DORA: time to review your ICT contracts

DORA sets out operational resilience requirements both for financial services firms in their use of ICT services and for certain third parties providing those ICT services. DORA is therefore important not only for financial services firms but also for providers of ICT services to financial entities – including, significantly, those based outside the EU. Whilst DORA will not apply in the UK, UK-based financial services firms and providers of ICT services to financial entities will need to pay attention to DORA if they offer services in the EU. EU financial entities subject to DORA include full-scope AIFMs, MiFID investment firms, UCITS management companies, credit institutions, CSDs, CCPs, payment institutions, e-money institutions, authorised cryptoasset service providers and trading venues.  

DORA imposes content requirements for all contractual arrangements between financial entities and ICT third-party service providers for "ICT services" (including intra-group ICT contracts), although there are more prescriptive requirements for contracts supporting critical or important functions. 

This will feel like familiar territory to financial services organisations: it's fair to say that there is significant cross-over between the contractual requirements in DORA and those in existing EU guidance and legislation, such as the European Banking Authority (EBA) guidelines on outsourcing, the European Securities and Markets Authority's guidelines on outsourcing to cloud service providers and PSD2.  Many firms will have undertaken contract remediation projects already to comply with those regimes.  While the changes made as part of those projects may go a long way towards complying with the contractual requirements under DORA, we would nevertheless caution firms against thinking that the job has already been done:

• Contracts which fell outside the scope of previous updating exercises (because they were not an "outsourcing") may need to be considered afresh for compliance with DORA.    Unlike the EBA guidelines, DORA is not limited to outsourcing contracts - "ICT services" are not restricted to services that the financial entity would normally undertake itself.  Instead, "ICT services" are broadly defined as:

• While the existing EU guidelines and contractual requirements under DORA are aligned in many respects, there are some differences which will need to be addressed.  By way of example, DORA specifically demands that all contracts for ICT services include a requirement for service providers to provide assistance, when an ICT incident that is related to those services occurs, "at no additional cost or at a cost that is determined ex-ante".

In-scope financial entities will therefore need to undertake a DORA compliance project which will, once all relevant ICT contracts have been identified, likely involve a gap analysis and repapering of a number of ICT contracts.

All contracts for ICT services must be in writing and be documented, including service level agreements, in "one written document" which must be available "on paper, or in a document with another downloadable, durable and accessible format". 

Most of the requirements that apply to all contracts for ICT services are those which should already be addressed in any well-drafted contract for these types of services: a clear and complete description of the services and the location from which they are provided, service level descriptions, detailed data protection provisions, appropriate termination rights and minimum notice periods, and provisions requiring full cooperation with the competent authorities.  Other provisions, such as those relating to assistance (and cost) in the event of an ICT incident, and conditions for the service provider's participation in the financial entities' security awareness programmes and digital operational resilience training, are less likely to be routinely addressed in a compliant manner in a service provider's existing standard terms.

The requirements for contracts for ICT services which support critical or important functions are more prescriptive than those applicable to other contracts.    

The level of detail required for these contracts will be greater and they will also need to include extra provisions, for example, an obligation on the service provider to cooperate in threat-based penetration testing, to implement contingency plans and put in place security measures providing an appropriate level of security.  They must also make provision for unrestricted rights of access, inspection and audit and exit strategies, such as setting an appropriate mandatory transition period.

DORA does not mandate specific contractual wording to meet its requirements.  It does however contemplate public authorities developing standard clauses for this purpose in relation to "specific" services (cloud computing services, for example) and requires financial entities and ICT third-party service providers "to consider" using such clauses in those circumstances. 

Firms can expect the larger ICT service providers to issue their own standard addenda or equivalent, or explanatory documentation mapping their existing clauses to DORA's contractual requirements. 

DORA's specific content requirements for ICT contracts sit alongside a broader set of requirements for "sound management" of ICT third-party risk, which will have a bearing on contract remediation projects, as well as on new contractual arrangements with ICT service providers.  Two tranches of draft RTSs have been published for consultation, setting out more detail in relation to a number of these requirements and so firms will need to ensure that their approach is sufficiently flexible to accommodate the greater detail introduced by the RTSs.

Firms will be required to maintain and update a register of information in relation to all contracts with ICT third-party service providers and distinguish between those ICT services that support critical or important functions and those that do not. This register (or specific parts of it) must be made available upon request by a competent authority.  As part of a DORA contract remediation project, firms will need to triage contracts in any event to identify those which support critical or important functions and will likely focus on those first, owing to the complexity of the underlying terms, the sophistication of the suppliers and the higher bar that these contracts will need to meet.  

Firms will need to ensure that they have processes in place to comply with the "sound management" principles set out in DORA.  While these obligations may not be mandated content for contracts in the strictest sense, a number of them (obligations around termination and exit strategies in particular) are best supported through express provisions in the contract with the service provider.  There may however be a longer debate with service providers around the inclusion and drafting of these provisions than around provisions which more closely track mandatory content requirements.

Please do get in touch with us to find out more about DORA, its potential impact on your organisation and how our Technology & Commercial Transactions and Financial Services & Markets teams at Travers Smith can assist with your DORA project.