Beginning January 17, 2025, financial entities based in the European Union must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with the EU Digital Operational Resilience Act (DORA).
In this blog post, we take a look at second-level requirements under DORA covering subcontracting information and communications technology (ICT) services supporting critical or important functions. The requirements introduce mandatory contract terms which are additional to equivalent requirements under existing outsourcing regulatory regimes and may be challenging to implement across technology vendors in less than six months; however, there is potentially some flexibility in that regard.
Background
For many requirements under DORA, including certain mandatory contract terms, the European supervisory authorities (ESAs) are required to develop further detail to the primary legislation in the form of regulatory technical standards (RTS) or, in respect of standard forms and templates, implementing technical standards.
Under Article 30(2)(a) of DORA, EU-based financial entities must ensure that their ICT services agreements state whether or not subcontracting of ICT services supporting critical or important functions is permitted (and any conditions). Under Article 30(5), the ESAs are required to develop draft RTS which specify further elements of Article 30(2)(a).
As we previously highlighted, many of the mandatory contract terms under DORA are consistent with existing outsourcing regulatory regimes, such as the European Banking Authority’s Guidelines on Outsourcing Arrangements and the European Securities and Markets Authority’s Guidelines on Outsourcing to Cloud Service Providers (together, the Outsourcing Guidelines). However, there are certain additional requirements under DORA that will likely create gaps between compliance with the Outsourcing Guidelines and compliance with DORA.
Mind the Gap
On July 26, the ESAs published in final form RTS (Final RTS) detailing, among other things, mandatory terms for the contract between the financial entity and its ICT service provider, where the ICT service provider is permitted to subcontract ICT services supporting critical or important functions. These functions are determined by the financial entity and are defined as functions the disruption of which would materially impair (1) the client’s continuing compliance with the conditions and obligations of its regulatory authorisation, (2) the client’s financial performance, or (3) the soundness or the continuity of the client’s services and activities.
To be clear, these requirements do not apply to contracts for all ICT services; only to those which support critical or important functions.
The contract requirements under the Final RTS should largely be met by Outsourcing Guidelines-compliant terms, save for the following mandatory terms which go beyond the equivalent provisions under the Outsourcing Guidelines:
- The service provider must assess all risks associated with the current or potential subcontractor’s location.
- Express wording that the service provider must ensure continuous provision of the relevant services throughout its chain of subcontractors, in the case of failure by a subcontractor.
- The service provider must identify and keep up-to-date the chain of ICT subcontractors supporting critical or important functions.
- The service provider must specify in its written subcontract:
  - monitoring and reporting obligations of the subcontractor towards the (1) service provider and (2) regulated customer; and
  - that subcontractors must meet the incident response and continuity planning requirements and ICT security standards established under DORA.
Analysis
The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors and so it was surprising that DORA itself, under Article 30(2)(a), is brief on addressing subcontracting under the written ICT services agreement, as compared to the Outsourcing Guidelines. The Final RTS make clear that subcontracting, where permitted for critical or important functions, will be a key focus area for contract remediation exercises in order to close any gaps identified above.
In particular, the requirement to identify and keep up to date the chain of ICT subcontractors will require clarity from ICT service providers on those service lines that support critical or important functions. This applies to both intra-group and external ICT service providers. The Final RTS clarify that financial entities should particularly focus on subcontractors that “effectively underpin” the ICT service supporting critical or important functions, i.e. those whose disruption would impair the security or continuity of service provision.
Service providers will also note that the required flow-down obligations may require them to undertake a contract remediation exercise with their own subcontractors.
Financial entities may lament that the Final RTS were published less than six months from the implementation date for DORA, and in fact after the deadline set by DORA for final-form RTS (which was July 17). However, there is potentially a reprieve as a new sub-clause was added to the Final RTS, which states that changes to contractual agreements between the financial entity and ICT service providers that are necessary in order to comply with the Final RTS “shall be implemented in a timely manner and as soon as it is possible. The financial entity shall document the planned timeline for the implementation.”
This sub-clause was not included in the draft RTS and provides breathing space for parties that are unable to close those contractual compliance gaps before January 17, 2025. However, financial entities should note that this does not postpone the deadline for compliance and, in particular, reporting and other obligations which require information on subcontractors will still apply.