We review how the Digital Operational Resilience Act regulates financial services firms' contractual arrangements with technology and data service providers. Dermot McGirr, Commercial Partner, focuses on the Act’s regulation of third party ICT contracting and discusses the specific requirements the legislation imposes.
“DORA”, or the Digital Operational Resilience Act, means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector. Its impacts on the financial services sector are wide ranging. In this article, we focus on its regulation of third party ICT contracting and the specific requirements it imposes in this regard.
Entry into force in January 2025
Since our previous update the final text of DORA has been published. DORA will apply to in-scope financial services entities from 17 January 2025.
This period leading up to January 2025 gives relevant financial services entities an implementation period to thoroughly review their ICT contractual arrangements and implement any changes which may be required in order to ensure compliance with DORA. The good news for those entities which have already complied with regulatory guidance on outsourcing, such as that provided by the European Banking Authority (EBA) or the Central Bank of Ireland (CBI), is that DORA closely tracks many of the same contractual requirements. This being the case, the gap analysis exercise required to assess compliance with existing contracts should be relatively limited for relevant entities, noting though the broader application of DORA to ICT services as opposed to just outsourcing providers which we discuss in more detail below.
Not just outsourcing anymore
One of the key points to note about DORA is that it does not just apply to outsourcing arrangements, as is the case with existing regulatory guidance on outsourcing. The contractual requirements of DORA apply to the use of “ICT Services”. These are defined as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. This rather broad definition will cover the vast majority of IT related services procured by a financial services entity. It also contrasts with the typical definition of “outsourcing” provided for in regulatory guidance which requires the relevant service to be something that the financial services entity would normally undertake itself.
In practice this broader definition means that financial services entities who have already gone through a project to comply with regulatory guidance on outsourcing will need to revisit those services which were not deemed to be outsourcing but which will come within the DORA definition of ICT Services. They will then need to assess those contracts against the contractual requirements of DORA.
Third party contracting
Similar to the approach with the existing regulatory guidance on outsourcing, DORA requires financial services entities to assess and divide their ICT providers into two categories - those who provide services that support critical or important functions and those who don’t.
A “Critical or Important Function” is defined under DORA as a function:
- The disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or
- The discontinued, defective or failed performance of which would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
In a contractual context, the financial services entity’s assessment of whether an ICT Service supports a “critical or important function” matters because DORA applies different contractual requirements to the two categories, with contracts for the provision of “critical or important functions” attracting more detailed and more extensive requirements.
If the financial services entity is already complying with existing regulatory guidance on outsourcing, such as the EBA and CBI outsourcing guidelines, many of the contractual requirements will be familiar, for example:
- Requirements to include specific termination rights
- Wide ranging (and from the service provider’s perspective, onerous) audit rights
- A laundry list of contractual specifics, e.g. description of the services, locations of service provision and data storage and processing, etc.
- Requirements dealing with management of exit and transition
- Obligations on the ICT provider to, amongst other matters, comply with appropriate information security standards
- Provisions to ensure access, recovery and return of data in the event of the insolvency, resolution or discontinuation of the operations of the ICT provider, or in the event of the termination of the contract
- Whether subcontracting of the ICT Service supporting a Critical or Important Function (or material parts thereof) is permitted and, if so, the conditions applying to such subcontracting.
It is not however simply a matter of DORA being a “cut and paste” from regulatory guidance on outsourcing. The DORA requirements are more detailed in places and also raise some novel issues. This approach suggests that learnings from the practical application of the regulatory guidance on outsourcing have been applied. The same approach was also evident, although to a more limited extent, when comparing the contractual requirements of the CBI and EBA outsourcing guidelines. As a result, financial services entities who have already complied with regulatory guidance on outsourcing still need to assess their outsourcing agreements against the requirements of DORA. However, relevant entities will have some degree of comfort in knowing that significant elements of compliance will already be in place.
Penalties for non-compliance
Although DORA has direct effect as a regulation, one area which does require national implementation is the penalties and sanctions regime which will be applied for non-compliance. DORA requires Member States to provide for their own rules in this regard. We will therefore wait to see what approach Ireland takes to this issue. One point which is clear is that, in contrast to the current regulatory guidance on outsourcing, DORA will be a legal requirement with linked penalties for non-compliance. This will sharpen the focus of both financial entities and the service provider community when it comes to the practical implementation of the contractual requirements.
Financial services entities which comply with the regulatory guidance on outsourcing are in a good position to implement the contractual requirements of DORA, but they do need to consider:
- Their non-outsourcing arrangements in the context of DORA contractual requirements, and
- The differences between DORA and the relevant regulatory guidance on outsourcing in order to ensure those differences are addressed in their contracts with ICT providers.
Financial services entities within the scope of DORA have until January 2025 to undertake this exercise. We have market-leading experience in the implementation of the contractual requirements of regulatory guidance on outsourcing and as such are very well placed to assist with the implementation of DORA.
The content of this article is provided for information purposes only and does not constitute legal or other advice.