As of January 17th, 2025, financial institutions and ICT service providers need to comply with a new set of rules to strengthen the digital operational resilience of the financial sector: the European Union's Digital Operational Resilience Act (“DORA”). For ICT third-party service providers providing their services to financial institutions, compliance with (relevant parts of) articles 28-30 and the Regulatory Technical Standards (“RTS”) on ‘subcontracting ICT services supporting critical or important functions’ is imperative. The DORA articles and RTS outline extensive requirements for establishing and managing contractual relationships between financial institutions and ICT third-party service providers to mitigate operational risks and strengthen cyber resilience. In addition to the requirements for the relationship between the financial institution and the ICT third-party service provider, DORA requires that information about the full ICT service provider supply chain is available, reaching down even to fourth, fifth, and further party suppliers. In this blog, we explore the core requirements and challenges of DORA for contracting with financial institutions, from the perspective of the ICT third-party service provider.
Contracting requirements under DORA
Articles 28-30 of DORA set foundational requirements to ensure robust operational resilience through ICT service agreements. These articles require financial institutions and ICT third-party service providers to conclude written agreements that clearly define service levels and expectations, security measures and compliance responsibilities. The key contractual provisions that must be included for all types of ICT third-party service providers are listed in article 30(2) DORA:
- Description of service: A clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider;
- Conditions for outsourcing: Whether the subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
- Locations of services and data: The locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
- Security of data: Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
- Access, recovery and return of data: Provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial institution in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
- Service level descriptions: Details about the service levels, including updates and revisions thereof;
- Incident reporting and assistance: The obligation of the ICT third-party service provider to provide assistance to the financial institutions at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
- Cooperation with supervisory authorities: The obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial institution, including persons appointed by them;
- Termination rights: Termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities; and
- Training and awareness participation: The conditions for the participation of ICT third-party service providers in the financial institutions’ ICT security awareness programs and digital operational resilience training.
Further, there are additional requirements that need to be included in contracts with ICT third-party service providers supporting critical or important functions of the financial institution. Those requirements are set out in article 30(3) of DORA and are:
- Full service level descriptions and KPIs: The contract must include full service level descriptions, including updates and revisions thereof, with precise quantitative and qualitative performance targets within the agreed service levels, to allow effective monitoring of the ICT services by the financial institution and to enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
- Notice and reporting obligations: Agreement must be made on notice periods and reporting obligations of the ICT third-party service provider to the financial institution, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
- Business continuity: There are requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial institution in line with its regulatory framework;
- Threat-led penetration testing participation: The obligation of the ICT third-party service provider to participate and fully cooperate in the financial institution’s threat-led penetration testing (TLPT);
- Monitoring: The financial institution has the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails unrestricted rights of access, alternative assurance levels and audits and inspections; and
- Exit strategy: An exit plan for the termination of the service must be agreed upon, during which the ICT third-party service provider continues providing the respective functions or ICT services, with a view to reducing the risk of disruption at the financial institution or to ensuring its effective resolution and restructuring, and to allowing the financial institution to migrate to another ICT third-party service provider or to in-house solutions.
But that is not all: further requirements (and more detailed elaborations of the requirements in article 30) are included in the aforementioned RTS on subcontracting. The RTS also address the requirements with regard to the further subcontracting of outsourced ICT services (the chain of subcontractors). With a critical eye, one can see that there is some overlap between articles 28 and 30 and the RTS (for example regarding termination rights). This is probably a result of DORA having been developed by harmonizing existing cybersecurity legislation and guidelines, such as the European Banking Authority (“EBA”) Guidelines on Subcontracting.
Practical steps for ICT third-party service providers when contracting with financial institutions
To address the above requirements, ICT service providers can implement a few practical strategies when providing services to financial institutions:
- Develop standardized contract templates: Using contract templates (one for services supporting critical or important functions and one for services that do not) that incorporate all DORA requirements can streamline the contracting process and ensure consistency across all agreements with your customers that are financial institutions. Also develop corresponding contracts for your own subcontractors, i.e. the chain discussed earlier, so that the obligations you take on can be passed down.
- Define contracts more in favor of the ICT third-party service provider: For several requirements, it is possible to include wording or options that are more favorable to the ICT service provider. For example, in the case of incident notification and assistance, DORA states that “the ICT third-party service provider must provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante.” Include thresholds and agree upfront on rates for assistance with incident handling.
- Implement a risk-based approach: When contracting with your customers acting as financial institutions, discuss whether you are a critical or non-critical ICT third-party service provider to the respective financial institution, i.e. whether your services support a critical or important function. When you are non-critical, be aware of the more limited set of requirements that applies to your specific role and services. Prioritize your contracting efforts on the financial institutions where your services are critical or important.
- Create complete overviews of your subcontractors: To be able to provide information to the financial institution about your subcontractors (and theirs, and so on down the chain), make sure you have complete overviews of your direct subcontractors. Know which functions you outsource to them, where they are located, where data is processed, and similar details.
- Do not be afraid to ask for help: If you are unsure about your role or need expert advice, engage with legal experts to navigate the complex requirements and subcontracting chains.
Final remarks
Under DORA, both financial institutions and ICT third-party service providers face significant responsibilities and challenges in managing contractual relationships. Articles 28-30 and the RTS on subcontracting emphasize thorough due diligence and contractual requirements and obligations that extend to every subcontractor in the chain. By establishing complete and clear contracts, and by gaining a clear understanding of your role vis-à-vis your customers that are financial institutions, your services and your subcontractors, you can manage these requirements more effectively.
If you have any questions about this topic, you can email us at contact@ictrecht.nl