The EU’s Digital Operational Resilience Act (“DORA”) will become applicable from the 17th January 2025 and is meant to create a comprehensive technology risk regulatory framework for ensuring the EU financial sector’s “digital operational resilience”.

While DORA was conceived with a focus on financial institutions, its implications extend beyond the financial sector and effectively encompass or affect Information and Communication Technology (“ICT”) service providers that serve the financial sector. This happens either directly, where DORA itself applies to a provider under its Oversight Framework for Critical ICT Third-Party Service Providers, or indirectly, through the contractual requirements which DORA imposes on financial entities in their arrangements with ICT third-party service providers.

Critical ICT Third-Party Service Providers

DORA establishes a regulatory Oversight Framework for ICT Third-Party Service Providers which are designated as “critical” in terms of DORA.

Such designation is made pursuant to a mechanism which considers the extent and nature of the financial sector’s reliance on the ICT third-party service provider, revolving around the significance of the services provided, the potential systemic impact in the event of their disruption, the degree to which financial entities rely on the provider for critical or important functions, and how readily the provider could be substituted.

The designation is issued by the European Supervisory Authorities (the “ESAs”), namely the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”), and the European Securities and Markets Authority (“ESMA”), acting through their Joint Committee and upon recommendation from the Oversight Forum.

Mainly the largest ICT service providers are expected to be designated as Critical ICT Third-Party Service Providers under the DORA framework.

How Does DORA Affect All ICT Service Providers that Service the Financial Sector?

DORA seeks to achieve a high common level of digital operational resilience for the financial sector by laying out rules and obligations applicable to financial entities in relation to:

a) ICT risk management;

b) reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;

c) reporting of major operational or security payment-related incidents to the competent authorities by certain financial entities;

d) digital operational resilience testing;

e) information and intelligence sharing in relation to cyber threats and vulnerabilities; and

f) measures for the sound management of ICT third-party risk.

While the above obligations are directed to financial entities, DORA also imposes rules on contractual content requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities.

In this regard, it should be noted that DORA defines “ICT services” broadly as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. A provider that does not think of itself as a software or cloud vendor may therefore still be supplying ICT services within the meaning of DORA.

Requirements in Contracts for ICT Services

DORA establishes a minimum set of contractual requirements which apply to any contractual arrangement for ICT services between a financial entity and an ICT third-party service provider. These minimum contractual content requirements are mainly enshrined in Article 30(2) of DORA, which requires such arrangements to include at least the following:

  1. a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
  2. the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
  3. provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
  4. provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
  5. service level descriptions, including updates and revisions thereof;
  6. the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
  7. the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
  8. termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
  9. the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).

More extensive contractual requirements are however imposed for ICT services “supporting critical or important functions” of a financial entity. DORA defines a critical or important function as "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".

The additional contractual requirements for ICT third-party service provider contracts supporting critical or important functions are mainly enshrined in Article 30(3) of DORA and include further extensive provisions which ICT service providers should consider carefully. Examples include an obligation on the service provider to participate and fully cooperate in the financial entity’s threat-led penetration testing (TLPT); unrestricted rights of access, inspection and audit for the financial entity, an appointed third party and the competent authority; and exit strategies, in particular the establishment of a mandatory and adequate transition period.

ICT Service Providers: Prepare for Contractual Revisions

Although DORA only becomes applicable on 17 January 2025, ICT service providers should already be preparing to engage in discussions to amend existing contracts for compliance purposes, and should bear DORA’s impending requirements in mind when entering into new contracts.

It should also be noted that on 25 March 2024 the Malta Financial Services Authority (“MFSA”) published the “Authority’s Minimum Expectations in Relation to Financial Entities’ Preparedness to Regulation (EU) 2022/2554 on Digital Operational Resilience”. Among the MFSA’s 2024 minimum expectations for sufficient DORA preparedness is Expectation 17, namely that:

“Financial Entities have taken steps towards aligning their current written contractual arrangements with ICT Third-Party Service Providers to the key contractual provisions specifically mentioned in Article 30 of the DORA Regulation”.

ICT service providers therefore need to begin their DORA preparedness at a time when certain key matters remain in development, including, for example, the adoption of DORA’s final draft technical standards (the Regulatory Technical Standards and the Implementing Technical Standards). Furthermore, the standard contractual clauses which public authorities are developing for specific services are not yet available.

Similarly, the interplay between DORA and the NIS 2 Directive (Directive (EU) 2022/2555) cannot yet be fully assessed, since to date no Maltese national law transposing NIS 2 has been published, nor have the related designations been made.

A further difficulty for ICT service providers is that whether a particular contractual arrangement with a financial entity requires the extensive clauses mandated for arrangements supporting critical or important functions ultimately depends on an assessment and determination that is made by the financial entity and lies outside the ICT service provider’s control.

For more information or assistance on Technology Law please contact Dr Ian Gauci and Dr Terence Cassar.

You may also be interested in reading: https://gtg.com.mt/dora-consultation-draft-rts-enhanced-oversight/


Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.