Information and communication technology (ICT) use in the financial services (FS) sector has become pervasive: from the digitalisation in payments spearheaded by open banking reform to digital transformation of back office and critical functions as more and more FS regulated entities adopt cloud services. It’s so prevalent that we now have subsectors within the FS sector devoted to the cross-over between FS and tech: from Fintech and Insurtech to Wealthtech!
FS regulated entities are racing to keep up to date with constantly evolving technology systems but as these entities increase their technology adoption they are increasing their risk exposure to technology. For example, as more and more of these entities use cloud services this increases the risk relating to access to their data and networks by threat actors and hostile nation-states.
The EU is concerned because there is currently no harmonised approach governing how FS regulated entities should monitor the resilience of the ICT systems they rely upon to avoid these ICT-related risks such as cyber-attacks and downtime disruption. Concentration risk in certain technology sectors such as cloud infrastructure is also a concern and an incident involving one critical service provider may affect the entire EU financial system.
This creates risks as FS regulated entities lack clear guidance on how best to evaluate and mitigate ICT risk. This leads to inconsistent approaches (which may not be best practice), legislative disparities and inconsistent supervision from regulators which further compounds the problem.
The EU Digital Operational Resilience Regulation 2022/2554 (DORA) is part of the EU’s Digital Finance Package. It aims to plug this regulatory gap by providing FS entities (as defined below) with clarity on the digital operational resilience requirements the EU expects them to comply with in order to manage cyber threats and ICT security. This extends to the requirements that need to be incorporated into contracts between FS entities and their ICT third party service providers.
This short article focuses on what FS entities need to consider incorporating into their contracts with ICT third party service providers. It is a must read for FS entities and ICT third party service providers – both these parties are widely defined!
DORA is an EU regulation that has entered into force and will apply as of 17 January 2025 and will be directly applicable in all EU Member States.
It is also worth noting that certain “regulatory technical standards” (as referred to in DORA) will be issued by European Supervisory Authorities (ESAs) that will set out in more detail and/or expand upon some of DORA’s requirements including in respect of how a critical ICT third party service provider is defined, ICT-related incident reporting thresholds and ICT system testing requirements.
FS entities will need to ensure all of their contracts with ICT third party service providers for the provision of ICT services meet the requirements of DORA (as set out in Articles 28 and 30) on or before 17 January 2025. This will be a lot of work, especially as it relates to updating existing contracts. Many clients we’re advising are adopting a risk-based approach, dealing with the most important in-scope contracts first, but this leaves a rump of contracts that may not be updated in time. It remains to be seen what the regulatory response will be to such technical non-compliance and whether there will be a practical grace period for FS entities, but local EU regulators are likely to hold powers to take enforcement action against non-compliance and so it is sensible for FS entities to ensure compliance by 17 January 2025.
It applies to a wide range of EU-regulated financial entities including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and insurance, including their agents, and reinsurance undertakings, as listed in Article 2(1) of DORA (together the FS entities).
It is worth noting that DORA will also apply to parent companies based outside the EU that procure ICT services on a group-wide basis (where the group companies benefiting from the ICT services include EU-regulated firms that fall within the FS entities definition). So, clients should watch out for group-wide agreements and ensure they are also remediated where applicable.
FS entities need to comply with DORA.
Having said that, there is a degree of flexibility afforded to FS entities when implementing the DORA requirements in accordance with the principle of proportionality. FS entities are to implement compliance with DORA taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
What does proportionality mean in practice? DORA sets out certain contractual requirements (as defined below) that need to be met. DORA also sets out various pre-contractual due diligence steps that a FS entity needs to undertake in order to assess ICT risk in contracts between it and ICT third party service providers. Following completion of these steps a FS entity will have a better understanding of the ICT risks associated with such contracts and can then, in accordance with the principle of proportionality, determine based on their risk assessments whether or not they need to require the contract with the ICT third party service provider to include all the relevant requirements of Article 30 or not. For example and for illustration purposes only: Article 30(2)(b) states the contract between the FS entity and any ICT third party service provider has to include “the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations.” It may not always be practical for this level of detail to be provided in the contract and the FS entity, based on its risk assessment of the scope of ICT services being provided under such contract, may be comfortable with more high-level language stating that the ICT third party service provider may provide the “Services” from certain countries (specified in the contract) and “such other locations as the supplier may notify the customer in advance from time to time”.
However, although a more proportional approach to these requirements would be welcomed by the ICT third party service providers contractually opposite FS entities, there is a corresponding challenge for ICT third party service providers because DORA is a new EU regulation which imposes specific legal requirements on FS entities and so many FS entities might not be willing to take this more pragmatic approach. Instead, there is a risk that many FS entities transpose the DORA requirements as-is into contracts (as that is the safest way to ensure compliance) which causes challenges for ICT third party service providers.
Except for critical ICT third party service providers (please see below on this), DORA doesn’t apply to ICT third party service providers directly, but they will need to be very familiar with its requirements because it requires FS entities, as a matter of law, to incorporate into their contracts with ICT third party service providers various rights and obligations (contractual requirements). This is different to the requirements of, for example, the EBA Guidelines on outsourcing arrangements (EBA Outsourcing Guidelines) which operate as guidance for in-scope regulated financial entities.
ICT third party service providers is a broad term covering a wide range of suppliers including providers of cloud services, data analytics services, digital managed services and data centre services. ICT third party service providers include an entity within a FS group of companies that provides ICT services predominantly to other group companies and/or any FS entity that provides ICT service to other FS entities.
Article 30 relates to contracts between the FS entity and the ICT third party service providers for the provision of ICT services. The definition of ICT services has been deliberately drafted broadly (encompassing “digital and data services provided through ICT systems”) to cover all types of ICT services.
There is no one-size-fits-all answer to this question unfortunately! It is true that since ICT services have become so pervasive some of our clients are struggling with delineating between what is an ICT service that needs to be considered in light of DORA and what is not. This is particularly complex when ICT services are provided as an ancillary or incidental part of an overall non-ICT service. For example, if a FS entity enters into a contract with a supplier for the delivery of food via an online platform, does this mean the contract is in-scope? Where the service procured is the provision of food not ICT services, but the ordering of that food is via a digital platform (i.e. ICT service), then it is not unreasonable to assume such an agreement is not intended to fall in scope of DORA.
It is likely that FS entities will need to go through each vendor contract and, on a case-by-case basis, make these types of determinations – no easy task especially given the deadline for compliance is fast approaching.
The contractual requirements apply to any contract for the provision of ICT services.
Article 30(2) sets out some general requirements to be included in any contract for the provision of ICT services between a FS entity and ICT third party service provider.
Article 30(3) then includes further requirements where the ICT services support a critical or important function of the FS entity. A “critical or important function” means a function, the disruption of which would materially impair the financial performance of a FS entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
Unlike the EBA Outsourcing Guidelines, the contractual requirements apply to any agreement for the provision of ICT services between the FS entity and ICT third party service provider (whether or not it is an outsourcing). It is also important to note that DORA (like the EBA Outsourcing Guidelines) includes intra-group ICT service arrangements.
The contractual requirements are not very different to existing regulatory requirements imposed by the EBA Outsourcing Guidelines. This is acknowledged in DORA where it states “…Those principles [the contractual requirements] are complementary to the sectoral law applicable to outsourcing.”
One of the frequently missed new contractual requirements imposed by DORA is the requirement to document ICT arrangements in one written document available to the parties on paper, or in a document with another downloadable, durable and accessible format.
In other words, there will be no, or very limited, possibility to refer to external policies, or terms and conditions, that would not be physically included into the ICT agreement. This may require ICT third party service providers to change the entire format and architecture of their client contractual documentation.
Article 30(2) sets out nine requirements that need to be included in all contracts between FS entities and ICT third party service providers providing ICT services.
The good news is there is a lot of overlap between these requirements and existing requirements set out in the EBA Outsourcing Guidelines. So, the requirements should not be new to FS entities.
The difference is Article 30(2) needs to be complied with even if the contract for the provision of ICT services relates to supporting non-critical or important functions of the FS entity.
Having said that, the requirements (summarised at a high level below) are the types of requirements you would expect to see in an ICT services agreement:
Reference | Topic | Summary |
Article 30(2)(a) | Services and subcontracting | This relates to having clarity on the scope of the services and the subcontracting arrangements. The contract needs to include a complete description of the ICT services including whether subcontracting of ICT services (supporting a critical or important function) is permitted and, if so, any conditions applicable to such subcontracting. |
Article 30(2)(b) | Data location | This relates to data location. The contract needs to specify the locations where the contracted/subcontracted ICT services are to be provided and where data is to be processed. The ICT third party service provider is required to notify the FS entity in advance of any changes to such locations. |
Article 30(2)(c) | Data treatment | This relates to the treatment of data. The contract needs to include provisions dealing with the availability, authenticity, integrity and confidentiality of data (including personal data). |
Article 30(2)(d) | Access to data | This relates to the FS entity’s ability to access data including on termination. The contract needs to include provisions for ensuring the ability to recover data (including personal data) processed by the FS entity in the event of insolvency, resolution or discontinuation of the business operations of the ICT third party service provider or on the termination of the contract. |
Article 30(2)(e) | Service levels | This relates to the contract having appropriate service levels (e.g. uptime, response times, fix times). |
Article 30(2)(f) | ICT incidents | This relates to assistance provided in the event of an ICT incident. The contract needs to include provisions relating to the obligation of the ICT third party service provider to provide assistance to the FS entity in respect of an ICT incident that relates to the ICT services provided to the FS entity (at no additional cost or based on a pre-agreed cost). |
Article 30(2)(g) | Cooperation | This relates to the ICT third party service provider’s cooperation obligations. The contract needs to include provisions relating to the ICT third party service provider’s obligation to cooperate with the FS entity’s local regulators (including persons appointed by such regulators). |
Article 30(2)(h) | Termination | This relates to the termination provisions that need to be included in the contract. |
Article 30(2)(i) | Security awareness | This relates to obligations on the ICT third party service provider to participate in the FS entity’s security awareness programmes and digital operational resilience training. |
In addition to the Article 30(2) requirements, where a FS entity enters into a contract with an ICT third party service provider for ICT services supporting a critical or important function, the FS entity needs to comply with Article 30(3). This sets out more onerous requirements, some of which may prove challenging for FS entities to incorporate into their contracts. For example:
Article 30(4) of DORA anticipates that “standard contractual clauses” may be developed to help companies with compliance with the requirements of Article 30 but, as yet, none have been published.
For bespoke arrangements FS entities may seek to update their agreements with ICT third party service providers on a case by case basis via an amendment.
Alternatively, they may seek to impose a “DORA addendum” that seeks to update and amend the terms of any ICT services agreement in order to meet the requirements of DORA (and the parties agree the DORA addendum would take precedence over the underlying agreement it is amending).
In addition, in order to be proactive, we anticipate ICT third party service providers seeking to impose their own supplier-friendly “DORA addendum” that they will argue meets the key requirements of DORA.
DORA establishes an “oversight framework” for all critical ICT third-party service providers to FS entities because the EU deems that such providers have become critical to the stability and integrity of the EU’s financial system. The increasing, widespread reliance on services supplied by critical ICT third-party service providers, combined with the interdependence of IT systems across different market infrastructures, creates a direct, and potentially severe, risk to the EU’s financial services system and to the continuity of delivery of financial services in the EU if critical ICT third-party service providers were to be affected by operational disruptions or major cyber incidents.
A particular ESA will be appointed as Lead Overseer for each critical third-party ICT service provider. Lead Overseers will hold significant supervisory powers including the power to carry out investigations, onsite and offsite inspections at critical ICT third-party service providers, access all relevant premises and locations and ask for information from these types of providers for the purposes of monitoring and managing any impact of the ICT third-party risk posed to FS entities and ultimately to the EU’s financial system.
The ESAs will designate ICT third-party service providers that are “critical” for FS entities based on the specific criteria which will be adopted by the European Commission as a delegated act. The ESAs published a draft of these criteria in February 2024.
Those ICT third-party service providers designated as critical by an ESA are required to maintain an adequate business presence in the EU and if they are not already located in the EU, they will need to incorporate a subsidiary in the EU within 12 months of such designation. The requirement for a designated critical ICT third-party service provider to set up a subsidiary in the EU should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the EU. Also, DORA does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the EU.
There is no doubt that DORA is a hot topic for many FS entities as they prepare for the date it comes into force early next year. Many FS entities may struggle to be fully compliant before this date and so may be in technical breach. It is unclear how the regulators will respond to this. Initially, due to the enormous scale of the ICT contractual landscape covered by DORA, ESAs may be slow in carrying out audits of FS entities’ compliance with DORA contractual requirements. However, given that non-compliance may result in severe regulatory consequences (for FS entities, depending on the local enforcement laws, this may end up in a decision to terminate non-compliant contracts, personal liability of FS entities’ managers responsible for ICT operational resilience and DORA compliance, financial penalties or even, at the most severe end of the scale, loss of the licence required to perform the financial activities), we recommend FS entities start by mapping out all their contracts they think will be captured by DORA (and don’t forget contracts procured by an entity outside the EU for the benefit of entities in the EU) and then focusing on the contracts where the ICT services are supporting a critical or important function. We then advise that FS entities create their own set of DORA compliant contractual terms – either for direct use with the ICT third party service provider or as a reference when the latter offers their own contractual terms to meet DORA. The sooner the process is completed the greater the chance of achieving the required compliance before January 2025.