Digital Operational Resilience – getting your contracts remediated for DORA
Now that the European Union’s Digital Operational Resilience Act (“DORA”) has been adopted and the European Supervisory Authorities have begun the process of developing the relevant underlying technical standards, companies who provide financial services in the EU need to understand how DORA could impact them, and in particular their contract remediation processes and outcomes.
This insight provides an overview of the implications DORA has for ICT contracts entered into by financial services firms. It focuses on the specific DORA contract requirements and remediation processes.
Background to DORA
DORA is a broad piece of legislation, aimed at increasing the resilience of the financial services sector by ensuring firms are able to withstand and recover from all types of technology related disruptions and threats.
A key part of DORA is the requirement for specific contractual terms to be included in each agreement with suppliers of information and communications technology (“ICT”) services. The requirements are similar to those that exist under other regulation and guidance, such as the European Banking Authority ‘Guidelines on outsourcing arrangements’ (“EBA Guidelines”). However, as the requirements are not fully aligned, regulated firms will need to ensure their ICT contracts are remediated to include the mandatory DORA contractual terms.
Extraterritorial and intragroup effects and financial services industry providers
Where a non-EU parent company contracts for services to be provided by third-party ICT service providers to group entities within the scope of DORA, e.g., under global framework or master services agreements, those services will have to be DORA-compliant, even if procured outside the EU.
It is also important to note that, for the purposes of DORA, ICT third party service providers include any intragroup entity that provides predominantly ICT services to financial entities within the same group. In our experience, regulated firms sometimes overlook the application of current outsourcing and operational resilience regulatory requirements to intragroup providers, including those established in offshore or nearshore locations. The consequences of non-compliance with DORA raise the stakes for firms in these situations.
DORA also applies to financial services entities that provide ICT services to other financial services entities – a relatively common model in this sector.
Senior management responsibility
Compliance with DORA is ultimately the responsibility of the board or management body of the regulated firm. Senior management will therefore be tasked with, and responsible for, all aspects of DORA compliance, including the contract remediation processes and outcomes covered in this note.
Among the sanctions and remedies for DORA non-compliance, DORA requires EU Member States to provide for individual civil liability for board and management body members and will also allow Member States to provide for criminal liability for such members.
How it differs from the EBA Guidelines
A key difference between DORA and the EBA Guidelines is that DORA applies to contracts for all “ICT services”, not only to outsourcings. The term “ICT services” is defined very broadly, capturing "digital and data services… on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates".
Therefore, even if a firm remediated its contracts for compliance with the EBA Guidelines, other contracts will now be in scope (and additional provisions will likely be needed, even for those EBA remediated contracts).
Given the very broad definition of "ICT services", one of the main challenges for firms will be to determine whether a contract is either primarily for ICT services or other services where the delivery or part of the delivery is by an ICT service, e.g., a contract for vending machine services with IoT capability and other digital connectivity. In this example, it would likely be reasonable to assume that a vending machine service contract is not within the scope of DORA. But there will of course be more difficult questions about other ICT-enabled services that firms will need to resolve.
Timeline
Following DORA's entry into force on 16 January 2023, in-scope regulated firms now have until 17 January 2025 to ensure they meet the latest contractual requirements.
Mandatory contractual terms
DORA does not prescribe specific terms to be copied into all ICT contracts, but instead (much in the way we have seen before) sets out requirements the contract must address. Article 28 sets out an extensive list of general principles to be applied for ICT third-party risk management and Article 30 provides a list of key contractual provisions that are to be included in ICT contracts (broken down to provide additional requirements for ICT contracts supporting "critical or important functions").
A "critical or important function" is defined to mean a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
Mandatory provisions required under DORA Article 30(2)(a) – (i) for all ICT contracts, summarised broadly, are:
- ICT services description and sub-contracting: setting out a clear and complete description of the services and whether subcontracting supporting critical or important functions is permitted, and if so under what controls.
- Services and data location: documenting the locations (regions and countries) where the services are to be provided and where data is stored and processed, and notification obligations of proposed changes.
- Data availability, integrity and data protection: appropriate provisions on the availability, authenticity, integrity and confidentiality of data, including the protection of personal data.
- Access to data: rights of access to data in the event of insolvency, service interruption or termination of the contractual arrangements, including the recovery and return of data in accessible formats.
- Service level specifications: clear descriptions of service levels, including updates and revisions thereof.
- ICT incidents: an obligation on the ICT provider to assist at no additional cost (or a cost determined ex-ante) if an ICT incident occurs that is related to the ICT services provided.
- ICT third-party co-operation: obligations on the ICT provider to fully cooperate with appropriate regulators of the financial entity.
- Termination rights: appropriate termination rights and notice periods, in accordance with expectations of regulators of the financial entity.
- Security awareness and training: requirements for the ICT provider to participate in the firm's ICT security awareness programmes and digital operational resilience training.
Mandatory provisions required under DORA Article 30(3)(a) – (f) for ICT contracts supporting critical or important functions, summarised broadly, are:
- Full service level descriptions: a full service level description, including precise quantitative and qualitative performance targets to allow for the effective monitoring of the service and to enable appropriate corrective actions to be taken.
- Notice and reporting obligations: clear notice and reporting obligations, including in relation to any developments that might have a material impact on the ICT provider's ability to provide the services in accordance with the contract.
- Business contingency planning: obligations on the ICT provider to implement and test business contingency plans, and to implement appropriate ICT security measures in line with the financial entity's regulatory framework.
- Penetration testing: requirements for ICT providers to participate and fully co-operate in the firm's threat-led penetration testing.
- Rights to monitor: a right to monitor the ICT provider's performance on an ongoing basis, including through unrestricted rights of audit, the provider's full co-operation in such monitoring and audits, and other appropriate assurances.
- Exit arrangements: firms must be able to exit, and receive transitional services and migrate services under, all contracts without disruption to their business activities or detriment to the continuity and quality of services provided to clients, or impacting their compliance with regulatory requirements. Exit plans must also be comprehensive, documented and sufficiently tested and reviewed periodically.
DORA also requires that the contract is included in one written document and is available to the parties on paper, or in a document with another downloadable, durable and accessible format.
Beyond the contract
In addition to the wide-ranging governance and reporting obligations under DORA, firms must adopt a separate policy addressing compliance with the contractual requirements for third-party ICT services supporting critical or important functions. They must also maintain a register of all third-party ICT services arrangements (similar to the register of material outsourcings, broken down to distinguish between those ICT services that support critical or important functions and those that do not).
If you wish to discuss other aspects of DORA, e.g., developing a suitable ICT risk management framework, maintaining a detailed register and reporting requirements, we would be happy to do so.
Proportionate approach
DORA allows for a proportionate implementation of the required measures, based on a number of factors, such as a firm's size and overall risk profile, the nature, scale and complexity of its services and the degree of dependency on and criticality of the third-party services.
This means that more complex and/or extensive ICT services require a more detailed approach.
The remediation process
Impacted firms need to take a systematic approach to remediating their ICT contracts before 17 January 2025, or as soon as possible thereafter.
The process should include the following key steps:
- Identify all contracts for ICT services and categorise those that support critical or important functions, including those subject to the extraterritorial and intragroup provisions outlined above.
- Identify amendments required to meet the mandatory DORA requirements, and engage with suppliers to agree the necessary variations, ideally, where practicable, applying DORA-compliant contractual provisions developed by the firm itself.
- Update templates and playbooks to ensure all future contracts entered into comply with the relevant DORA requirements.
Possible considerations
For off-the-shelf standard contracts, firms should consider whether the supplier is likely to offer its own standard DORA terms (possibly on a "take it or leave it" basis). Whilst some ICT suppliers will implement self-serve options, firms may need to request that these are put in place with other smaller providers.
Preparing a contract addendum or side letter may be the most efficient method of remediation, which can then be adapted for individual ICT contracts and negotiated on a standalone basis.
For some relationships, or where the volume and/or timings dictate a more pragmatic approach, firms could seek to unilaterally impose additional terms to plug any gaps (although only after they have weighed up the risks and benefits of this approach).
Key contacts
The Stephenson Harwood team has a wealth of experience supporting firms on their contract remediation programmes and advising on strategy and approach. We also support suppliers in navigating these requirements and have a unique understanding of how the market settles on acceptable terms.