
Digital Operational Resilience Act (DORA) Article 30 – Key contractual provisions

Published February 11, 2025
Contributors

Anas Baig

Product Marketing Manager at Securiti

Rohma Fatima Qayyum

Associate Data Privacy Analyst at Securiti


The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the operational resilience of financial entities against digital risks. It is designed to ensure that businesses in the financial sector can withstand, respond to, and recover from Information and Communication Technology (ICT)-related disruptions, such as cyberattacks and system failures.

DORA aims to enhance the security and stability of the financial system and foster trust in digital operations by instituting uniform compliance requirements for financial entities across the EU. The regulation entered into force on January 16, 2023, and has applied in full since January 17, 2025.

What is DORA Article 30?

One of DORA's provisions, Article 30, addresses the contractual rights and obligations of financial entities and their ICT third-party service providers. It sets out the minimum contractual requirements needed to secure financial entities' digital operational resilience and to strengthen the stability and continuity of financial operations in an increasingly digital environment. By requiring essential contractual terms on matters such as risk management, performance criteria, and security measures, it also aims to protect financial entities against ICT-related disruptions and to ensure compliance with EU regulatory requirements.

Article 30 Key Contractual Provisions

The rights and obligations of the financial entity and of the ICT third-party service provider must be clearly allocated and set out in writing. The full contractual arrangement, including the service level agreements, must be documented in a single written document that is available to both parties on paper or in another downloadable, durable, and accessible format.

At a minimum, contractual arrangements for the use of ICT services must include the following key components:

A. Service Scope and Subcontracting Terms

The contract must contain a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider. It must also state whether subcontracting of an ICT service that supports a critical or important function (or material parts of it) is permitted and, if so, the conditions that apply to such subcontracting.

B. Service and Data Processing Locations

The contract must specify the regions or countries where the contracted or subcontracted functions and ICT services will be provided and where data will be processed, including the storage location. If the ICT third-party service provider envisages changing any of these locations, it must notify the financial entity in advance.

C. Data Protection and Security Provisions

To protect data, including personal data, the contract must include provisions on data availability, authenticity, integrity, and confidentiality.

D. Data Access and Recovery in Service Disruption

The contract must include clauses ensuring that personal and non-personal data processed by the financial entity can be accessed, recovered, and returned in an easily accessible format if the ICT third-party service provider becomes insolvent, is placed into resolution, or discontinues its business operations, or if the contractual arrangement is terminated.

E. Service Level Descriptions and Updates

The contract must contain service level descriptions, including any updates and revisions to them. For ICT services supporting critical or important functions, these descriptions must also carry the precise quantitative and qualitative performance targets described further below, so that the financial entity can monitor the ICT services effectively and take corrective action, without undue delay, when agreed service levels are not met.

F. Incident Assistance Obligation

If an ICT incident related to the ICT service provided to the financial entity occurs, the contract must oblige the ICT third-party service provider to assist the financial entity, either at no additional cost or at a cost determined in advance.

G. Cooperation with Authorities

The contract must oblige the ICT third-party service provider to cooperate fully with the competent authorities and the resolution authorities of the financial entity, including any persons appointed by them.

H. Termination Rights and Notice Periods

The contract must set out termination rights and the related minimum notice periods for terminating the contractual arrangement, in line with the expectations of competent authorities and resolution authorities.

I. Participation in Security Awareness and Resilience Training

In accordance with Article 13(6) of DORA, the contract must set out the conditions under which the ICT third-party service provider will participate in the financial entity's ICT security awareness programs and digital operational resilience training. This helps ensure that the provider's staff meet the financial entity's security and resilience expectations.

For ICT services supporting critical or important functions, the contractual arrangements must, in addition to the above, include the following:

A. Service Levels with Performance Targets and Monitoring

The contract must include full service level descriptions, including updates and revisions, with precise quantitative and qualitative performance targets within the agreed service levels. These targets must allow the financial entity to monitor the ICT services effectively and to take appropriate corrective action, without undue delay, when the agreed service levels are not met.

B. Notice Periods and Reporting Obligations

The contract must set out the ICT third-party service provider's notice periods and reporting obligations to the financial entity, including the obligation to notify the financial entity of any development that might have a material impact on the provider's ability to provide ICT services supporting critical or important functions in accordance with the agreed service levels.

C. Contingency Planning and Security Requirements

The contract must require the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools, and policies that provide an appropriate level of security for the provision of services by the financial entity, in line with the financial entity's regulatory framework.

D. Participation in Threat-Led Penetration Testing (TLPT)

The contract must oblige the ICT third-party service provider to participate and cooperate fully in the financial entity's TLPT, as referred to in Articles 26 and 27 of DORA, so that the security of the ICT services it provides can be assessed and improved.

E. Monitoring, Audit, and Inspection Rights

The financial entity must have the right to monitor the ICT third-party service provider's performance on an ongoing basis. This entails unrestricted rights of access, inspection, and audit for the financial entity, an appointed third party, and the competent authority, together with the right to take copies of relevant documentation on-site if that documentation is critical to the provider's operations.

The effective exercise of these rights must not be impeded or limited by other contractual arrangements or implementation policies. The financial entity also has the right to agree on alternative assurance levels if other clients' rights are affected. The ICT third-party service provider must cooperate fully during on-site inspections and audits performed by the competent authorities, the Lead Overseer, the financial entity, or an appointed third party, and the contract must provide details on the scope, procedures, and frequency of such inspections and audits.

F. Exit Strategies and Transition Period

Exit strategies must establish a mandatory and adequate transition period during which the ICT third-party service provider continues to provide the respective functions or ICT services, with a view to reducing the risk of disruption at the financial entity or ensuring its effective resolution and restructuring.

The transition period must also allow the financial entity to migrate to another ICT third-party service provider or to change to in-house solutions, consistent with the complexity of the service provided.

When negotiating contractual arrangements, financial entities and ICT third-party service providers should consider using the standard contractual clauses developed by public authorities for specific services.

The European Supervisory Authorities (ESAs), through the Joint Committee, will develop regulatory technical standards that further specify the elements a financial entity must determine and assess when subcontracting ICT services supporting critical or important functions. These standards take into account the size and overall risk profile of the financial entity and the nature, scale, and complexity of its services, activities, and operations.

Frequently Asked Questions (FAQs)

How many articles does DORA have?

DORA has 64 articles that address a range of ICT risk management, resilience, and supervision topics for EU financial entities.

What is DORA?

DORA is an EU regulation that sets strict requirements for monitoring and mitigating ICT risks, including incident reporting and rules for the use of third-party service providers. Its goal is to improve the cybersecurity and operational resilience of financial entities.

Who must comply with DORA?

Financial entities operating in the EU must comply with DORA's cybersecurity, operational resilience, and ICT risk management requirements in order to maintain a stable and secure digital environment.
