DORA: ‘Technical Standards,’ new pieces of the puzzle

The Digital Operational Resilience Act (“DORA”) aims to harmonize the rules on digital operational resilience across the financial sector. DORA applies to 21 categories of financial entities and applies from January 17, 2025.

Earlier we reported on DORA and the impact DORA will have on contracting with IT suppliers. The latter is part of the fourth pillar of DORA, which is ‘managing third-party provider ICT risks’. The first pillar is a ‘general framework for ICT risk management’. The second pillar concerns ‘the management, classification and reporting of ICT-related incidents’ and the third pillar ‘the testing of digital operational resilience’.

The fifth pillar of DORA concerns ‘the oversight framework for critical third-party providers of ICT services’. This pillar covers third-party ICT service providers that are designated as critical by the European regulators and are then placed under direct oversight: in practice, large, systemic IT providers. These should be distinguished from IT suppliers that support critical or important functions of an individual financial entity, to which the regime of the fourth pillar applies. As a rule, of course, a designated critical third-party provider will also support critical or important functions.

While the rules for the various pillars are broadly set out in DORA itself, in a number of areas the European Supervisory Authorities (EIOPA, EBA and ESMA) are jointly mandated to elaborate them in further ‘Technical Standards’. On January 17, 2024, a first batch of these Technical Standards was published in final draft form, providing further detail on elements of the pillars mentioned above (including the elements that must make up the overall ICT risk management framework and the classification of ICT-related incidents).

Meanwhile, a second batch of Technical Standards has been put out to consultation; these are expected to be published in final form, possibly with some minor changes, on July 17, 2024.

In this contribution, we look at the Technical Standards that relate to ‘the management of ICT risks of third-party providers’ (we will also refer to these providers as ‘IT suppliers’), because the requirements they contain affect how financial institutions contract with, and manage their relationships with, IT suppliers.

Information Register

Every financial entity is required under DORA to maintain a register of information covering all contractual arrangements on the use of IT services provided by IT suppliers (Article 28(3) DORA). The European Supervisory Authorities have jointly prepared a Technical Standard (final since January 17, 2024) that sets out a template for this register, as mandated by Article 28(9) DORA. The template is an Excel document that financial institutions must use to meet the obligation to maintain the register.

The template contains a large number of prescribed fields covering, among other things, details of the IT supplier, the type of IT service, contract data (start date, end date), whether the service supports a ‘critical or important function’, and whether the mandatory contractual clauses are included. In short, the template makes clear what must be kept in the register, but completing and maintaining it will be quite laborious for many financial institutions.

The register carries considerable weight under DORA. Financial entities must report annually to the competent authority on the number of new IT service agreements entered into, the categories of third-party providers, the types of contractual arrangements, and the IT services and functions provided. In addition, financial institutions must be able to make the register, or parts of it, available to the competent authority on request. Finally, financial institutions must inform the competent authority in a timely manner (on the basis of the register) of any planned contract with an IT supplier that supports a critical or important function.

Contractual arrangements for IT suppliers of critical or important functions

Article 28(2) DORA requires financial institutions to have a policy in place on the use of third-party IT service providers and, more specifically, on third-party providers that support critical or important functions. Briefly, these are functions whose disruption would materially impair the financial performance or the continuity of the entity’s services, or the entity’s continued compliance with the conditions of its licence.

On the basis of Article 28(10) DORA, the European Supervisory Authorities have jointly prepared a Technical Standard here as well (final since January 17, 2024). It specifies the content of that policy as regards contractual arrangements with third-party providers that support critical or important functions.

This Technical Standard consists of 10 articles. The first four deal with the governance of the policy (who is responsible at which stage of the life cycle of the contractual arrangement). For the pre-contractual phase and the contracting phase, the following articles are relevant.

Pre-contractual phase

The fifth article requires the financial institution to carry out an ex ante risk assessment. That is, before it enters into a contract with an IT supplier for a critical or important function, the financial institution must assess the impact of the service on the following risks:

  • Operational risks
  • Legal risks
  • IT risks
  • Reputational risks
  • Risks related to the protection and availability of confidential and personal data
  • Risks associated with data processing location

The sixth article requires the financial institution to conduct due diligence on the IT supplier before entering into the contract. In our view, such due diligence cannot be separated from the risks listed above: the topics that due diligence must cover give concrete form to the elements of the ex ante risk assessment.

Contracting phase

DORA prescribes a number of mandatory topics that, on top of the clauses required in contracts with all IT suppliers, must be included in contracts with IT suppliers for critical or important functions. The Technical Standard further fleshes out topics that Article 28 DORA mentions but does not elaborate on.

Article 8 gives further guidance on the contractual provisions dealing with the access, inspection and audit rights of the financial institution (and its auditors). Under the conditions set out in that article, third-party certifications and the IT supplier’s own audit reports may also be used to satisfy the audit requirements.

Article 9 deals with how a financial entity can ensure that key measures and ‘Key Performance Indicators’ are met by IT suppliers, and how compliance can be monitored. For the former, a penalty regime in a Service Level Agreement, tied to compliance with the agreed service levels, is an obvious option. For monitoring, the article requires the contract to include reporting requirements, a clear description of the service levels and incident reporting obligations.

Finally, Article 10 requires each financial institution to have a documented exit plan for every contract with an IT supplier for a critical or important function. The exit plan must be reviewed periodically in light of changed circumstances, and it must be tested, taking into account interruptions of the service and the unexpected termination of the contractual relationship (for whatever reason).

Outsourcing critical or important functions to subcontractors

Article 30(2) DORA requires financial entities to specify in their contractual arrangements whether (further) outsourcing of critical or important functions by an IT supplier to subcontractors is permitted and, if so, under what conditions. Here too, the European Supervisory Authorities have jointly drafted a Technical Standard with further rules on such subcontracting. This Technical Standard is still under consultation, however, and will therefore only become final on July 17, 2024.

Although this Technical Standard is still a draft, it already contains a number of important points for contracting around further outsourcing by IT suppliers to subcontractors that support critical or important functions. For example, it lists risk elements on the basis of which the financial institution must decide whether further outsourcing by the IT supplier may take place at all (such as the financial stability, continuity and geographical location of the subcontractor). It must also be agreed contractually with the IT supplier that this assessment of the subcontractor will be repeated periodically.

Under the draft Technical Standard, the financial entity is also obliged to monitor the entire chain, including subcontractors. This means the agreements with IT suppliers must contain concrete provisions that actually enable the financial entity to monitor that chain. The IT supplier must also inform the financial entity of material changes with respect to the subcontractor, whether at the level of the subcontracting agreement or at the level of the subcontractor’s organization. The contract will therefore have to contain a mechanism that guarantees the financial institution this flow of information and allows it to be enforced. This matters because the financial institution must be able to object to such material changes.

Finally, the draft Technical Standard provides that the financial institution must be able to terminate the agreement with the IT supplier in either of the following cases: (a) the IT supplier makes material changes with respect to the subcontractor (or the subcontracting agreement) despite the financial institution’s objections; or (b) the IT supplier subcontracts critical or important IT services without the financial institution’s express consent.

Conclusion

The Technical Standards provide further interpretation and clarification of DORA, including for contracting with IT suppliers as part of ‘managing third-party provider ICT risks’. At least in part: some of the documentation is still under consultation and will not become final until July 17, 2024. In part, financial institutions can rely on what already applies under the outsourcing rules of the Financial Supervision Act and the (EIOPA, EBA and ESMA) guidelines as far as contracting is concerned. However, DORA (and the Technical Standards now known alongside it) introduces a number of new requirements and differs on subjects that financial institutions should already be addressing. Quite a puzzle, and the time for solving it is running out: DORA applies from January 2025.