DORA – what do in-house lawyers need to know about the recent Regulatory Technical Standards (supplementing DORA)?

Written By

Jonathan Emmanuel

Partner
UK

I am a partner in the Tech Transaction team and Co-Head of our International Financial Services Sector Group, based in London. I advise clients on disruptive digital technology adoption including cloud computing, AI, blockchain, agile software development and open source licensing, with a particular focus on FinTech.

Gavin Punia

Partner
UK

I am a senior financial services regulatory specialist with a particular focus on advising firms who are digitally transforming the way financial services are being delivered.

Kuba Ruiz

Senior Counsel
Poland

I am a senior counsel in the Commercial Group in Warsaw. I focus on major IT and commercial projects and transactions, as well as developing my dispute resolution practice. I also advise on financial sector regulatory issues relating to pan-European payments and fintech projects, including outsourcing and cloud computing.

According to the EU Digital Operational Resilience Regulation 2022/2554 (DORA):

  • FS entities (as defined below) may only contract ICT services supporting their critical or important functions if the relevant ICT third party service providers follow the most up-to-date and highest quality information security standards.
  • FS entities are obliged to assess particular risks related to ICT services and their providers before they enter into contractual arrangements.
  • RTS (as defined below) issued under DORA provide details of the required due diligence assessment, of contracting, and of securing exit from the contractual arrangement.

What is a regulatory technical standard and why is it important?

DORA refers to certain “regulatory technical standards” (each an RTS) that are to be issued by European Supervisory Authorities (ESAs) and are intended to set out in more detail and/or expand upon some of DORA’s requirements.

ESAs submit the relevant RTS to the European Commission (Commission) which is then empowered to supplement DORA by adopting the RTS. Each adopted RTS is issued by the Commission as a Delegated Regulation (each a Delegated Regulation).

As of 1 July 2024, there are multiple draft RTS that have been issued but only three have been adopted as Delegated Regulations – see below.

Each Delegated Regulation is directly binding on the financial entities that need to comply with DORA (being a wide range of EU-regulated financial entities including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, insurers and insurance brokers, as listed in Article 2(1) of DORA) (together, the FS entities). Therefore, they must be carefully considered (and complied with) by FS entities!

What are the three Delegated Regulations relevant to DORA?

On 25 June 2024, the following Delegated Regulations, supplementing DORA, were published in the Official Journal of the European Union (OJEU). Each of these Delegated Regulations enters into force on the 20th day following its publication in the OJEU.

  • Commission Delegated Regulation (EU) 2024/1772 supplementing DORA with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
  • Commission Delegated Regulation (EU) 2024/1773 supplementing DORA with regard to RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; and
  • Commission Delegated Regulation (EU) 2024/1774 supplementing DORA with regard to RTS specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

Scope of this article

This short article summarises the key principles set out in Commission Delegated Regulation (EU) 2024/1773 (DR 2024/1773). DR 2024/1773 is important to in-house lawyers advising FS entities because it relates to the key issues FS entities need to consider in order to assess ICT risk when entering into, monitoring, and exiting contracts with ICT third party service providers providing ICT services supporting critical or important functions.

The other two Delegated Regulations referred to above are also important, but the focus of this article is the impact the relevant Delegated Regulation has on the contractual arrangements the FS entity is entering into with the relevant ICT third party service provider. (The other two Delegated Regulations are more focused on operational/security risk management arrangements.)


DR 2024/1773 – the FS entity needs a policy in place to assess ICT third party service provider risk 

Article 6(1) of DORA requires FS entities to have in place a “sound, comprehensive and well-documented ICT risk management framework” which enables them to address ICT risk “quickly, efficiently and comprehensively” so that a high level of digital operational resilience is ensured. ICT risk management is particularly important in respect of ICT third party service providers supporting an FS entity’s critical or important functions.

As part of the overall risk management framework envisaged by Article 6(1) of DORA, and as set out in Article 28(2) of DORA, DR 2024/1773 requires each FS entity to have in place a strategy on ICT third-party risk, which must include a policy governing the contracting for ICT services supporting critical or important functions provided by ICT third party service providers (the policy). Furthermore, according to Article 28(5) of DORA, FS entities may only enter into contractual arrangements for ICT services supporting critical or important functions if the relevant ICT third party service providers follow the most up-to-date and highest quality information security standards, and this needs to be duly assessed before entering into any relevant contractual arrangements.

DR 2024/1773 sets out the key principles (Key Principles) that the policy should include so that the FS entity is able to identify, assess and manage ICT risk associated with the ICT third party service provider supporting a critical or important function during all phases of the contracting lifecycle: the pre-contracting phase, the term of the contract, and the end/termination of the contract. The Key Principles apply to all ICT third party service providers, including where they are group companies of the FS entity, and also to subcontractors of ICT third party service providers that provide ICT services supporting critical or important functions or material parts thereof.

It is important that the Key Principles are included in the policy and properly considered by the relevant FS entity when contracting with the relevant ICT third party service provider, so that it can show to regulators, if audited by them, that it has undertaken appropriate due diligence of its ICT third party service providers, that it can appropriately monitor them during the term of the relevant contract, and that it has appropriate measures in place to ensure an orderly transfer of the relevant ICT services to a replacement supplier on termination or expiry of the relevant contract.

DR 2024/1773 is also of importance to ICT third party service providers because, if they are unable to adequately address the Key Principles, FS entities may not wish to contract with them.

The Key Principles will be relevant to new contracts the FS entity wishes to enter into and to existing contracts the FS entity has in place as at the date DORA comes into force (17 January 2025) (Existing Contracts).

What needs to be included in the policy?

Below is a summary of the Key Principles that need to be captured (and dealt with by the FS entity) in the policy. For further information we recommend you review the relevant Articles of DR 2024/1773, including the Articles we refer to below:

DR 2024/1773 Article reference and comment
Risk assessment (Article 5)
  • The FS entity must undertake a risk assessment of the ICT third party service provider supporting critical or important functions before a contract is entered into with it.
  • The risk assessment should assess the risks associated with the provision of the relevant ICT services, including operational risks, legal risks, ICT risks and reputational risks.
  • This means a careful review of the contract will be required so that the FS entity can understand which elements of the requirements set out in Article 30 of DORA are met by the relevant contract and which elements are missing, and determine whether this “gap” is acceptable, in accordance with the principle of proportionality. See our separate article on this principle.
  • This risk assessment will need to be re-run for any Existing Contracts.
Due diligence (Article 6)
  • The policy should set out the details of an appropriate due diligence process that must be undertaken by the FS entity to assess the ICT third party service provider before a contract is entered into.
  • The due diligence process must consider various factors, including:

    • Does the ICT third party service provider have the ability to monitor technological developments and identify ICT security leading practices and implement them in order to mitigate ICT risks (e.g. cyberthreats)?
    • Is the ICT third party service provider using any subcontractors?
    • Is the ICT third party service provider located, or is it processing or storing FS entity data, in a third country and does this create concerns from an operational or reputational risk perspective?
    • Does the ICT third party service provider consent to the conduct of audits (including onsite audits)?

  • This due diligence process will need to be re-run for any Existing Contracts.
Conflicts of interest (Article 7) 
  • The policy should set out appropriate measures to identify and deal with any actual or potential conflicts of interest arising from the use of the ICT third party service provider; these measures must be undertaken before the FS entity enters into a contract with it.
  • In particular, where the ICT third party service provider is a group company, the policy should specify that decisions, including in respect of the terms governing the financials of the deal, must be taken “objectively”.
  • This means agreements with ICT third party service providers must be entered into at arm’s length.
Contractual clauses (Article 8)
  • The policy must state that the relevant contract between the ICT third party service provider and the FS entity must be in written form and include “all the elements referred to in Article 30(2) and (3)” of DORA.
  • This requirement to transpose the requirements of Article 30 (relating to ICT third party service providers providing ICT services supporting critical or important functions) is subject to the principle of proportionality.
  • Article 8 acknowledges that it may not always be possible for the FS entity to obtain audit rights over the ICT third party service provider’s relevant business premises in order to meet the access, inspection and audit rights envisaged by Article 30(3)(e) of DORA. In such circumstances it may be permissible to rely on pooled audits and pooled ICT testing, on third party certifications, or on internal/third party audit reports made available by the ICT third party service provider. This is helpful to know, as direct rights of audit and inspection of the ICT third party service provider’s relevant business premises may not be practical, especially where the provider delivers SaaS services to multiple customers from one data centre and direct access to such premises may be refused on the grounds that it would be disruptive to the provider’s business operations.
  • It should be noted that reliance on third party certifications and audit reports is only permitted where the conditions in Article 8(3) are met. For example:

    • Where the FS entity is satisfied with the audit plan of the ICT third party service provider relating to the relevant contract.
    • Where the FS entity ensures that the scope of the certifications or audit reports covers the systems and key controls identified by it and ensures compliance with relevant regulatory requirements.

  • The policy must ensure that material changes to the contract are formalised in a written agreement which is dated and signed and which specifies the renewal process for the contract. It is therefore important that the FS entity agrees an appropriate amendment agreement to the relevant contract it has with the ICT third party service provider each time there is a material change to the contract.
Monitoring of the contractual arrangements (Article 9) 
  • The policy should specify the measures and key indicators used to monitor, on an ongoing basis, the performance of the ICT third party service provider, including in relation to compliance with the requirements regarding confidentiality, availability, integrity and authenticity of data and information, and compliance with the FS entity’s relevant policies and procedures.
  • This links to Article 30(2)(c) of DORA, which states the contract must include appropriate provisions relating to the “availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.” This requirement could be satisfied through the provision of service level availability reports and compliance with the FS entity’s information security standards.
  • The policy shall specify the measures that apply when SLAs are not met, including contractual penalties (e.g. service credits, provision of SLA reports, obligations to create and implement a remedial plan, and termination rights).
  • The policy shall specify the measures that enable the FS entity to monitor overall performance in line with the contract. For example (and these should be considered in the contract):

    • Provision of reports (e.g. service level reports, ICT security reports, BCDR reports including in relation to the output of BCDR tests, exit plan reports including in relation to the output of any exit plan tests).
    • Notification obligations on the ICT third party service provider in relation to failure to perform and delays in performance.
    • The ability for the FS entity to audit the ICT third party service provider’s compliance with the terms of the contract.

  • The policy shall establish the appropriate measures that the FS entity is to adopt if it identifies shortcomings of the ICT third party service provider, including in relation to compliance with the contract. For example:

    • Obligations to rectify the breach.
    • Obligations to create a remedial plan which needs to be signed off by the FS entity and then implemented in accordance with its terms.
    • Enhanced monitoring rights provided to the FS entity to ensure further shortcomings do not occur.
Exit from and termination of the contractual arrangements (Article 10) 
  • The policy shall contain requirements for a documented exit plan for each contract and for its periodic review and testing.
  • This aligns with the requirements of Article 30(3)(f) of DORA, which sets out exit-related requirements to be included in the contract. Issues to consider are:

    • Is there an exit plan that has been agreed at the date of the contract or shortly thereafter?
    • Does the contract specify what the exit plan needs to cover (if it needs to be agreed shortly after execution of the contract)?
    • Is there a process governing the acceptance of the exit plan and regular testing of it to ensure there will be an orderly transfer of the services to the replacement supplier (which may include the FS entity)?

The requirements of DR 2024/1773 provide a helpful checklist of the key areas that FS entities need to consider during the key phases of a contractual relationship with an ICT third party service provider, namely: pre-contract issues around due diligence and risk assessment (Articles 5 and 6), issues relating to how to monitor an in-flight contract (Articles 7, 8 and 9), and finally issues to consider when terminating a contract (Article 10).

It is worthwhile for FS entities to closely review its contents, as the areas it requires the relevant policy to include will affect the terms that need to be agreed in the contract with the relevant ICT third party service provider.

Our Fintech team will be monitoring next steps and shall keep you up-to-speed with the latest developments regarding DORA implementation.
