Navigating Contracts Under DORA: What You as an ICT Service Provider Need to Know

Digital Operational Resilience Act

What should in-house counsel keep an eye on?


At RMOK Legal, we are receiving new queries around the Digital Operational Resilience Act (DORA). If you’re like some of our in-house counsel clients diving into the world of DORA contracting, there are a few key provisions you should definitely keep an eye on. Let’s break it down.

  1. Introduction

  2. Background

  3. Key Provisions for Non-Critical or Important Functions

  4. Key Provisions for Critical or Important Functions

  5. Conclusion

Key Takeaways

  • Understanding DORA: The Digital Operational Resilience Act (DORA) is EU legislation aimed at harmonizing ICT risk management for financial entities to protect against severe operational disruptions.

  • Applicability: While DORA does not apply in the UK, it is relevant for UK-based companies offering services in the EU or acting as ICT third-party service providers (ICT TPPs) to EU financial firms.

  • Implementation Date: DORA will take effect on 17 January 2025, with no expected extensions.

  • UK Regulatory Landscape: The UK has its own requirements for outsourcing and operational resilience, with ongoing consultations to manage critical third parties in the financial sector.

  • Contract Updates: Financial entities are updating contracts to comply with DORA, leading to increased workload for in-house counsel. ICT TPPs are generally willing to accommodate reasonable requests to maintain commercial relationships.

  • Critical vs. Non-Critical Functions: The determination of whether services are critical or important is made by the financial entity, and existing contracts may need to be reviewed to ensure compliance with DORA.

  • Avoiding Contract Amendments: Some companies, like Google and Oracle, have mapped DORA requirements to avoid the need for contract negotiations or amendments.

  • Contract Provisions: Key areas to consider in contracts include form of contract, service descriptions, monitoring and notifications, termination rights, subcontracting, audit and access rights, data and security, business continuity, incident response, training and awareness, data locations, exit strategies, and cooperation with authorities.

  • Proportionality Test: For critical or important functions, more robust contract requirements apply, similar to those in the EBA Outsourcing Guidelines, with a proportionality test to ensure measures are appropriate.


Background

What is DORA?

The Digital Operational Resilience Act (DORA) is EU legislation that aims to harmonise the approach to ICT risk management for financial entities. The EU wants to make firms and the financial markets better protected against severe operational service disruption caused by cyber attacks and ICT issues. This is increasingly important given the interconnectedness of the financial system and the risk of financial contagion.


Does DORA apply to my company?

DORA does not apply in the UK, but it is relevant for many UK-based companies, either because they are financial firms (directly or indirectly) offering their services in the EU, or because they are ICT third-party service providers (ICT TPPs) who offer services in the EU to financial firms. There are two types of ICT TPPs: those designated by the European Supervisory Authorities as critical for financial entities, and those which a financial entity has classed as such itself.


When will it take effect?

DORA is due to take effect from 17 January 2025, with no rumours of any extension.


What’s the UK doing in this space?

The UK regulatory authorities already have requirements relating to outsourcing and operational resilience. The FCA, the Bank of England, and the PRA are consulting on how they should manage critical third parties to the UK financial sector. The consultation closed in March 2024, and we are awaiting the outcome and next steps. There is some overlap with DORA in this regard.


Why now?

It is likely because the financial entities have completed their gap analysis, reviewed their ICT risk policies, and identified their relevant contracts. There has been a real trend emerging of UK ICT third-party service providers, including RMOK’s clients, being asked to update existing contracts to cater for DORA. Unfortunately, there has been no ‘one-size-fits-all’ approach to drafting, which is adding to the already large workload of many in-house counsel teams. That said, as was the case, for example, when GDPR and the Outsourcing Guidelines were introduced, the ICT third-party service providers (“ICT TPPs”) are willing to entertain reasonable and proportionate requests. After all, no ICT TPP will willingly risk its future commercial relationship with these kinds of buyer.


I can reject the amendment request because my services are not critical or important functions. Right?

Whether your services are “critical or important functions” of your (financial entity) buyer is a matter solely determined by the buyer. In some instances, the buyer might be persuaded to confirm that the existing contractual arrangements already cater for DORA requirements. This argument is not guaranteed to succeed and needs to be considered for each contract separately.


Is there a way to avoid a flood of requests?

Maybe. Check out what Google and Oracle have published. They have mapped the DORA contracting requirements for ICT TPPs with a view to ensuring that no contract negotiations or amendments are required by any financial entity caught by DORA. Google: mapping, Oracle: checklist.

Ok, we have a contract amendment request, now what?

Talk to RMOK Legal. We can check the language and next steps, and consider key areas such as those below for non-critical or important functions.

1. Form of Contract

2. Service Descriptions and Levels

3. Monitoring and Notifications

4. Termination Rights

5. Subcontracting

6. Audit and Access Rights

7. Data and Security

8. Business Continuity

9. Incident Response

10. Training and Awareness

11. Data Locations

12. Exit Strategies

13. Cooperation with Authorities

1. Form of Contract

First things first, everything needs to be in writing. According to Article 30(1) of DORA, the rights and obligations of both parties should be clearly laid out. This includes service level agreements (SLAs) and should be available in a durable and accessible format.

2. Service Descriptions and Levels

When it comes to the services provided, clarity is key. Article 30(2)(a) and (e) require a complete description of all functions and services, along with detailed service level descriptions. This is likely already in the ICT TPP’s existing contract, but a distinction might be required between critical and non-critical functions.

3. Monitoring and Notifications

Keeping tabs on performance is crucial. Article 30(3)(b) mandates that the contract should include notice periods and reporting obligations. The contract should outline how the ICT TPP will notify the financial entity of any significant developments that might impact service delivery.

4. Termination Rights

You need to know when and how the contract can be terminated by the financial entity if things go south. Article 28(7) and Article 30(2)(h) provide for termination in cases of “significant breaches” or other critical issues.

5. Subcontracting

If subcontracting is involved, Article 30(2)(a) should be checked. The contract should ensure that any subcontractors are held to the same standards and that the primary service provider remains responsible for their performance.

6. Audit and Access Rights

You have the right to audit the service provider’s performance. Article 30(3)(e) obliges the financial entity to agree parameters around inspections and audits. The contract should grant you and your auditors access to relevant business premises and data, ensuring transparency and compliance. This will likely be another common friction point for many ICT TPPs, especially as to whether onsite access is necessary and proportionate.

7. Data and Security

Protecting your data is paramount. Article 30(2)(c) and (d) cover provisions for data availability, authenticity, integrity, and confidentiality. The contract should outline commitments to data security, including technical and organisational measures.

8. Business Continuity

In case of disruptions, Article 30(3)(c) requires the service provider to have business continuity plans in place. The contract should describe strategies for maintaining service continuity and data backup.

9. Incident Response

If an ICT incident occurs, Article 30(2)(f) mandates the ICT TPP to assist the financial entity. The contract should detail support in responding to incidents, ensuring the ICT TPP is not left with a heavy cost.

10. Training and Awareness

Article 30(2)(i) requires the service provider to participate in your ICT security awareness programmes. This sounds fine until you consider one-to-many offerings, where ICT TPP personnel are supporting multiple financial entities.

11. Data Locations

The contract should specify the locations where data is processed and stored (Article 30(2)(b)). It should provide information about data centres and sub-processors, ensuring robust security measures regardless of the location.

12. Exit Strategies

The contract should support robust exit planning by offering tools for data export and migration (Article 30(3)(f)). This could include a commitment to providing services during a transition period to minimise disruption.

13. Cooperation with Authorities

The service provider should fully cooperate with supervisory authorities, resolution authorities, and their appointees during audits and inspections (Article 30(2)(g)). The contract should grant access, inspection, and audit rights to ensure compliance.


What about critical or important functions provided by ICT TPP?

More robust contract requirements are set out in Article 30(3), which will be familiar to many ICT TPPs that have negotiated under, for example, the EBA Outsourcing Guidelines. DORA recognises that a proportionality test is to be applied. This means that measures are to be considered based on the nature, scale and complexity of the ICT-related dependencies, the risk arising from the contractual relations with the ICT TPPs, and the potential impact of the ICT service on the continuity and availability of the financial services and activities.


RMOK Comments

At RMOK, we totally get it. Juggling a new amendment on top of everything else can be overwhelming. However, there is always room to ensure that the outcome remains reasonable, proportionate and supportive of your goals. If you have any questions or need assistance, we are here to look after it for you.

