The financial sector still has a few months to make its IT contracts compliant with the Digital Operational Resilience Act (DORA). DORA is a European regulation aimed at strengthening the digital operational resilience of the financial sector and aims, among other things, to harmonize fragmented laws and regulations on ICT risk management and ICT outsourcing and address gaps and overlaps in them. As of Jan. 17, 2025, financial institutions such as banks, insurers and investment firms must comply with the requirements set by DORA in that context.

An important part of DORA deals with the third-party risk management of financial institutions, with requirements that apply where financial institutions engage third parties (IT vendors) to provide ICT services.
In this article, we list the elements that should be in IT contracts that must comply with DORA. We distinguish between the items that should be in all IT contracts and the items that should additionally be included in contracts for IT services that support critical or important functions of financial institutions.
An important consideration is that the contractual requirements derive not only from DORA itself but also from the delegated regulations under DORA (also referred to as level-2 regulations): the so-called Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) established by the joint European financial sector regulators EBA, EIOPA and ESMA.
In any case, the following elements must be reflected in a contract between a financial institution that falls within the scope of DORA and its IT vendor:
Service Description - A clear and complete description of the ICT services and functions to be provided.
Agreements on subcontracting - A determination as to whether subcontracting of critical or important functions is permitted and, if so, under what conditions. If subcontracting is permitted, it should at least be agreed that the IT supplier remains responsible for performing the services; that the supplier has a monitoring obligation and reporting obligations with respect to the subcontracted services; agreements on relevant locations, information security, certain service continuity safeguards such as business continuity plans (BCPs) and certain service levels; that the supplier contractually imposes audit rights in favor of the financial institution and its regulators on its subcontractors; that the financial institution is informed of changes to the subcontracted services; and certain termination rights related to subcontracting.
Locations of the services and data - A description of the locations where the service is provided and the (personal) data is processed and/or stored, and a requirement for the provider to inform the financial institution in advance of any changes to this.
Information security - Agreements to ensure the availability, authenticity, integrity and confidentiality of (personal) data.
Access, recovery & return of data on termination - The agreement should include safeguards of access, recovery and return in usable format in case of insolvency, settlement or cessation of business.
SLA - A description of the service level (in the English version of DORA 'service level descriptions'), at least in outline form (see also the list below).
Incident support - An obligation on the IT vendor to provide assistance to the financial entity in the event of incidents, free of charge or at pre-agreed rates.
Duty to Cooperate - A contractual obligation to cooperate fully with regulators and/or competent authorities.
Termination rights and minimum notice periods - The ability to terminate the agreement at least in case of (i) serious violations of laws and regulations by the IT supplier, (ii) circumstances identified during ICT risk monitoring that may adversely affect the agreement or the IT supplier, (iii) apparent weaknesses in the IT supplier's management of ICT risk (especially where information security is concerned), and (iv) if the regulator can no longer exercise effective oversight, with appropriate notice periods.
Participation in awareness programs and training - Agreements on, where relevant, the participation of (the staff of) the IT vendor in awareness programs and training on operational resilience of the financial institution.
Contracts involving ICT services that support the critical or important functions of the financial institution should include, in addition to the above list, the following elements:
SLA with KPIs - Service levels for the entire service, including precise quantitative and qualitative performance targets.
Notification deadlines and reporting obligations - The obligation to notify developments that may materially affect the IT supplier's ability to effectively deliver the IT services in accordance with the agreed service levels.
BCPs - Obligation to establish and test corporate emergency plans and to have appropriate ICT security measures, tools and policies in place.
TLPT cooperation obligation - Obligation to cooperate with the financial institution's threat-led penetration tests (TLPT), if the institution has determined that the relevant ICT services are in scope of its TLPT.
Audit right - The right to continuously monitor the IT supplier's performance, which right is fleshed out by unrestricted rights of access, inspection and audit for the financial institution itself and its regulators with an obligation of full cooperation for the supplier and an obligation for the financial entity to provide details of the audit or inspection in advance. There is also room to agree on a different type of assurance if rights of other clients of the IT supplier would be affected by an audit or inspection.
Exit - Financial institutions must be able to terminate the agreement without disruption to their business activities, without being restricted in their compliance with regulatory requirements and without compromising the continuity and quality of services to (end) customers. In addition, the agreement should include arrangements for the transition of the ICT services and associated data to another supplier or the financial institution itself.
These types of agreement requirements are not entirely new for most financial entities, by the way. The pre-DORA laws and regulations in the field of (ICT) outsourcing, such as the EBA and ESMA guidelines on outsourcing arrangements and the EIOPA guidelines for outsourcing to cloud service providers, already contain a series of similar requirements imposed on (ICT) outsourcing agreements. For IT contracts where the EBA, EIOPA or ESMA guidelines have already been taken into account, some of the issues will therefore already be covered. In that case, a gap analysis and filling in the gaps will suffice. Nevertheless, we expect some work to be done in all cases, as DORA contains more stringent requirements than those that have applied so far, and there will also be more IT contracts "in scope". Indeed, the aforementioned outsourcing guidelines primarily (almost exclusively) looked at ICT outsourcing of critical or key functions, while DORA sets requirements for all ICT contracts.
