DORA – Some insights on contractual clauses in agreements between financial entities and ICT third-party service providers

On 27 December 2022, Regulation (EU) 2022/2554 on the Digital Operational Resilience of the Financial Sector (“DORA”) was published in the Official Journal of the European Union. Bird & Bird has published a number of materials covering DORA, inter alia this overview covering DORA and its aspects in general. The most important achievement of DORA is that the regulation establishes a European single rulebook for information and communication technology (“ICT”) governance.

DORA entered into force on 16 January 2023 and will apply from 17 January 2025, which means that entities subject to DORA’s requirements have less than a year to prepare for the compliance deadline.

DORA will apply directly to the financial sector entities listed in Article 2 (1) (a)-(t) of DORA, which covers almost all types of financial entities (level one application). In relation to ICT third-party service providers (“ICT Providers”), DORA will apply in two ways (level two application):

  • directly, to ICT Providers designated as critical, as regards their designation and oversight under DORA; and
  • indirectly, to all ICT Providers, because they will need to adjust their organisations, their provision of ICT services and the contractual agreements for those services to the requirements of DORA when providing such services to financial entities.

This means that both financial entities and ICT Providers will need to make adjustments to their organisation and conduct of business following from the requirements of DORA, in one way or another. In particular, DORA will require actions at both levels in adjusting policies, processes, procedures and tools to manage the security (and reliability) of their ICT systems, as well as the content and overall handling of contractual agreements, both between financial entities and ICT Providers and between ICT Providers and their subcontractors (where allowed by the financial entity). This article aims to provide insights into certain aspects of the contractual provisions that need to be included in agreements to comply with DORA.

How to get this right?

Article 28 sets out an extensive list of general principles to be applied to ICT third-party risk management, including several principles relating to contractual agreements. In addition, Article 30 provides a list of key contractual provisions that must be included in contractual agreements between financial entities and ICT Providers for financial entities to comply with DORA. As this is a list of key provisions, financial entities may include additional contractual provisions to further specify the contractual agreements, as long as the additional provisions do not contradict the key provisions specified in Article 30.

Below, we provide some insights on these provisions.

Financial entities’ sole responsibility for compliance with DORA

Financial entities shall manage their ICT third-party risk and will at all times remain responsible for compliance with, and discharge of, all obligations under DORA. Setting clear and comprehensive contractual clauses in the agreements is part of that risk management and should therefore not be underestimated. In doing so, financial entities shall ensure that all aspects of the provision of ICT services are thoroughly regulated, taking into account the scope and criticality or importance of the ICT service and the overall risk assessment and due diligence of the ICT Provider that each financial entity must carry out before engaging it.

It is not unusual for financial entities to be presented with template agreements of a "take-it-or-leave-it" nature by technical providers, including ICT Providers. It is important to keep in mind that it is always the financial entity's own risk assessment that forms the basis for determining whether such an agreement is sufficient in relation to the risks arising from each particular relationship with an ICT Provider and the service it provides, including the subcontractors it involves, and thus whether the template agreement can be accepted. The compliance obligation will always rest with the financial entity.

Clarity of contractual agreements 

The rights and obligations shall be clearly allocated in the contractual agreement, in writing. The functions and ICT services to be provided shall be described clearly. Where appropriate, Service Level Agreements, including service level descriptions and revisions thereof, shall be included in the agreements.

The level of detail shall correspond to the type and complexity of the service provided by the ICT Provider. An agreement shall include a clear and complete description of all functions and ICT services to be provided by the ICT Provider, including whether subcontracting is permitted and on what conditions (see more on subcontracting below).

For contractual agreements with ICT Providers performing critical or important functions, the provisions shall contain, in addition to the above, more precise descriptions of all relevant aspects, including clauses enabling financial entities to take corrective action if the service levels are not met.

DORA requires that the agreement be set out in one written document and be available to both parties on paper, or in a document in another downloadable, durable and accessible format.

Proportionality 

DORA allows for a proportionality assessment in relation to the implemented measures, based on the nature, scale and complexity of the ICT-related dependencies and the risk arising from the contractual relations with ICT Providers, also taking into account the criticality and importance of the respective service, process or function as well as the potential impact of the ICT service on the continuity and availability of financial services and activities. For contractual agreements, this means that more complex and/or extensive ICT services require a higher level of detail in the agreements. DORA contains a list of key contractual provisions that financial entities shall ensure are included in their contractual agreements with ICT Providers. The list is divided into two parts: the contractual clauses in Article 30.2, which apply as a basis, and the additional requirements for contractual clauses supporting critical and important functions in Article 30.3. The list itself thus already applies a proportionality principle depending on the nature of the ICT service to be provided.

Appropriate security standards

As a general principle, financial entities may enter into contractual arrangements with ICT Providers that comply with appropriate information security standards. For ICT Providers supporting critical or important functions, the requirement is to use “the most up-to-date and highest quality information security standards”. As a first step, it will therefore be crucial for financial entities to determine whether the service concerns a critical or important function, and then to involve internal stakeholders who have the knowledge and expertise to properly assess which security standard is appropriate in each particular case.

Given the importance of applying the right level of security standard, it is also important to include an assurance that the ICT Provider shall maintain the necessary security standard or certification under the agreement, together with the conditions that will apply if the ICT Provider fails to maintain it or if audits raise findings, the time frame for remedying the issues, and the exit strategy that may apply in such a case.

Securing access, inspection and audit rights

Financial entities shall ensure contractual arrangements on access, inspection and audit rights over the ICT Provider, including their frequency, the areas to be audited and the audit standards. Full cooperation with competent authorities or resolution authorities is required, which means that such rights shall be granted in the agreement. The requirements are similar to existing outsourcing requirements, although DORA goes somewhat further.

DORA requires verification that the auditors, or the pool of auditors, appointed to audit ICT services of high technical complexity possess appropriate skills and knowledge to effectively perform the audits or assessments. This means that in such cases financial entities must not only have a clear picture of their own risks but also clarity on the risks that may arise on the ICT Provider’s side, and must ensure that the auditors are sufficiently knowledgeable to understand those risks, the consequences they may have for the provision of ICT services and thus for the financial entities’ obligations under DORA. This places quite an extensive obligation on financial entities, especially small and medium-sized ones. Some exceptions have been introduced for financial entities that qualify as micro-enterprises or are subject to the simplified ICT risk management framework under DORA. How to handle this will depend on each particular situation, but we hope that industry standards will soon emerge.

A number of regulators around Europe have already expressed their intention to increase oversight of how well financial entities handle cybersecurity and their ICT subcontractors. We can therefore expect an increase in supervisory activities, which means that both financial entities and ICT Providers should be prepared for that and “have all their ducks in a row” in this respect. It is therefore important to regulate everything related to this in detail. Our view is that this part should be discussed specifically between the financial entity and the ICT Provider to find a solution suitable for both parties.

Termination rights and exit strategies 

Financial entities shall ensure that they can terminate contractual agreements, which is, of course, common practice. However, DORA goes a bit further and provides a list of situations in which termination rights are required:

  1. in the event of a significant breach of applicable laws, regulations or contractual terms,
  2. when circumstances arise that are capable of altering the performance of the functions provided, or there are otherwise material changes affecting the arrangement or the situation of the ICT Provider,
  3. when the ICT Provider has evidenced weaknesses pertaining to its overall ICT risk management, in particular as regards ensuring the availability, authenticity, integrity and confidentiality of data,
  4. where effective supervision of the financial entity by the competent authority is no longer possible as a result of the conditions of, or circumstances related to, the respective contractual agreement.

The termination rights and the circumstances under which they apply shall be clearly defined, including the minimum notice periods for termination. DORA also requires these to be defined in accordance with the expectations of the competent and resolution authorities. For the sake of clarity, it is important to define the surrounding details, for example what constitutes a significant breach in a particular contractual agreement (which will depend heavily on the overall ICT risk landscape of each financial entity and on the scope and complexity of each ICT service). It is equally important to specify the details of the other cases in which the termination right applies to the agreement.

In addition, where financial entities enter into agreements in relation to critical or important functions, they must establish an exit strategy that takes into account the risks that may emerge in relation to the arrangement. Here too, the exit strategy will require sufficient detail and shall include at least contractual clauses requiring the minimisation of disruption to the financial entity’s activities, to be achieved without circumventing or limiting the compliance requirements and without any detriment to the continuity and quality of the service provided to the financial entity’s customers. Logically, this can only be achieved by ensuring a sufficient level of assistance from the ICT Provider; it is therefore crucial to agree on the necessary levels of cooperation, including the liabilities that may arise from non-cooperation.

Exit strategies shall further include provisions on how data is to be treated in the event of termination and exit, both during the exit process and after exit. We provide some insights on data handling below.

ICT subcontractors 

The provision of ICT services to financial entities in many, if not almost all, cases depends on a complex ICT subcontracting chain, whereby ICT Providers may rely on a number of subcontracting arrangements with other providers. Relying on ICT Providers and ICT subcontractors may affect a financial entity’s ability to identify, assess and manage its risks, including the risks connected to a lack of information provided by ICT Providers and a limited ability to obtain information from ICT subcontractors – and yet again, this does not reduce the responsibilities of financial entities. The “know-your-subcontractor” concept is not new, but here again DORA and the regulatory technical standards mandated by its Article 30.5 (the “Draft RTS”), still only in draft form, provide a number of detailed requirements that go further than we have seen before. These requirements, although applicable to financial entities, will have a huge impact on ICT Providers and their subcontractors, because they will need to make many adjustments, both operationally and contractually.

DORA requires a clear and complete description of all functions and ICT services to be provided by the ICT Provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and what conditions will apply to such subcontracting. Further, where the provision of ICT services to financial entities depends on a potentially long or complex ICT subcontracting chain, whereby several subcontractors may be involved, each providing a part of the ICT service that supports a critical or important function, financial entities are required to monitor the entire subcontracting chain of ICT Providers in order to identify and monitor all the subcontractors that effectively provide the ICT service supporting critical or important functions.

Financial entities, being responsible for compliance with these extensive requirements, shall ensure that they have a clear and holistic view of the risks associated with subcontracting, and be in a position to properly monitor, manage and mitigate the risks that may affect the provision of the subcontracted ICT services supporting critical or important functions. Financial entities should have appropriate processes in place, directly or indirectly through their ICT Providers, to address the relevant risks that may impact the provision of ICT services supporting critical or important functions, in accordance with their contractual arrangements with ICT Providers. In order to identify the risks, financial entities shall assess various parameters, set out as a minimum requirement in Article 3 of the Draft RTS, inter alia:

  • whether the ICT Provider has implemented due diligence processes for its subcontractors,
  • whether the ICT Provider is able to involve the financial entity in the decision-making in relation to the subcontractors,
  • whether the relevant clauses of the contractual agreement between the financial entity and the ICT Provider are replicated, as appropriate, in the contractual agreements between the ICT Provider and its subcontractors, and
  • whether the ICT Provider itself has adequate abilities, expertise, financial, human and technical resources, applies appropriate information security standards, and has an appropriate organisational structure, including risk management and internal controls, incident reporting and response, to monitor its subcontractors, etc.

Further, Article 4 of the Draft RTS sets out the conditions under which ICT services supporting a critical or important function may be subcontracted.

All of this requires that contractual agreements between financial entities and ICT Providers reflect these requirements, in a manner appropriate for each financial entity, based on the identified risks and the due diligence of the ICT Provider.

Handling of data

Handling of data, both personal and non-personal, remains one of the main issues when using third-party providers. Accordingly, DORA sets out a number of requirements for data handling, for example: defining the locations where contracted and subcontracted ICT services are to be provided and where the data is located, together with a notification requirement for changes to those locations; provisions on availability, authenticity, integrity and confidentiality in relation to the protection of personal and non-personal data; and provisions ensuring access, recovery and return of data in the event of insolvency, resolution or discontinuation of the business operations of the ICT Provider, or in the event of termination of the agreement. The requirements are specifically set out in Article 30.2 and are in line with the EU General Data Protection Regulation (EU) 2016/679 (GDPR).

What happens next?

Less than eight months are left until DORA starts to apply. If you are a financial entity, hopefully you have already done your DORA gap analysis and can move on to handling the gaps, of which handling ICT Provider risk and the contractual agreements with ICT Providers is a part. Focus on mapping the contracts and determining which ones support a critical or important function, and then review those agreements to identify what needs to be adjusted to meet DORA’s requirements.

If you are an ICT Provider, do not underestimate how extensive this work can be. You will need to understand what kind of customers you have and, based on that, what may need to be adapted in your agreements, your internal operational procedures and your procedures and agreements with your subcontractors, in order to comply with the requirements that will apply from 17 January 2025 when DORA starts to apply.
