BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Preparing for DORA: Mind the Gap

Starting January 17, 2025, financial entities based in the European Union must have in place processes and policies, as well as mandatory contract provisions with their third-party technology vendors, that comply with the EU’s Digital Operational Resilience Act (DORA). Financial entities are currently at varying stages of updating their operational risk management frameworks and remediating contracts with technology vendors. For banks, the European Central Bank has signaled that resiliency will be a top priority on its supervisory agenda.

In this blog we take a look at the mandatory contract provisions under DORA, how they map to existing regulatory regimes in respect of outsourcing arrangements (highlighting the gaps between DORA and those regimes), and key considerations for designing a path for contract remediation for DORA compliance.

Scope and Objective

DORA applies to financial institutions, investment firms, fund management companies, insurance undertakings, and other regulated financial entities based in the EU.

One of DORA’s key objectives is to strengthen financial entities’ operational resilience by ensuring prudent risk management of a broad array of information technology and communication (ICT) services, including all of an organization’s cloud, software-as-a-service (SaaS), digital data, and IT infrastructure arrangements.

Mandatory Contract Provisions

DORA requires financial entities to ensure that all contracts with third-party ICT service providers, both intragroup and external, include mandatory contract provisions around the following:

  • Access and audit rights
  • Performance standards
  • Service locations
  • Data and confidentiality
  • Business continuity
  • Termination rights
  • Cooperation with authorities
  • Classification, notification, and reporting of major ICT-related incidents
  • Compliance with appropriate information security standards and other policies

For contracts with third-party ICT service providers that support critical or important functions, there are more prescriptive requirements around the following:

  • Access and audit rights
  • Subcontracting
  • Reporting obligations
  • Business contingency planning and testing
  • Participation in threat-led penetration testing
  • Exit planning

Key Gaps Between DORA and Existing Outsourcing Regulatory Regimes

EU financial institutions and investment firms will be familiar with existing EU regulatory expectations in respect of outsourcing arrangements, including the European Banking Authority’s Guidelines on Outsourcing Arrangements and the European Securities and Markets Authority’s Guidelines on Outsourcing to Cloud Service Providers.

Those guidelines include many of the same concepts (such as assessing “critical or important functions”) and require similar, if not the same, contract terms for outsourcings that support critical or important functions as those listed above. However, there are additional requirements under DORA that will likely create gaps between compliance with existing outsourcing regulatory regimes and compliance with DORA.

The key gaps between DORA and those existing regimes are as follows:

  • The scope of ICT services is broader under DORA, extending beyond services that the financial entity could otherwise undertake itself, e.g., digital data subscription services, SaaS, certain software licensing.
  • All contracts for ICT services must contain mandatory contractual provisions under DORA, not just those supporting critical or important functions. This will require remediating certain contracts that may have fallen outside of outsourcing contract remediation projects as well as amending contracting procedures for ICT services going forward.
  • There are additional mandatory contract provisions, such as participation by the ICT services provider in the financial entity’s digital operational resilience training and providing assistance with ICT incidents at no additional cost (or at a cost determined ex ante).
  • A separate policy must be adopted addressing compliance with the contractual requirements for third-party ICT services supporting critical or important functions, in addition to maintaining a register of all third-party ICT services arrangements (similar to the register of material outsourcings).

Businesses already subject to, and compliant with, the existing outsourcing regulatory regimes will need to undertake a contract remediation process to close the gaps in order to also meet the DORA requirements.

Key Considerations for Contract Remediation

Designing a suitable and efficient path to contract remediation can be a daunting task, especially where financial entities have hundreds of contracts in place with technology vendors. To achieve this, and based on our experience, the contract remediation project should be organized methodically into phases and take account of the following key considerations:

  • Assessment of the contract portfolio should identify ICT service types, criticality or importance of the ICT services, and in-scope EU territories. It may help to segment contracts into those which are brief, standard-form technology contracts and other more complex outsourcing contracts.
  • Where possible, automating the diligence of individual contracts can create efficiencies, though it is critical that the outputs of automated reviews are validated.
  • Preparing a contract addendum may be the most efficient method of remediation, which is then adapted for individual contracts, and firms can leverage any addenda previously used for compliance with mandatory contract terms for regulated outsourcings. Such an addendum could take a modular form enabling jurisdiction-specific issues to be added or removed, e.g., to address nuances around incident reporting, and also to adapt remediation for each contract based on the outcome of diligence.
  • The mandatory contract terms under DORA may be divided into “legal” terms (e.g., audit provisions, termination rights) and “business” terms (e.g., service definitions). For the latter, a bespoke remediation process may need to be agreed and documented with applicable business SMEs, to be completed before January 17, 2025 or as soon as possible thereafter.
  • Where remediation is required, early engagement of ICT service providers is key, and it may be prudent to prioritize certain providers based on criticality of services and/or complexity of contracts, as noted above.
  • In certain instances, financial entities may themselves act as an ICT service provider, such as where they provide platform solutions to other financial institutions as their customers. This will require a holistic view to be taken of the contract positions such entities take with their ICT service providers as against those given to their customers.