Does DORA say do?
There is just one month until the EU Digital Operational Resilience Act (DORA) applies, with effect from 17 January 2025. From that date a wide range of financial services organisations (from banks and credit institutions to insurance and reinsurance undertakings and intermediaries, investment firms, payment institutions, credit rating agencies and data reporting service providers), as well as their third party ICT service providers, will be obliged to implement a risk management framework and third party risk arrangements to meet the baseline requirements for the security of the network and information systems which support their business processes.
As a consequence, many financial entities will still be in the process of carrying out a review of their contracts with third party ICT service providers and may be seeking to renegotiate contractual terms, citing amendments as being necessary to comply with DORA.
But what does DORA actually require and to what extent are financial entities seeking to impose disadvantageous commercial terms on third party ICT service providers under the guise of DORA compliance?
Chapter V of DORA sets out the expectations on financial institutions for managing third party risk and Article 30 details the baseline contractual requirements, which increase in relation to ICT services in connection with functions deemed critical or important. DORA is then supplemented by Commission Delegated Regulation (EU) 2024/1773, which imposes pre-, during and post-contract obligations.
Before even thinking about entering into a contract in relation to third party ICT services supporting a critical or important function, financial entities are required by Article 6 of Commission Delegated Regulation (EU) 2024/1773 to prepare a policy regarding contractual arrangements on the use of those ICT services. That policy must address: the selection and assessment of the suitability of third-party ICT providers, including having regard to the business reputation of the service providers, their financial, human and technical resources, their information security, their organisational structure (including risk management) and their internal controls; ensuring the third-party ICT service provider has the capacity and capability to monitor and maintain good industry practice having regard to technological developments; any proposed use of sub-contractors to provide the services; where the services will be delivered, having regard to the location of the supplier and where data will be processed and stored, and the impact on operational and reputational risks to delivery; and the ability of the financial entity, appointed third parties and competent authorities to conduct on-site and other audits. The obligations in relation to supplier due diligence are not limited to factors directly relevant to the supplier’s information security posture (including the ICT service provider’s risk mitigation and business continuity measures and their effectiveness), but extend to whether a supplier “acts in an ethical and socially responsible manner, respects human rights and children’s rights, including the prohibition of child labour, respects applicable principles on environmental protection, and ensures appropriate working conditions”, potentially requiring financial entities to conduct – and suppliers to produce the information relevant to – an ESG assessment, subject to the level of risk and the level of assurance deemed necessary.
Suppliers may therefore find themselves expected to provide a much more extensive range of information at the procurement and award stage than may currently be the case. We have written a separate post on this obligation and have prepared a free Helping Hand ethical, social, environmental and human rights due diligence checklist.
Furthermore, Article 9 requires that the policy must specify that contractual arrangements make provision for the implementation, monitoring and management of the obligations throughout the term, including: maintaining the confidentiality, availability, integrity and authenticity of data and information; compliance with the financial entity’s policies and procedures (incorporating specific security measures including physical or logical access controls, strong authentication mechanisms and protection measures for cryptographic keys, change management protocols, patching and updates, backup, restoration and recovery procedures and methods, and reporting of major ICT incidents (comprising initial notification and interim and final reports) and significant cyber threats); and penalties for non-compliance with contractual SLAs. The policy is required to provide for mechanisms for performance and quality management comprising: ensuring the third party ICT service provider delivers periodic reports, incident reports, service delivery reports, reports on ICT security and reports on business continuity measures and testing; key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity’s ICT risk management framework; provision of other relevant information; notification of ICT-related incidents and operational or security payment-related incidents (as appropriate); independent reviews and audits of legal and regulatory compliance; and measures to remediate shortcomings in performance.
That policy is also required by Article 5 of Commission Delegated Regulation (EU) 2024/1773 to provide for – and to inform – risk assessments to be carried out prior to entering into a contract, addressing operational risks, legal risks, ICT risks, reputational risks, risks linked to the protection of confidential or personal data, risks linked to the availability of data, risks linked to the location where the data is processed and stored, risks linked to the location of the ICT third-party service provider and ICT concentration risks at entity level.
Once a supplier has been identified, DORA then requires that, in respect of all third party ICT services:
there is a written contract in place between the financial entity and third party ICT service provider;
the written contract is contained within one document;
the written contract is either available on paper or in another downloadable, durable and accessible format;
the written contract sets out the rights and obligations of the parties;
the written contract:
includes a clear and complete description of all functions and ICT services to be provided by the third party ICT service provider to the financial entity;
specifies whether, and to what extent, the ICT services support critical or important functions;
states whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, if so, the applicable conditions for subcontracting;
identifies the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location;
incorporates a requirement for the third party ICT service provider to notify the financial entity in advance if it envisages changing the locations for the provision of the ICT services including storage and processing;
includes provisions addressing the availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
incorporates provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
details service level descriptions, including updates and revisions thereof;
imposes an obligation on the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined in advance (by being specified in the contract, for example), when an ICT incident that is related to the ICT service provided to the financial entity occurs;
requires the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
includes termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
sets out the conditions subject to which the ICT third-party service provider can participate in the financial entity’s ICT security awareness programmes and digital operational resilience training provided to its own staff, where appropriate; and
incorporates a right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT, to be conducted by means of the financial entity’s internal or external auditors, pooled audits/ICT testing, or – where certain criteria are met – third party certifications and/or the third party ICT service provider’s own audit reports shared with the financial entity.
In relation to those ICT services which are identified as supporting a critical or important function, the contract must, in addition to the above:
include full service level descriptions, with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
incorporate notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
establish requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
impose an obligation on the ICT third-party service provider to participate and fully cooperate in the financial entity’s periodic threat-led penetration testing (TLPT) (where and to the extent applicable);
establish a right to monitor, on an ongoing basis, the ICT third-party service provider’s performance by reference to key performance indicators, key control indicators, audits, self-certifications and independent reviews (subject to microenterprise financial entities being entitled to instead rely on information and assurance rights from an independent third party appointed by the ICT service provider), addressing:
unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
the right to agree on alternative assurance levels if other clients’ rights are affected;
the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and,
the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
make provision for exit strategies (including the periodic review and testing of a documented exit plan), in particular the establishment of a mandatory adequate transition period:
during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;
allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
Financial entities are required to ensure providers of ICT services supporting critical or important functions provide appropriate reports on their activities and services including periodic reports, incident reports relating to ICT-related incidents and operational or security payment-related incidents, service delivery reports, reports on ICT security and reports on business continuity measures and testing, and other relevant information. The financial entity must record its assessment of the third party ICT service provider’s compliance and this must in turn inform its risk assessment.
These are minimum requirements, and financial entities and third party ICT service providers can agree to a more onerous regime.
Some of these provisions are already likely to be addressed in existing contracts to meet existing obligations under the GDPR, or wider obligations in relation to the security and confidentiality of information or business continuity measures, but these existing contractual clauses may need to be expanded to address a wider category of data or to apply to the service as a whole (while being careful to ensure that this extension applies only to security and similar provisions and does not inadvertently extend other liability provisions or caps).
While DORA envisages that the parties may rely on approved standard contractual clauses, none are currently available.
Financial entities and third party ICT service providers should therefore note that DORA and the Commission Delegated Regulation do not impose:
specific security standards;
prohibitions on sub-contracting;
prohibitions on the locations at which data may be processed or stored;
a specific time period for notifying proposed changes to locations at which data may be processed or stored;
specific SLAs or KPIs;
a requirement for free support to be provided in the event of a data incident;
specific notice periods for termination;
specific termination rights;
an unfettered right of access without notice to conduct reviews and audits of data including that of other clients;
a specific time period for reporting incidents or developments having a material impact;
minimum business continuity and contingency arrangements;
the frequency of periodic threat-led penetration testing (TLPT); and/or
the duration of ongoing service provision as part of an exit strategy.
These matters are therefore liable to negotiation between the parties.
Should you require support in understanding your obligations under DORA, preparing DORA policies, conducting DORA risk assessments, updated standard contract terms and precedents or in negotiating amendments to existing agreements, please contact us.