The introduction of the Digital Operational Resilience Act (DORA) has prompted much recent discussion amongst legal, technology and finance professionals. Enacted by the European Union on 17 January 2025, DORA now makes compliance crucial for any business relationship between a technology provider and an EU-based financial service provider.
Whilst DORA is EU legislation, UK-based technology providers supporting financial businesses within the EU are required to comply with it; this article focuses on the contractual requirements DORA sets out for technology providers.
Who is in scope?
DORA applies to a wide range of entities within the EU's financial sector, including but not limited to banks, credit institutions, insurance companies, investment firms, asset managers, payment service providers and financial market infrastructures, such as trading venues.
DORA's requirements extend to any third-party ICT service provider that offers services to these financial entities. This includes technology companies, cloud service providers and other technology providers that support the functions of financial institutions. With mandatory flow-down requirements for subcontracting, and scope to include all non-critical ICT services, DORA seeks to ensure comprehensive coverage of the technology supply chain.
Key provisions of DORA
Building on existing UK and EU regulatory frameworks for operational resilience and regulated outsourcing, DORA aims to establish a unified framework across the EU for managing ICT risks in the financial sector, thereby reducing fragmentation and inconsistencies in how financial entities handle digital threats.
Strengthening operational resilience
As technology evolves, so do cyber risks, particularly in financial services. DORA aims to protect financial entities against cyber risks and operational disruptions. In particular, DORA addresses supply chain vulnerabilities and requires third-party technology providers to adhere to various operational and governance standards for ongoing ICT risk management, and introduces a regulatory oversight regime for 'critical' ICT service providers.
Balancing negotiating power
With financial sector businesses becoming even more dependent upon technology, DORA aims to balance negotiating powers between financial entities and major tech providers by introducing mandatory contractual requirements in respect of ICT contracts.
DORA incorporates the principle of proportionality to ensure that its digital operational resilience requirements are applied appropriately based on the size, risk profile and complexity of financial entities. This principle allows for a tailored approach, where smaller entities may be subject to simplified ICT risk management frameworks, reflecting their limited resources and capabilities. The principle of proportionality also guides the management of ICT third-party risks, ensuring that regulatory requirements are neither excessively burdensome nor too lenient on providers, thereby balancing robust digital resilience with the operational realities of different providers.
Key provisions of DORA - contractual requirements
Mandatory contractual requirements
DORA requires specific contractual provisions to be included in supply agreements between providers and EU-based financial entities. DORA's rules apply to all new ICT outsourcing contracts and to existing contracts pre-dating 17 January 2025, when the legislation came into force. There is a transition period of 36 months (ending on 17 January 2028) for existing contracts to be made compliant. During this period, financial entities should be reviewing and amending existing contracts for DORA compliance.
DORA's mandatory provisions are listed in Article 30 and require the rights and obligations of both the financial entity and the provider to be clearly set out in writing, including service level agreements. Contracts are also required to include the following elements in order to be DORA compliant:
a) a clear description of all functions and ICT services to be provided by the provider, including conditions for subcontracting critical functions;
b) the locations, i.e., regions or countries, where the contracted ICT services are to be provided and where data is to be processed, with a requirement for the provider to notify the financial entity in advance if it envisages changing such locations;
c) provisions to ensure availability, authenticity, integrity and confidentiality of data, including personal data;
d) provisions on ensuring access, recovery and return of data in the event of the insolvency or termination of the provider;
e) service level descriptions, including any updates and revisions;
f) provisions for providers to provide assistance to the financial entity at no additional cost, or at a cost determined in advance (ex-ante), when an ICT incident related to the service occurs;
g) an obligation for the provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity;
h) termination provisions, including specifying exit strategies that ensure the continuity and quality of the service; and
i) requirements for the provider's participation in the financial entity's ICT security awareness programmes and threat-led penetration testing (TLPT).
Support for critical functions
A service is deemed a critical function when its disruption could significantly impact a financial entity's operations, financial stability, or the broader financial system. While further guidance is expected from the EU's Supervisory Authorities on when a service should be deemed a critical function, this determination will involve assessing factors such as the service's essential role in core activities, its contribution to financial stability, and compliance with regulatory requirements. The criticality is heightened if there are no readily available substitutes, if the service is highly interconnected with other operations, and if it is vital for maintaining the entity's reputation and trust.
Financial entities must evaluate their services against these criteria to identify critical functions and implement necessary risk management and resilience measures. For contractual arrangements in respect of critical or important functions, terms must also include:
a) quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring and corrective actions to be taken, without undue delay, when agreed service levels are not met;
b) notice periods and reporting obligations of the provider to the financial entity, including notification of any developments that might have a material impact on the service provision in line with agreed service levels;
c) requirements for the provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies aligned with regulatory frameworks;
d) an obligation for the provider to participate and fully cooperate in the financial entity's TLPT;
e) rights in favour of the financial entity to monitor, on an ongoing basis, the provider's performance, including:
i. unrestricted rights of access, inspection and audit by the financial entity, its appointed third-party, or the competent authority;
ii. the right to agree on alternative assurance levels if other clients' rights are affected;
iii. an obligation for the provider to fully cooperate during any onsite inspections and audits; and
f) exit strategies, in particular the establishment of a mandatory adequate transition period to reduce disruption risks and facilitate migration to other providers or in-house solutions.
Ensuring compliance with DORA
Under the oversight framework of DORA, the EU Supervisory Authorities are tasked with the rigorous testing and inspection of third-party service providers. This initiative is crucial to safeguarding the financial sector's ability to deliver essential functions without disruption. Critical third-party service providers are subject to thorough scrutiny to identify any potential risks they may pose to the EU financial sector.
Non-compliance with DORA regulations can result in substantial financial sanctions, particularly where critical services are involved. Additional penalties for non-compliance may include orders to cease non-compliant conduct, with such penalties being publicly disclosed.
Key steps
Third-party service providers should proactively consider the steps required to help manage DORA's requirements and to help mitigate compliance risks:
- When negotiating new contractual arrangements, implement standard contractual clauses approved by relevant EU supervisory authorities, where available, and ensure customised provisions maintain compliance with DORA requirements.
- During the transition period, proactively review existing contracts and negotiate amendments to ensure they are DORA compliant.
- Implement measures that enhance visibility and control over the ICT supply chain, ensuring robust access and audit rights, especially for contracts that include flow-down requirements for subcontractors.
- Update or establish procedures for ICT incident reporting and handling, to facilitate compliance with DORA's obligations. Regular audits should be conducted to verify adherence to DORA's requirements and to identify any areas for improvement.
- Engage with relevant suppliers, subcontractors and staff to ensure they are aware of and prepared to meet DORA's requirements.
- Keep informed about further guidance and technical standards from the European Supervisory Authorities to maintain compliance and adapt to any changes that may affect regulatory obligations.
In summary
DORA represents a significant step forward in harmonising the management of ICT risks across the EU's financial sector.
By establishing a comprehensive framework that addresses the vulnerabilities inherent in the technology supply chain, DORA not only enhances the operational resilience of financial entities but also seeks to balance the negotiating power between these entities and major technology providers.
The mandatory contractual provisions and robust ICT risk management practices outlined in DORA are designed to ensure that financial institutions can withstand and recover from digital disruptions, thereby safeguarding the stability of the financial system. While the practical implications of DORA will unfold over time, its introduction underscores the EU's commitment to fostering a secure and resilient digital environment for its financial markets. It is crucial for providers involved in a European financial entity's ICT supply chain to thoroughly assess their compliance with DORA, and to review and update their contractual agreements and operational practices to ensure ongoing compliance with DORA's requirements.