Key DORA Contractual Provisions
Nov 4, 2024
This blog provides a concise overview of the key contractual provisions required for compliance with the DORA regulations, offering insight into what your business needs to implement. Please note that this is not legal advice; it is intended for educational purposes only. We recommend that you consult your legal team to review your contracts and the requirements outlined below.
https://www.dora-info.eu/dora/article-30/#r1
Single Contract with SLA in one accessible document
The rights and responsibilities of both the financial entity and the ICT provider should be clearly outlined in writing. The complete contract, including the service level agreements, needs to be in one document that both parties can access, either on paper or in a downloadable, easy-to-read format.
The contractual arrangements on the use of ICT services shall include at least the following elements:
a. A straightforward description of all the functions and ICT services the provider will offer. It should also say if they can subcontract any of these critical services and, if so, what the rules are for doing that.
b. The places—like regions or countries—where the ICT services will be provided and where data will be processed and stored. It should also mention that the provider needs to let the financial entity know in advance if they plan to change any of these locations.
c. Rules about making sure data is available, authentic, intact, and confidential, especially when it comes to protecting personal data.
d. Rules to ensure that both personal and non-personal data processed by the financial entity can be easily accessed, recovered, and returned if the ICT provider goes out of business or if the contract ends.
e. Descriptions of service levels, along with any updates and changes.
f. The ICT provider must assist the financial entity at no extra cost or at a pre-agreed cost if an ICT incident related to their service occurs.
g. The ICT provider must fully cooperate with the authorities mentioned in Article 46 and the financial entity's resolution authorities, including their appointed representatives.
h. Termination rights and minimum notice periods for ending the contract, in line with what the authorities expect.
i. The conditions for ICT providers to participate in the financial entities' ICT security awareness programs and digital operational resilience training as outlined in Article 13(6).
The contract for using ICT services that support critical or important functions must include, along with the elements mentioned in paragraph 2, at least the following:
a. Complete service level descriptions, including updates, with clear performance targets to help the financial entity effectively monitor ICT services and take timely corrective actions if service levels aren't met.
b. Notice periods and reporting obligations for the ICT provider to the financial entity, including alerts about any changes that could affect their ability to deliver critical ICT services according to agreed service levels.
c. Requirements for the ICT provider to implement and test business contingency plans, as well as to have security measures, tools, and policies that ensure adequate security for the financial entity’s services in compliance with regulatory standards.
d. The ICT provider must participate and fully cooperate in the financial entity's threat-led penetration testing (TLPT) as outlined in Articles 26 and 27.
e. The right to continuously monitor the ICT provider’s performance, which includes the following:
i. Unrestricted rights for the financial entity, an appointed third party, and the competent authority to access, inspect, and audit, including taking copies of essential documentation on-site, without limitations from other contracts or policies.
ii. The right to negotiate alternative assurance levels if the rights of other clients are impacted.
iii. The ICT provider must fully cooperate during onsite inspections and audits conducted by the competent authorities, the Lead Overseer, the financial entity, or an appointed third party.
iv. The obligation to provide details on the scope, procedures, and frequency of these inspections and audits.
By way of exception to point (e), the ICT provider and a microenterprise financial entity can agree that the entity’s rights to access, inspect, and audit can be delegated to an independent third party appointed by the ICT provider. The financial entity can request performance information and assurance from this third party at any time.
f. Exit strategies, specifically the requirement for a mandatory transition period:
i. During which the ICT provider will continue delivering services to minimize disruption for the financial entity and ensure effective resolution and restructuring.
ii. Allowing the financial entity to switch to another ICT provider or transition to in-house solutions based on the service's complexity.
When negotiating contracts, financial entities and ICT providers should consider using standard contractual clauses created by public authorities for specific services.
The European Supervisory Authorities (ESAs) will develop draft regulatory technical standards through the Joint Committee to clarify the elements that a financial entity needs to assess when subcontracting ICT services for critical functions.
In creating these standards, the ESAs will consider the size and risk profile of the financial entity, as well as the nature, scale, and complexity of its services and operations.
The ESAs must submit these draft standards to the Commission by July 17, 2024.
The Commission is authorized to adopt these regulatory technical standards to supplement this Regulation, following Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010.
All of the above can be found in Article 30 of DORA, linked above.
I hope that gives you some insight and confidence in preparing for DORA. If you found this interesting, you might also find other articles in our blog section useful, specifically Granular Information on DORA.