial service regulators have for years required financial services firms to have a robust and auditable process for how they select their vendors, and how they ensure that the vendors are sufficiently reliable.
We effectively reminded customers that they already had a lot of the data they needed because they usually appoint vendors through an RFP process which tends to be really detailed, and requires a lot of disclosure from vendors, including about IT system security standards, business continuity protocols, etc.
What were the practical steps that you took to be able to meet the deadlines?
We started by mapping the workstream to comply with the customer request, and that mapping process revealed that the most important internal stakeholder was Security, as it was a security-driven matter. Our approach was that Security needed to lead, with everyone else chipping in and being responsible for their bit.
How might the regulatory regime change for your business post-DORA?
It is a bit difficult to say, because each regulator is acting separately, and each jurisdiction is different – there’s no centralised equivalent of the European Commission that can provide regulatory guidelines. So to the extent that one of these regulators identifies Colt as critical for the functioning of the country’s financial ecosystem, then we could be subject to DORA even further.
This is a new world for us because we are not regulated by financial services authorities. We are a communication provider and are caught by a sectoral regulator which we don’t really know. We know very well the telecommunication authority in each country where we have a license or authorisation, but this might be the first time that we have had to interact with financial sector regulators.
What is one piece of advice you have for legal teams also facing the DORA “storm”?
“Start with what you already do. I guarantee you won’t be starting from scratch. Speak to your IT security colleagues and see what it is that you have documented and then build on that. The chances are you would have already looked at similar issues and you will need to expand on that rather than start afresh.”
Alessandro Galtieri – Deputy General Counsel at Colt
Alessandro is Deputy General Counsel, VP Corporate Law, and Group Data Protection Officer at Colt, a network and data centre services company active in more than 50 countries. He is also the Secretary of Colt’s Audit Committee and the Chair of Colt pension fund’s Investment Governance Committee.
Alessandro has extensive experience in the high-tech space, with roles at Hexagon, the European Space Agency, and Interoute Communications (now GTT).
He is qualified in England, Ireland, and Italy; a Chartered Governance Professional, and a Certified Information Privacy Professional. He attended Rome University “La Sapienza”, the University of Law, and the Academy of International Law in The Hague. Alessandro holds an MBA from Hult International Business School at Ashridge.
Alessandro is a member of the Society for Computers and Law’s Sustainability and ESG Committee, and a guest lecturer for the University of Law’s Certificate in Effective Skills for the In-House Lawyer. In 2019 Alessandro was Legal500’s Data Protection Individual of the Year.