From 17 January 2025, the DORA Regulation [Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022] on digital operational resilience in the financial sector will apply throughout the European Union (EU).
What is the purpose of the Regulation, and what are the main organisations affected?
With the aim of harmonising the rules on operational resilience and cybersecurity regulation in the EU, the DORA Regulation establishes uniform requirements for the security of network and information systems of companies operating in the financial sector (such as banks and insurance companies).
Although primarily aimed at financial entities, the Regulation's rules also have a direct impact on companies in the technology sector that provide ICT services to these entities, such as cloud service providers, software suppliers and data centres.
In particular, the Regulation contains a set of provisions that determine the content of contracts signed between financial institutions and their ICT service providers.
What are the main obligations applicable to contracts between financial organisations and their ICT service providers?
The Regulation establishes minimum elements that must be included in these contracts, which must be concluded in writing:
- A clear and complete description of the ICT functions and services that will be provided;
- Whether or not subcontracting of ICT services is permitted and, if so, the conditions applicable to subcontracts;
- Locations where functions and services will be provided;
- Data protection provisions;
- Service level descriptions (SLA), including updates and revisions;
- Obligation for the provider to provide assistance in the event of an ICT-related incident;
- Obligation to co-operate with the competent authorities and the financial institution;
- Termination rights and adequate minimum notice periods;
- Provisions on ICT security awareness and training for providers.
In contracts for ICT services in support of "critical or important functions" of the financial organisation, the Regulation requires additional clauses that provide, inter alia:
- Complete descriptions of the service level, with quantitative and qualitative performance targets;
- Notification periods and notification obligations regarding developments that may have a material impact on the services provided;
- Obligations to test operational contingency plans, security and co-operation policies;
- The financial institution's right to monitor the performance of service provision;
- Definition of exit strategies with a mandatory transition period that reduces the risk of disruption to the financial entity.
Technical regulations on subcontracting ICT services
In July 2024, the European Supervisory Authorities (ESAs) published the Final Report on the draft Regulatory Technical Standards (RTS) that establish new complementary requirements for financial organisations regarding the outsourcing of ICT services that support critical or important functions.
The aim of these RTS is to specify the aspects that a financial organisation should consider and assess when outsourcing ICT services, ensuring that the risks associated with this outsourcing are properly managed and mitigated.
Among other aspects, the RTS establish that the contracts signed between the financial organisation and the ICT service provider must include contractual provisions that address:
- The ICT service provider's responsibility for subcontracted services;
- Monitoring and reporting obligations on the part of the ICT service provider regarding subcontracted services;
- The location of data processing or storage by the ICT provider's subcontractor, where relevant;
- Guaranteed continuity of services and compliance with established security requirements in the event of non-compliance by any of the ICT provider's subcontractors;
- The financial organisation's rights of access, inspection and audit of subcontracted services;
- The duty to notify in cases of material changes to subcontracting agreements;
- The termination rights of the financial organisation.
The RTS also establish requirements related to the ICT subcontracting chain that must be included in the contract between the financial organisation and the ICT service provider, namely:
- The identification of the entire chain of ICT subcontractors involved in the provision of critical or important services, which must be updated on an ongoing basis;
- Effective monitoring of ICT services by the financial organisation;
- Provisions enabling the financial organisation to assess the impact of a potentially complex subcontracting chain, both on its own ability to monitor critical or important functions and on the ability of competent authorities to supervise the financial organisation;
- Rights of the financial organisation to obtain information from the ICT service provider on subcontracting agreements and relevant performance indicators.
Final considerations
The application of the DORA Regulation and the RTS that complement it as of 17 January 2025 requires action on the part of both financial entities and their ICT service providers, who will have to align their subcontracting practices with a view to complying with the established requirements.
In particular, existing contracts between financial entities and ICT service providers should be assessed and possibly revised to ensure that they comply with the Regulation.
Contracts concluded between ICT service providers and their subcontractors should also be analysed in the light of the DORA Regulation and the RTS and the concrete obligations that result from them for ICT service providers.
Any changes to such contracts for the purposes of complying with the DORA Regulation should be promptly implemented and documented.