Preamble 51 to 60, Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) establishes comprehensive measures to enhance the EU financial sector's resilience against cyber threats and ICT risks. Key aspects include specifying contractual elements, ensuring effective monitoring and oversight of ICT third-party service providers, and promoting standardized practices to maintain operational continuity and legal certainty. The following sections outline these crucial provisions.
51. Specification Of Contractual Elements
Contractual arrangements should include comprehensive descriptions of the functions and services provided, the locations where those functions are performed and where data is processed, and detailed service level descriptions with quantitative and qualitative performance targets within the agreed service levels. These elements are essential if financial entities are to monitor the provider effectively. The arrangements should also provide for the accessibility, availability, integrity, security, and protection of personal data, and should guarantee access to, recovery of, and return of data in the event of the insolvency, resolution, or discontinuation of business operations of the ICT third-party service provider.
52. Notice Periods And Reporting Obligations
To maintain control over developments that could impact ICT security, contractual agreements should stipulate notice periods and reporting obligations for ICT third-party service providers. These provisions should cover developments that could affect critical functions, and the agreements should also require the provider to assist during ICT-related incidents either at no additional cost or at a cost determined in advance.
53. Rights Of Access, Inspection, And Audit
Rights of access, inspection, and audit by the financial entity or appointed third parties are crucial for ongoing monitoring of ICT third-party service provider performance. Full cooperation from providers during inspections is essential. Competent authorities of financial entities should also have these rights, subject to confidentiality requirements.
54. Termination Rights And Exit Strategies
Contractual arrangements should clearly outline termination rights, minimum notice periods, and dedicated exit strategies. These strategies should include mandatory transition periods during which ICT third-party service providers must continue to provide the relevant functions, so as to reduce the risk of disruption or to allow an effective transition to alternative providers or on-premises solutions; the length of such periods should reflect the complexity of the service.
55. Use Of Standard Contractual Clauses For Cloud Computing
Voluntary use of standard contractual clauses developed by the Commission for cloud computing services can enhance legal certainty for financial entities and their ICT third-party providers. This aligns with regulatory requirements and expectations in the financial services sector, building on measures outlined in the 2018 Fintech Action Plan to encourage and facilitate standard contractual clauses for cloud computing services outsourcing by financial entities.
56. Union Oversight Framework For Critical ICT Third-Party Service Providers
To strengthen digital operational resilience and preserve financial system stability and the integrity of the single market, critical ICT third-party service providers should be subject to a Union Oversight Framework. This framework aims to harmonize supervisory approaches to ICT third-party risk in the financial sector, ensuring robust oversight of providers crucial for operational functions.
57. Designation Mechanism For Critical ICT Third-Party Service Providers
A designation mechanism should be established to determine which ICT third-party service providers qualify as critical based on quantitative and qualitative criteria reflecting the financial sector's reliance on them. Providers meeting criticality parameters are included in the Oversight Framework. Those not automatically designated may opt in voluntarily, while providers already subject to Eurosystem oversight mechanisms under Article 127(2) of the Treaty on the Functioning of the European Union are exempted.
58. Legal Incorporation And Data Localization
The requirement for critical ICT third-party service providers to be legally incorporated in the Union does not imply data localization requirements. This Regulation does not impose additional obligations on data storage or processing within the Union.
59. Member States' Oversight Competence
Member States retain the competence to conduct their own oversight of ICT third-party service providers not designated as critical under this Regulation but deemed important at the national level.
60. Coordination And Oversight Forum
The Joint Committee of the ESAs should continue coordinating cross-sectorally on ICT risk matters, supported by a new Subcommittee (the Oversight Forum). This Forum would prepare individual decisions for critical ICT third-party service providers, make collective recommendations, and benchmark oversight programs. It aims to identify best practices for addressing ICT concentration risks across the financial sector.