The Challenge Organizations Face to Become DORA Compliant Is Not to Be Underestimated

As part of the process for completing the registers of information, financial entities should review their existing contracts with ICT Providers to ensure that they contain the mandatory provisions specified by DORA. In parallel, financial entities should be considering necessary updates to their standard form agreements for the outsourcing and/or procurement of ICT services to streamline contractual negotiations with any new ICT Providers. Our overview of the mandatory contractual terms can be found here.

Registers of Information
As part of their ICT risk management framework, DORA requires financial entities to maintain a register of information setting out all contractual arrangements entered into with ICT Providers on the use of ICT services. The scope of the reporting requirement is broad, and the register needs to be maintained both at sub-consolidated and consolidated levels.

The register of information and any other information needs to be submitted to the ESAs on an annual basis, or on request. The registers must set out any new arrangements for the use of ICT services, the categories of ICT Providers the financial entity has engaged, the types of contractual arrangements in place, and the ICT services and functions that are being provided. The register must also clearly distinguish between contractual arrangements made with ICT Providers whose services support the financial entity’s critical or important functions and those that do not. “Critical or important functions” are functions, the disruption of which would materially impair the financial performance of a financial entity or its compliance with the conditions and obligations of its authorization or obligations under financial services law, or the soundness or continuity of its services and activities.

The purpose of the registers of information is not only to assist with financial entities’ internal ICT risk management (and to ensure regulators can appropriately supervise financial entities), but also to enable the ESAs to designate “critical” ICT Providers and to establish and conduct oversight of such ICT Providers.

Financial entities should be preparing their registers of information by engaging with their existing ICT Providers, including by:

• preparing DORA-specific questionnaires to understand ICT Providers’ intentions around compliance, and ensuring the financial entity has sufficient visibility and understanding of ICT Providers’ subcontractors and supply chains;
• conducting risk management exercises in collaboration with ICT Providers, including penetration testing; and
• placing ICT Providers on a risk register to comply with the requirement to remediate and further discuss any DORA-related risks.

Financial entities must have completed and submitted their registers of information by January 17, 2025.

Mandatory Contractual Requirements
DORA sets out mandatory contractual requirements which must be integrated into all contracts between financial entities and ICT Providers, as well as additional requirements that must be included where the ICT services provided are supporting a financial entity’s critical or important functions. While many of the requirements are likely to already be included in financial entities’ standard form contracts, a gap analysis of financial entities’ existing contractual arrangements with ICT Providers will be necessary to assess whether remediation is needed to align with DORA. As a proactive step, financial entities should consider preparing DORA amendments and addenda that can be applied to existing contracts to streamline and expedite negotiations with ICT Providers.

DORA also introduces specific contractual provisions relating to the subcontracting of ICT services, granting financial entities with significant visibility over ICT Providers’ supply chains. The provisions include:

All Contracts with ICT Providers

• A clear and complete description of all functions and ICT services to be provided by the ICT Provider, specifying whether the ICT Provider is permitted to subcontract the ICT services, and the conditions applying to such subcontracting (see below);
• The locations (regions or countries) where (1) the contracted or subcontracted functions and ICT services are to be provided, and (2) where data is to be processed or stored, and a requirement for the ICT Provider to give the financial entity prior notice if it plans on changing such locations;
• Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
• Provisions on ensuring access, recovery and return of personal and non-personal data processed by the ICT Provider to the financial entity in an easily accessible format (1) in the event of the insolvency, resolution or discontinuation of the business operations of the ICT Provider, or (2) in the event the ICT services contract is terminated; and
• The conditions of the ICT Providers’ participation in the financial entity’s ICT security awareness programs and digital operational resilience awareness training.

Contracts with ICT Providers Supporting Critical or Important Functions
In addition to the above, the below provisions must be included in contracts with ICT Providers whose ICT services support a financial entity’s critical or important functions. It is important to note that ICT Providers supporting a financial entity’s critical or important functions will not automatically mean that such ICT Provider is to be designated as a CTPP—the CTPP designations are assessed by ESAs based on criteria set out in DORA.

• Full service-level descriptions (including updates and revisions) to enable effective monitoring of the ICT services by the financial entity, and to enable appropriate corrective actions to be taken when agreed service levels are not met, such as service credits or termination rights;
• Notice periods and reporting obligations for the ICT Provider, including an obligation to notify the financial entity of developments which may have a material impact on the ICT Provider’s ability to provide the ICT services in line with the agreed service levels;
• Requirements for ICT Providers to implement and test their business contingency plans and to have in place security measures that align with the financial entity’s regulatory framework;
• The requirement for ICT Providers to participate and fully cooperate in the financial entity’s thread-led penetration testing; and
• The right of the financial entity to monitor the ICT Provider’s performance on an ongoing basis, including having unrestricted rights of access and audit, the right to agree on alternative assurance levels if the ICT Provider’s other clients’ rights are affected by the ICT Provider’s performance, and exit strategies (in particular, permitting the financial entity to migrate the ICT services to an alternative ICT Provider or to an in-house solution, including the provision of appropriate transition support).

Contractual Provisions Relating to Subcontracting
The ESAs published a draft regulatory technical standard (RTS) on subcontracting on July 26, 2024. The draft RTS specifies conditions for the subcontracting of ICT services supporting critical or important functions. The draft RTS is currently being reviewed by the European Commission and it is unlikely that any significant modifications will be made to the ESAs’ draft.

Contracts between financial entities and ICT Providers will need to set out whether the ICT Provider is permitted to subcontract the ICT services supporting a financial entity’s critical or important functions (or material parts thereof), and, if so, the conditions applicable to any such subcontracting arrangement. In particular, contracts must include provisions covering the following:

• The ICT Provider’s entire chain of subcontractors will need to be identified, and the identification of the chain must be kept up to date by the ICT Provider. Financial entities and competent and resolution authorities must also be granted the same rights of access, inspection and audit for the subcontracting chain as those granted to the ICT Provider;
• Financial entities will need to be informed of any material changes to the subcontracting arrangements, and must be given sufficient notice to assess the impact of the risks the financial entity is or might be exposed to as a result of the change. The length of the notice period will depend on the size and overall risk profile of the financial entity as well as the nature, scale and complexity of its services, activities and operations;
• Material changes to the subcontracting arrangements can only be implemented once the financial entity has approved, or not objected to, the changes by the end of the notice period (i.e., the change is deemed accepted if the financial entity does not object prior to the end of the notice period); and
• Financial entities must have termination rights where (i) the ICT Provider implements a material change to the subcontracting arrangements despite the financial entity’s objection, or (ii) the ICT Provider makes a material change to the subcontracting arrangements prior to the end of the notice period without the financial entity’s explicit approval, or (iii) the ICT Provider subcontracts any ICT services supporting a critical or important function that the ICT Provider is not explicitly permitted to subcontract in the contract between the ICT Provider and the financial entity.

Conclusion
Financial entities will need to ensure that all DORA requirements are complied with by the January 2025 compliance deadline. Financial entities will need to engage with ICT Providers to prepare registers of information and will need to remediate contracts with ICT Providers to include the DORA-mandated contractual provisions. We will closely follow any DORA developments.

The authors would like to thank trainee solicitor Anahita Shahrokh for her contributions to this client alert.