The most important contractual arrangements for the use of ICT services are set forth in Article 30 of Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter referred to as “DORA” or “the Regulation”), which distinguishes contracts between financial entities and third-party ICT service providers into contracts for critical and important functions and contracts that do not support these functions.
According to DORA, a contract for the use of ICT services should mandatorily include, among other things:
-
-
- clear and complete description of all functions and ICT services, with an indication whether allowed is subcontract ICT service supporting critical or important function or its important parts, and if so, what conditions apply to such subcontract;
-
The mandatory elements indicated above, which a financial entity must identify and assess when subcontracting ICT services supporting critical or essential functions, will be further clarified in draft regulatory technical standards (RTS) being developed by the ESAs. Regulation provides for the publication of the final RTS projects by July 17, 2024.
-
-
- indication of the locations where the contracted or subcontracted ICT functions and services are to be provided;
- provisions regarding availability, authenticity, integrity and confidentiality in connection with data protection;
- the obligation of the third-party ICT service provider to provide assistance to the financial entity, either at no additional charge or for a predetermined fee, in the event of an ICT-related incident;
- termination rights and related minimum notice periods for contractual arrangements;
- terms and conditions for participation of third-party ICT service providers in ICT security awareness programs developed by financial entities.
-
In the case of contractual arrangements for the use of ICT services supporting critical or essential functions, additional obligations have been imposed in addition to the elements indicated in Article 30(2) of the Regulation, which include:
-
-
- full descriptions of the guaranteed service levels, together with precise quantitative and qualitative performance targets within the agreed guaranteed service levels;
- notice periods and reporting obligations of the external ICT service provider to the financial entity;
- obligation for external ICT service providers to participate in penetration testing for threat discovery;
- requirements for the third-party ICT service provider to implement and test contingency plans in connection with its operations;
- having ICT security measures, tools and policies to ensure an adequate level of security for the provision of services by the financial entity in accordance with its regulatory framework;
- the right to monitor the performance of the third-party ICT service provider on an ongoing basis;
- exit strategies, in particular the establishment of a mandatory adequate transition period.
-
Significantly, it will be mandatory for contracts concluded with ICT service providers prior to the application of DORA (January 17, 2025) to adjust their content with regard to the requirements under Articles 28-30 of the Regulation.
