Article 27 Digital Operational Resilience Act (DORA), Key Contractual Provisions

Jul 23, 2024 by Sneha Naskar

Article 26 of the Digital Operational Resilience Act (DORA) mandates that financial entities undertake a thorough preliminary assessment of ICT concentration risks and establish clear guidelines for further sub-outsourcing arrangements. This ensures that both the financial entity and the ICT third-party service provider are aligned on their rights and obligations, and that all contractual arrangements are meticulously documented.

Key Elements of Contractual Arrangements for ICT Third-Party Service Providers

The regulation emphasizes the need for transparency, security, and cooperation to maintain operational resilience and safeguard critical functions.

  • The rights and obligations of both the financial entity and the ICT third-party service provider must be clearly allocated and documented in writing. The entire contract, inclusive of service level agreements, shall be consolidated into a single written document accessible to both parties in either paper format or a downloadable and accessible electronic format.
  • Contractual arrangements for the use of ICT services shall encompass the following essential elements:
    • A comprehensive description of all functions and services to be provided by the ICT third-party service provider, specifying whether subcontracting of critical or important functions, or significant parts thereof, is permissible and under what conditions such subcontracting may occur.
    • Specification of the locations where contracted or subcontracted functions and services will be performed and where data will be processed, including storage locations. The ICT third-party service provider must notify the financial entity of any intended changes to these locations.
    • Provisions regarding accessibility, availability, integrity, security, and protection of personal data. Additionally, provisions ensuring access, recovery, and return of personal and non-personal data in an easily accessible format in cases of the ICT third-party service provider's insolvency, resolution, or discontinuation of business operations.
    • Detailed service level descriptions, including updates and revisions, and precise quantitative and qualitative performance targets within agreed service levels. These provisions enable effective monitoring by the financial entity and prompt corrective actions if agreed service levels are not met.
    • Notice periods and reporting obligations of the ICT third-party service provider to the financial entity. This includes notification of any developments that could materially impact the ICT third-party service provider's ability to perform critical or important functions in accordance with agreed service levels.
    • Obligations of the ICT third-party service provider to assist in case of ICT incidents at no additional cost or at a pre-determined cost.
    • Requirements for the ICT third-party service provider to implement and test business contingency plans and maintain ICT security measures, tools, and policies ensuring secure service provision aligned with the financial entity's regulatory framework.
    • Rights for ongoing monitoring of the ICT third-party service provider's performance, including:
      • Rights of access, inspection, and audit by the financial entity or appointed third parties, without hindrance from other contractual arrangements or implementation policies.
      • Agreement on alternative assurance levels if rights of other clients are affected.
      • Commitment to full cooperation during onsite inspections by the financial entity, detailing scope, methods, and frequency of remote audits.
    • Obligations of the ICT third-party service provider to fully cooperate with competent authorities and resolution authorities of the financial entity, including their appointed representatives.
    • Termination rights and minimum notice periods for contract termination, aligned with expectations of competent authorities.
    • Exit strategies, particularly establishing a mandatory transition period:
      • During which the ICT third-party service provider continues providing functions or services to minimize disruption at the financial entity.
      • Allowing the financial entity to transition to another ICT third-party service provider or shift to on-premises solutions, considering the complexity of the service provided.
  • During contract negotiations, financial entities and ICT third-party service providers should consider employing standard contractual clauses tailored to specific services.
  • The ESAs, through the Joint Committee, will develop draft regulatory technical standards specifying additional elements necessary for financial entities to determine and assess when subcontracting critical or important functions, ensuring compliance with the provisions outlined in point (a) of paragraph 2.

The ESAs will submit these draft regulatory technical standards to the Commission by [OJ: insert date 1 year after the date of entry into force]. The Commission is authorized to adopt these regulatory technical standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010, and (EU) No 1094/2010 to supplement this Regulation.