The Digital Operational Resilience Act (“DORA”) requires that Financial Entities ensure that their ICT contracts include specific provisions that support business continuity, risk management, and regulatory compliance amongst other conditions imposed by DORA.
As a result, any ICT Service Provider that wishes to retain in-scope Financial Entities as clients will have to accept, to some degree, the integration of new DORA-related contractual obligations.
In this article, we shall explore some key essential themes for ICT Service Providers to consider when negotiating ICT contracts with Financial Entity clients.
1. Detailed Service Level Agreements
Having properly detailed Service Level Agreements (“SLAs”) is a requirement in terms of DORA. Thus, those ICT Service Providers who only make available basic SLAs, or perhaps no SLAs at all, will need to be able to supply a more developed SLA meeting DORA’s expectations.
In this regard, DORA and the related literature issued to date are not very prescriptive in terms of what an SLA should contain. For advanced ICT Service Providers who were already used to making available detailed SLAs, it is thus typical that few changes, if any, are actually envisaged to their SLA in view of DORA.
Any properly developed SLA that meets DORA expectations is envisaged to include at least:
As regards penalties for defaults on an SLA, ICT Service Providers may particularly wish to note that DORA does not preclude so-called “service credits” being negotiated as the relative (sole) penalty.
2. Risk Management and Security
DORA places significant emphasis on risk management and cybersecurity. ICT contracts should accordingly cover obligations for risk assessments to identify and mitigate risks/vulnerabilities, security incident reporting mechanisms, compliance with industry standards and related obligations.
While compliance with international security standards such as ISO 27001 does not in itself translate to DORA compliance, in practice it is probable that ICT Service Providers who can show certification against such standards, or can at least commit thereto, are best placed to provide Financial Entities with the reassurances that they would typically expect.
3. Audits
Financial Entities subject to DORA are expected to have the ability to audit ICT Service Providers, and thus accepting some level of audit rights towards the Financial Entity will be inevitable for ICT Service Providers.
Key provisions to consider when negotiating include:
4. Subcontracting Restrictions and Oversight
A level of subcontracting tends to be inherent in the service delivery of most ICT Service Providers. In turn, often the chain of subcontractors can be quite lengthy in that the subcontractors may also use further subcontractors. Accordingly, the DORA related expectations on subcontracting and oversight tend to be particularly key and sensitive topics for an ICT Service Provider when negotiating with Financial Entities.
Conditions on the disclosure and appointment of subcontractors arise from DORA. Financial Entities need to also be prepared and have controls against the introduction of new risks in view of changes to the subcontracting chain.
Reporting obligations on the Financial Entities’ subcontracting chain also apply.
Financial Entities may seek to retain control of the subcontracting chain, and approval processes for subcontracting should thus be carefully considered and negotiated.
A level of back-to-back flow-down of obligations by ICT Service Providers onto their subcontractors tends to be inevitable for the ICT Service Provider to be able to meet its respective commitments towards its Financial Entity clients.
5. Business Continuity and Exit Strategies
Operational resilience in terms of DORA extends beyond service uptime commitments in an ICT contract’s SLA. It also includes preparedness for disruptions and exit planning on contract termination.
Elements such as business continuity planning requirements, ensuring the ICT Service Provider has contingency measures, should be carefully considered and negotiated, as are termination assistance clauses requiring support to ensure a smooth transition, data portability and deletion, ensuring Financial Entities
In view of DORA, ICT contracts are expected to cover elements such as business continuity planning requirements, ensuring Financial Entities can retrieve or securely erase their data when switching providers, as well as relative minimum notice periods.
When it comes to business continuity, ICT Service Providers tend to consider their Business Continuity Policy a “trade secret”. Sharing a copy of the Business Continuity Policy does not to date emerge as a direct obligation under DORA, and thus ICT Service Providers can consider offering some alternative form of visibility during negotiations.
6. Legal Compliance Clauses
Oftentimes, Financial Entities may push for contracts having wording that states that both parties are committing to DORA compliance. As such, ICT Service Providers may wish to recall that DORA compliance is a legal obligation of the Financial Entity, and not directly of the ICT Service Provider.
Push back against such language may thus be considered as not just needed for better negotiations but also as needed to reflect the legal reality.
7. Commercial
In practical terms, for an ICT Service Provider to be able to commit to the various expectations that Financial Entities require in terms of DORA, considerable effort, time and resources need to be committed by the ICT Service Provider. Thankfully, to date, the DORA related literature does not preclude such assistance being charged for.
Thus, ICT Service Providers may wish to negotiate the inclusion of commercial related elements on any inputs/assistance that Financial Entities may need in their DORA related contractual updates.
Conclusion
The above are just some of the key themes that need to be considered when negotiating updates to ICT contracts in view of DORA.
Critically, ICT Service Providers may wish to note that they are somewhat dependent on their Financial Entity customers’ classification of them, since ultimately the content that the Financial Entity needs to include within an ICT contract depends on whether the Financial Entity deems the ICT services being provided by the ICT Service Provider as supporting critical or important functions, or otherwise.
Indeed, the bulk of the contractual content which must be included is enshrined within DORA article 30. DORA’s article 30(2) effectively sets out de minimis requirements applicable irrespective of the ICT Service Provider’s categorisation, while DORA’s article 30(3) applies as regards those ICT Service Providers supporting a critical or important function of the Financial Entity.
Further envisaged detail as to the contractual content is however found in the Regulatory Technical Standards (“RTS”) issued by the European Supervisory Authorities (“ESAs”), the key one for ICT Service Providers being the RTS concerning the subcontracting of ICT services supporting critical or important functions (the “Subcontracting RTS”).
Recently, the proposed draft Subcontracting RTS was refused by the EU Commission. Updates to ICT contracts with a view to ensuring the Financial Entity’s DORA compliance should thus be approached with yet even more caution, given the current state of flux.
Should you wish to read further about the RTS’ rejection, you may do so here.
This is the third article in our series “The DORA Edge: Empowering ICT Providers in Financial Services”.
For information or assistance please contact us at info@gtg.com.mt
Author: Dr Terence Cassar