Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) applies from 17 January 2025, imposing new obligations on financial entities, including insurance undertakings, regarding digital operational resilience.
Article 30 of DORA is particularly important, as it sets out the key contractual provisions that must appear in contractual arrangements between these entities and their ICT (information and communication technology) third-party service providers.
Article 30 applies to all financial entities, including insurance companies, that use ICT services provided by third-party providers. It aims to ensure that contracts with these providers are clear, comprehensive, and in line with the new standards of digital operational resilience.
Mapping and reviewing existing contracts
Companies must undertake a comprehensive mapping of their current contracts with ICT third-party service providers.
The objectives are to:
- identify existing contracts affected by the new obligations;
- review and amend those contracts to ensure compliance with Article 30;
- integrate DORA's requirements into all future contracts.
Contractual provisions from Article 30
1st layer: general obligations (Article 30(2))
To be compliant, each contract must include at least the following elements:
- description of ICT services:
- does the contract contain a clear and complete description of all ICT services and functions to be provided by the supplier?
- does it indicate whether subcontracting of these services is permitted and, if so, the applicable conditions?
- location of services and data:
- does the contract specify the locations (regions or countries) where the ICT services will be provided and where the data will be processed, including the storage location?
- is the supplier obliged to notify the financial entity in advance if it plans to change these locations?
- data protection:
- does the contract include provisions on the availability, authenticity, integrity, and confidentiality of data, including personal data?
- access and recovery of data:
- does the contract provide for access, recovery, and return of personal and non-personal data in the event of the supplier's insolvency, resolution, or discontinuation of business operations, or on termination of the contract?
- do these provisions ensure that the data will be returned in an easily accessible format?
- descriptions of service levels:
- does the contract include descriptions of service levels, including updates and revisions thereof?
- assistance in the event of ICT incidents:
- is the supplier obliged to provide assistance to the financial entity, at no additional cost or at a cost determined in advance, when an ICT incident related to the service provided occurs?
- cooperation with competent authorities:
- does the contract require the supplier to fully cooperate with the financial entity's competent authorities and resolution authorities, including persons appointed by them?
- termination rights:
- does the contract specify the termination rights and related minimum notice periods, in line with the expectations of competent authorities and resolution authorities?
- participation in security programmes:
- does the contract set out the conditions for the supplier's participation in the financial entity's ICT security awareness programmes and digital operational resilience training (Article 13(6))?
2nd layer: critical or important functions (Article 30(3))
Additional requirements apply if the ICT services support a critical or important function. Article 3(22) defines this as a function whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or whose discontinued, defective, or failed performance would materially impair the financial entity's continuing compliance with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
In addition to the elements above, each such contract must include at least the following:
- comprehensive descriptions of service levels:
- does the contract provide full service level descriptions, including updates and revisions, with precise quantitative and qualitative performance targets?
- do these descriptions enable effective monitoring by the financial entity and allow appropriate corrective action to be taken without undue delay when agreed service levels are not met?
- notification of impacting developments:
- does the contract set notice periods and reporting obligations, including the supplier's obligation to notify the financial entity of any development that might have a material impact on its ability to provide the ICT services in line with the agreed service levels?
- contingency plans and ICT security:
- is the supplier required to implement and test business contingency plans?
- has it put in place ICT security measures, tools, and policies that provide an appropriate level of security for the services provided, in line with the financial entity's regulatory framework?
- participation in penetration testing:
- is the supplier obliged to participate and fully cooperate in the financial entity's threat-led penetration testing (Articles 26 and 27)?
- audit and inspection rights:
- does the contract grant the financial entity (or an appointed third party) and the competent authority unrestricted rights of access, inspection, and audit, and the right to agree on alternative assurance levels if other clients' rights are affected?
- is the supplier required to fully cooperate during on-site inspections and audits?
- does the contract provide details on the scope, the procedures to be followed, and the frequency of these inspections and audits?
- exit strategies:
- does the contract include exit strategies, notably:
- a mandatory adequate transition period during which the supplier continues to provide the services, to reduce the risk of disruption at the financial entity or to ensure its effective resolution and restructuring?
- the ability for the financial entity to migrate to another supplier or to change to in-house solutions consistent with the complexity of the service provided?
3rd layer: register requirements (Article 28(3))
Regardless of the criticality of the functions supported, all financial entities must maintain and update a register of information covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing those arrangements that support critical or important functions from those that do not.
Be prepared and ensure your contractual arrangements are compliant with DORA by 17 January 2025!