The Chartered Governance Institute UK & Ireland - Irish Region



Delving into DORA: ICT Contractual Arrangements

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (“DORA”) will apply from 17 January 2025. DORA introduces various requirements for the management of ICT third-party risk and financial entities should start reviewing their contractual arrangements and documentation in preparation for its application.

In-scope financial entities

DORA applies to almost all types of regulated financial entities recognised by EU law, including credit institutions, electronic money institutions, payment institutions, account information service providers, investment firms, crypto-asset service providers, issuers of asset-referenced tokens, alternative investment fund managers, UCITS management companies, insurance undertakings, reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, institutions for occupational retirement provision, central securities depositories, data reporting service providers, trading venues and crowdfunding service providers.

Register of Information

As part of the ICT risk management framework, financial entities must maintain and update a register of information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers. In January 2024, the European Supervisory Authorities (ESAs) published their final report on the implementing technical standard (ITS) for the register of information, setting out the templates to be used for the register at individual, sub-consolidated and consolidated level. The final ITS is expected to be adopted by the European Commission by July 2024. It will assist financial entities in meeting the register requirements and will standardise the information shared with the relevant supervisors.

It will be important for financial entities to maintain the register in a compliant manner, as they may be required to make it available to their competent authority (in Ireland, the Central Bank). To assist financial entities in preparing their register, the ESAs are offering a voluntary dry run from 1 July to 30 August 2024, during which participating entities can submit their register to their competent authority and receive feedback and support on its content and on the reporting process. The deadline for expressing interest in the dry run is 31 May 2024.

ICT Services Contracts to address mandatory elements

A key requirement of DORA is that all contracts between regulated financial entities and ICT third-party service providers for the use of ICT services must address certain minimum elements, as specified in Article 30. DORA adopts a tiered approach to such contracts: additional elements must be included where the ICT service supports a ‘critical or important function’.

Some of the mandatory elements to be addressed in all ICT services contracts include:

  • A clear and complete description of all functions and ICT services to be provided.
  • The locations (regions or countries) from which the ICT service is to be provided and where data will be processed, including the storage location, with an obligation on the provider to give advance notice of any change.
  • Provisions on the availability, authenticity, integrity and confidentiality of data, including personal data.
  • Access, recovery and return of data (personal and non-personal, in an easily accessible format) in the event of the provider’s insolvency, resolution or discontinuation of business operations, or on termination of the contract.
  • Full co-operation with the financial entity’s competent authorities and resolution authorities.
  • Termination rights and minimum notice periods.
  • Service level descriptions, including updates and revisions.
  • Assistance to the financial entity at no additional cost, or at a cost determined ex ante, when an ICT-related incident occurs in relation to the service.
  • Conditions for the third-party service provider’s participation in the financial entity’s ICT security awareness programmes and digital operational resilience training.

Many of the mandatory elements will be familiar to financial entities whose contracts are already drafted to comply with the European Banking Authority’s Outsourcing Guidelines (2019). While the overlap between those Guidelines and DORA is welcome, financial entities should not be lulled into a false sense of security: Article 30 of DORA requires more detail for certain provisions and introduces some new requirements. In most cases, an existing contract with an ICT third-party service provider will need to be amended to address DORA.

Another key point to emphasise is that DORA applies to a broader range of contracts than outsourcing arrangements alone, as it applies to any use of ‘ICT services’, which are defined as:

“digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.

The recitals to DORA emphasise that the definition of ‘ICT services’ is to be understood broadly and give examples of the breadth of in-scope arrangements. In short, given the breadth of this term, most financial entities are likely to have a number of contracts that will need to be updated, and larger, more complex entities may have a Herculean project ahead.
