Urgent contract review: The Impacts of the DORA Regulation on the Financial Sector

The Digital Operational Resilience Act, DORA (Regulation (EU) 2022/2554 of the European Parliament and of the Council of December 14, 2022), entered into force on January 16, 2023 and has applied since January 17, 2025, imposing new and stringent obligations on financial entities and on ICT third-party service providers (e.g., cloud computing providers, software providers, and ICT infrastructure providers).

In light of this new regulatory framework, existing contracts require an immediate and detailed analysis so that they can be reviewed and updated.

This is because, in addition to introducing structural obligations regarding the security and resilience of financial entities’ systems, the DORA Regulation creates a detailed regulatory framework governing contractual relations with so-called «ICT third-party service providers», responding to the growing dependence of financial entities on external vendors to support their ICT functions and processes.

One of the core elements of DORA is the management of risks associated with these third-party providers, establishing a minimum set of contractual obligations that both financial entities and providers must comply with, aimed primarily at ensuring (i) continuous monitoring of the services provided to ensure the financial entities’ operational continuity and (ii) effective supervision by the competent authorities over ICT service providers, especially those supporting critical or important functions of financial entities.

To ensure effective monitoring, operational continuity, and regulatory oversight, the European legislator, through Article 30 of the DORA Regulation, has set forth that contracts between financial entities and ICT third-party service providers must, at a minimum, include the following provisions:

– A detailed description of the ICT services to be provided, including the possibility and conditions for subcontracting;

– Identification of the service delivery and data processing locations, with the obligation for prior notification in case of any changes;

– Strict obligations on data treatment policies, ensuring availability, integrity, authenticity, and confidentiality, and compliance with the General Data Protection Regulation (GDPR);

– Access and data recovery procedures in case of cessation of activity or insolvency;

– Service level agreements (SLAs), including periodic updates and revisions;

– Mandatory assistance in the event of ICT incidents, at no additional cost or at a cost determined ex ante;

– Obligation to cooperate with competent authorities;

– Termination clauses with minimum notice periods;

– Conditions for participation in ICT security awareness programmes and digital operational resilience training.

When the ICT third-party service providers support critical or important functions, contracts must also include:

– Full descriptions of service levels, with strict performance goals, including quantitative and qualitative targets;

– Pre-notification obligations regarding any developments that may materially affect the ICT provider’s ability to effectively deliver services;

– Contingency plans and robust security measures, regularly tested and adjusted to ensure regulatory compliance;

– Mandatory participation and full cooperation in Threat-Led Penetration Testing (TLPT);

– Unrestricted rights of access, inspection and audit, enabling continuous monitoring of the provider;

– Exit strategies and mandatory transition periods to ensure continuity or efficient migration of services.

In response to these regulatory requirements, financial entities must adopt a proactive approach, implementing:

(a) A rigorous mapping process of internal processes relying on third-party ICT services, prioritizing those supporting critical or important functions;

(b) A program for defining and managing priorities for contractual review;

(c) A strict schedule to ensure compliance with the Regulation.

Entities must also maintain an up-to-date register of information on all contractual arrangements with ICT third-party service providers, identifying in particular those supporting critical or important functions. This register must be made available to the competent authorities on request to enable quick and effective verification of regulatory compliance.

Lastly, it is important to note that the competent authorities oversee financial entities, while ICT third-party service providers designated as critical are subject to an Oversight Framework led by a Lead Overseer, which may impose periodic penalty payments on non-compliant critical ICT third-party service providers of up to 1% of their average daily worldwide turnover in the preceding business year.

has experienced lawyers in the areas of Contracts, Compliance, and , and can provide legal advice in this field, effectively supporting the contractual review process.
