The EU Regulation on Digital Operational Resilience (DORA) will apply from 17 January 2025 to most financial entities in the EU. DORA's increased focus on third-party risk management includes detailed requirements for provisions that must be included in existing and new ICT contracts. This briefing concentrates on the contractual requirements imposed by DORA. Firms have a substantial "to do" list to prepare for DORA over the coming months and, to be ready in time, they should be identifying and triaging their ICT contracts, reviewing them against those requirements and negotiating with service providers any contract amendments necessary to comply.

1 DORA's scope

DORA sets out operational resilience requirements both for financial services firms in their use of ICT services and for certain third parties providing those ICT services. DORA is therefore important not only for financial services firms but also for providers of ICT services to financial entities – including, significantly, those based outside the EU. Whilst DORA will not apply in the UK, UK-based financial services firms and providers of ICT services to financial entities will need to pay attention to DORA if they offer services in the EU. EU financial entities subject to DORA include full-scope AIFMs, MiFID investment firms, UCITS management companies, credit institutions, CSDs, CCPs, payment institutions, e-money institutions, authorised cryptoasset service providers and trading venues.

2 Mandatory contractual provisions - haven't we been here before...?

DORA imposes content requirements for all contractual arrangements between financial entities and ICT third-party service providers for "ICT services" (including intra-group ICT contracts), although there are more prescriptive requirements for contracts supporting critical or important functions.

This will feel like familiar territory to financial services organisations: it's fair to say that there is significant cross-over between the contractual requirements in DORA and those in existing EU guidance and legislation, such as the European Banking Authority (EBA) guidelines on outsourcing, the European Securities and Markets Authority's guidelines on outsourcing to cloud service providers and PSD2. Many firms will have undertaken contract remediation projects already to comply with those regimes. While the changes made as part of those projects may go a long way towards complying with the contractual requirements under DORA, we would nevertheless caution firms against thinking that the job has already been done:

  • Contracts which fell outside the scope of previous updating exercises (because they were not an "outsourcing") may need to be considered afresh for compliance with DORA. Unlike the EBA guidelines, DORA is not limited to outsourcing contracts - "ICT services" are not restricted to services that the financial entity would normally undertake itself. Instead, "ICT services" are broadly defined as:

"digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services"

  • While the existing EU guidelines and contractual requirements under DORA are aligned in many respects, there are some differences which will need to be addressed. By way of example, DORA specifically demands that all contracts for ICT services include a requirement for service providers to provide assistance, when an ICT incident that is related to those services occurs, "at no additional cost or at a cost that is determined ex-ante".

In-scope financial entities will therefore need to undertake a DORA compliance project which will, once all relevant ICT contracts have been identified, likely involve a gap analysis and repapering of a number of ICT contracts.

3 What key obligations are to be included in all contracts for ICT services?

All contracts for ICT services must be in writing and be documented, including service level agreements, in "one written document" which must be available "on paper, or in a document with another downloadable, durable and accessible format".

Most of the requirements that apply to all contracts for ICT services are those which should already be addressed in any well-drafted contract for these types of services: a clear and complete description of the services and the location from which they are provided, service level descriptions, detailed data protection provisions, appropriate termination rights and minimum notice periods, and provisions requiring full cooperation with the competent authorities. Other provisions, such as those relating to assistance (and cost) in the event of an ICT incident, and conditions for the service provider's participation in the financial entities' security awareness programmes and digital operational resilience training, are less likely to be routinely addressed in a compliant manner in a service provider's existing standard terms.

4 More extensive requirements for contracts supporting critical or important functions

The requirements for contracts for ICT services which support critical or important functions are more prescriptive than those applicable to other contracts.

Critical or important function

A "critical or important function" is "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".

The level of detail required for these contracts will be greater and they will also need to include extra provisions, for example, an obligation on the service provider to cooperate in threat-based penetration testing, to implement contingency plans and put in place security measures providing an appropriate level of security. They must also make provision for unrestricted rights of access, inspection and audit and exit strategies, such as setting an appropriate mandatory transition period.

5 Standard contractual clauses

DORA does not mandate specific contractual wording to meet its requirements. It does however contemplate public authorities developing standard clauses for this purpose in relation to "specific" services (cloud computing services, for example) and requires financial entities and ICT third-party service providers "to consider" using such clauses in those circumstances.

Firms can expect the larger ICT service providers to issue their own standard addenda or equivalent, or explanatory documentation mapping their existing clauses to DORA's contractual requirements.

6 The broader context

DORA's specific content requirements for ICT contracts sit alongside a broader set of requirements for "sound management" of ICT third-party risk, which will have a bearing on contract remediation projects, as well as on new contractual arrangements with ICT service providers. Two tranches of draft RTSs have been published for consultation, setting out more detail in relation to a number of these requirements and so firms will need to ensure that their approach is sufficiently flexible to accommodate the greater detail introduced by the RTSs.

Principle of proportionality

As an overarching principle, firms' management of third-party risk and their implementation of these rules is subject to a principle of proportionality. The principle of proportionality is helpful, particularly for small and medium-sized firms. It means taking into consideration a number of factors, such as size and overall risk profile, the nature, scale and complexity of their services and operations, the degree of dependency upon, and the criticality of, the third-party services, and potential impact (both at an individual and at group level) of service failures, including, of course, for end customers.

Firms will be required to maintain and update a register of information in relation to all contracts with ICT third-party service providers and distinguish between those ICT services that support critical or important functions and those that do not. This register (or specific parts of it) must be made available upon request by a competent authority. As part of a DORA contract remediation project, firms will need to triage contracts in any event to identify those which support critical or important functions and will likely focus on those first, owing to the complexity of the underlying terms, the sophistication of the suppliers and the higher bar that these contracts will need to meet.

Firms will need to ensure that they have processes in place to comply with the "sound management" principles set out in DORA. While these obligations may not be mandated content for contracts in the strictest sense, a number of them (obligations around termination and exit strategies in particular) are best supported through express provisions in the contract with the service provider. There may however be a longer debate with service providers around the inclusion and drafting of these provisions than around provisions which more closely track mandatory content requirements.

What about the UK?

For developments in relation to the regulation of critical third party suppliers to authorised firms and financial market infrastructures in the UK (the UK's equivalent to DORA, albeit not its mirror image), please see our recent briefing here.

7 How can we help?

Please do get in touch with us to find out more about DORA, its potential impact on your organisation and how our Technology & Commercial Transactions and Financial Services & Markets teams at Travers Smith can assist with your DORA project.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.