In PART I of our blog series, we outlined the framework of the Digital Operational Resilience Act (‘DORA’). In this second part of our blog series about DORA, we focus on the implications DORA has for normal IT-suppliers. ‘Normal’ is used here in contrast to IT-suppliers providing ‘critical’, ‘important’ or ‘systemic’ IT-services, for which a stricter regime applies. In PART III of this blog series we will take a further look at these ‘critical’ IT-suppliers.
ICT 3rd Party Risk Management
One of the areas in which DORA addresses ICT security and digital resilience for financial entities is ‘ICT 3rd Party Risk Management’. DORA covers a wide range of IT-suppliers, including providers of cloud computing services, software, data analytics services and data centre services. Companies which are part of a financial group and provide ICT services predominantly to their parent company, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, are also considered IT-suppliers under DORA.
A financial entity remains at all times fully responsible for complying with its obligations under DORA. This means that the financial entity needs to carefully monitor any potential impact of the IT-supplier’s services on the continuity and quality of its financial services, at individual and, where appropriate, at group level.
Such monitoring should follow a strategic approach to IT-supplier risk, formalised through the adoption by the financial entity’s management body of a dedicated IT-supplier risk strategy that enables continuous screening of all IT-supplier dependencies. All financial entities are therefore required to maintain a register of information on all contractual arrangements for the use of ICT services provided by IT-suppliers. Financial supervisors may request the full register, or specific sections of it, and thus obtain the information they need to understand the ICT dependencies of financial entities.
In addition, a thorough pre-contracting analysis must be carried out before any IT-contract with the IT-supplier is formally concluded. This analysis should focus in particular on the criticality or importance of the services supported by the envisaged IT-contract, any necessary supervisory approvals or other conditions, the possible concentration risk involved, due diligence in the selection and assessment of the IT-supplier, and potential conflicts of interest.
The foregoing means that the IT-supplier will be confronted with all sorts of information requests and pre-contractual requirements from the financial entity before any contract can even be concluded. Once the contract is in place, the IT-supplier will also have to make sure that, during the entire life cycle of the contract, it is able to abide by the standards and requirements set out in the financial entity’s risk framework. In practice this means that processes and information (such as certificates) will have to be maintained and updated where necessary.
Key Contractual Provisions
From a contractual point of view, the harmonisation of key contractual provisions will probably have the greatest impact on the IT-supplier. This harmonisation covers the minimum areas that are crucial for enabling the financial entity to fully monitor the risks that could emerge from the IT-supplier or the use of its services. The financial entity needs this to secure its digital resilience, because it is deeply dependent on the stability, functionality, availability and security of the IT-services it receives.
Therefore, when entering into new contracts with IT-suppliers or when renegotiating contractual arrangements, IT-suppliers and financial entities should ensure that the key contractual provisions provided for in DORA are covered. DORA is not clear on whether this also means that existing IT-contracts need to be amended, but it is clearly advisable for both the financial entity and the IT-supplier to do so.
What are the key contractual provisions that need to be incorporated in IT-contracts (bearing in mind that, according to the author, these apply to all IT-contracts, meaning those with both normal and critical IT-suppliers)?
Provision of services
Irrespective of the criticality or importance of the function supported by the IT-services, DORA requires that the rights and obligations of the financial entity and of the IT-supplier are clearly allocated and set out in writing. That sounds obvious, but it means that the full contract, including the service level agreements, must be documented in one written document that is available to all parties.
The contractual arrangements should, in particular, provide a complete description of all functions and services. In addition, the locations (regions or countries) where those functions are provided and where data is processed, including the storage location, need to be described, and the contract must require the IT-supplier to notify the financial entity in advance if it envisages changing those locations. The contract should also contain service level descriptions, meaning which service levels apply to the services and what the norms for those service levels are (e.g. a percentage of availability).
Security and Audit
Financial entities may only enter into contractual arrangements with IT-suppliers that comply with appropriate information security standards. IT-suppliers therefore need to have (internationally) accepted security certifications at their disposal. The IT-contracts must also include terms under which the IT-supplier has to notify the financial entity of any changes in relation to its own security. Abiding by security standards also means that the IT-supplier must implement and test business contingency plans and have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity.
When exercising access, inspection and audit rights over the IT-supplier, financial entities must, on the basis of a risk-based approach, pre-determine (and incorporate in the IT-contract) the frequency of audits and inspections as well as the areas to be audited, adhering to commonly accepted audit standards and to any supervisory instruction on the use and incorporation of such standards.
The IT-contract must contain provisions on the availability, authenticity, integrity and confidentiality of data, including personal data. DORA does not, however, say what the content of these provisions should be. Given that non-compliance with these provisions entitles the financial entity to terminate the IT-contract, the related service levels need to be clear, and the financial entity will want realistic remedies in case of non-compliance.
The financial entity should also be able to access and take possession of its data at all times. This means that the IT-contract should contain provisions ensuring access to, and the recovery and return of, personal and non-personal data processed by the financial entity, in an easily accessible format, in the event of the insolvency, resolution or discontinuation of the business operations of the IT-supplier, or upon termination of the contractual arrangements.
Cooperation of the IT-supplier
The IT-supplier should cooperate with the financial entity in several ways and the IT-contract should incorporate provisions to do so.
First, the IT-supplier is obliged to provide assistance to the financial entity, at no additional cost or at a cost determined ex-ante, when an ICT incident related to the IT-service provided to the financial entity occurs.
Secondly, the IT-supplier must fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them, in the event of any investigation or questions posed by those authorities.
Third, the IT-contract should describe the conditions for the participation of the IT-supplier in the financial entity’s ICT security awareness programmes and digital operational resilience training, in accordance with the awareness and training obligations that DORA places on the financial entity.
Termination and (basic) exit
The IT-contract must contain specific provisions on termination for cause (a generic provision for termination in case of breach of contract is not sufficient). Financial entities must ensure that contractual arrangements on the use of IT-services can be terminated for cause in any of the following circumstances: (i) a significant breach of applicable laws, regulations or contractual terms by the IT-supplier; (ii) circumstances identified through the monitoring of IT-supplier risk that are deemed capable of altering the performance of the functions provided; (iii) evidenced weaknesses in the IT-supplier’s overall ICT risk management, in particular in the way it ensures the availability, authenticity, integrity and confidentiality of data; and (iv) the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the contractual arrangement.
Any termination (for convenience) rights of the IT-supplier should be in line with the related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities. The latter may refer to the EBA guidelines for banks or the EIOPA guidelines for insurance companies, which have elaborated on the notice periods necessary for the transition of services. Although not explicitly mentioned for (non-critical) IT-suppliers, the reference to the expectations of competent authorities also means that IT-contracts will have to contain an obligation for the IT-supplier to cooperate in an exit from, or transition of, the IT-services.
Impact from the perspective of the (non-critical) IT-supplier
Although DORA only applies from January 2025, IT-suppliers of financial entities can already anticipate the consequences of DORA described in this blog:
- Take a critical look at your own IT-contracts and check whether they include the key contractual elements mentioned in DORA. Do not forget that DORA contains open or vague norms; by being pro-active as an IT-supplier you can draft these to your own benefit while still being compliant with DORA. This applies not only to new contracts entered into after January 2025 but also to existing contracts.
- Review the processes within your organisation to see whether you can align with, or prepare for, the requirements of DORA, such as the security requirements, incident response requirements and cooperation with the financial entity. Also prepare for the pre-contracting analysis that financial entities will have to perform and the information they will require from the IT-supplier.
- Make sure that you have the necessary information, certificates or audits in place (such as certificates demonstrating an appropriate level of security) and, if not, start the procedures and processes needed to acquire them now. These procedures can be very time-consuming, so having them in place before January 2025 means taking action in the short term.
In addition, critical IT-suppliers will have to meet a stricter regime. PART III of our blog series will therefore focus on the impact of DORA on the critical IT-supplier.