Your DORA questions answered – ICT third party contracts

This fourth of a series of six articles covering a practical session organised by Ashurst focuses on information and communication technology third party contracts.

The specialist team at Ashurst organised a helpful follow-up to their successful initial session on DORA. The number of questions from attendees of the first webinar was the primary motivation for organising a session focusing specifically on answers to practical questions posed by those attending.

A theme apparent throughout the session was that with the January 2025 DORA compliance deadline fast approaching, key aspects of the DORA regime – including the technical standards (RTSs) – remain incomplete. As a result much of the advice from even experts remains couched in conditional language. The team was very sympathetic to the pent-up frustration from those who will be responsible for ensuring their institutions are DORA-compliant apparent in both the number as well as the tenor of the questions posed.

We have tried to summarize the Ashurst team’s answers to each of the questions tackled during the session. The Ashurst team very helpfully organized the questions into broad thematic categories that are reflected in a series of bite-size articles.

2.ICT services in scope
5.Business resilience
6.Extraterritoriality and existing rules

A list of the Ashurst specialists contributing is included below. Any errors or omissions are those of the GRIP team.

The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions.

How are financial entities approaching the contractual repapering exercise and what are you seeing in the market (in particular, given the outstanding final RTSs and the impending implementation deadline)?

This is a challenge for everyone because it looks like the final RTSs are only due to be released in July.

Firms should start by identifying the population of ICT service providers and critical functions. Then prioritize these lists. Having all contracts remediated by January is admittedly a tall order, but you must be able to, at the very least, demonstrate that you have been working towards becoming compliant. One approach may be to order negotiations pragmatically in accordance with how much leverage you may have and target quick, easy wins first.

Complicating matters is the fact that some of the biggest vendors have already said that they will not produce new contracts until the RTSs are finalized. Smaller vendors are also being affected by this because they are unable to agree to contractual terms without knowing what the sub-contracting terms might be (in a situation where they themselves are dependent on the services of one of the larger cloud providers, for example).

Given the January deadline and lack of a transitional or bedding-in period, the relevant teams are likely looking at a December ‘crunch time’ and should begin negotiating with vendors in earnest now. Many firms have already started on this work, but it was suggested that after Easter would be a very good time to begin negotiations.

Are any tech providers drafting their own “standard clauses” for repapering purposes to avoid the battle of the forms with multiple financial entities, and who is the onus on to prepare the DORA addendum?

Yes, many providers will be preparing their own addendums. However, the onus is on the regulated firm because DORA applies to the financial entity and not to the provider.

GRIP Comment

Depending on your various providers and hoping and waiting that they will have contractual clauses ready in time may be attractive given the fact that they may well have more expertise and a better understanding of the technology that they provide.

But it is a risky strategy and means that both understanding and preparedness within your organization, ultimately responsible for complying with DORA, may be lacking. And it is the onus on the regulated firm to comply which is critical here, because the regulatory consequences for non-compliance will always be felt by the financial entity rather than the vendor. 

In practical terms it is also much easier to engage and negotiate with a vendor having an adequate internal understanding of what clauses and changes to contracts are required in order to ensure organizational compliance with DORA.

In a negotiation, would a ICT third-party service provider be able to use the principle of proportionality in its favour (not implement cumbersome expensive security measures if not commensurate or proportionate to services it provides), even though it applies to financial entities under DORA?

It will be difficult for the provider to use the principle of proportionality in negotiations because the principle, like DORA, applies to the regulated firm and not the provider. It may be possible for third parties to challenge a decision by a firm and ask ‘why have you deemed us material?’, but ultimately that determination is one for the regulated firm to make and it is difficult to see a vendor successfully using the principle of proportionality to place itself out of scope of the rules.

Is the only obligation on the ICT third-party service provider to include the contractual obligations set out in Art. 28 and Art. 30?

Yes. But the key obligation is not only to agree on a contract, but also to fulfil its requirements.

In order to ensure that these requirements are fulfilled you need to ensure that your contractual obligations flow down to include:

  • subcontracting;
  • audit and access;
  • security audits;
  • penetration testing;
  • exit planning; and
  • business continuity.

All ICT service providers who wish to work with financial services entities in the future will need to consider this (and in the case of CTPs the more onerous obligations) because they will become an industry norm not only in the EU, but also globally with the US, Asia and Australia all moving in the same direction.

GRIP comment

In the past, as many firms invested heavily in proprietary technology solutions, the sector was naturally resilient. An attack against one bank would have been less likely to affect its peers because of the disparate technology mix in place.

Financial institutions (and organizations in other industries) have continued pivoting away from in-house technology solutions and teams and toward third parties whose solutions are considered better and more cost-effective.

Another motivating factor has, of course, been the pace of technological change. Vendors who specialize in a certain line of business and whose bread and butter is keeping their solution up to date is are more easily able to keep up with the rapid pace of development. Non-specialist parties with in-house teams have tended to lag behind, losing competitve advantage against rivals as a result of an inability to keep key systems and processes up to date. 

The concern around the resilience in the provision of technology services by these third parties has been prompted by the gradual realisation of the vulnerability and potential systemic risk involved as a result not only of the outsourcing of services to them, but also because of the continuing consolidation in the sector. The attack on or failure of a single critical cloud provider or the provider of a specific specialist service that multiple institutions depend on for day-to-day functions has the potential of bringing to a stop all of their operations all at once.

It is not difficult to see why regulators around the world are concerned and while compliance with DORA requirements may be painful, it is likely that organizations that put in the effort will reap rewards that go beyond this specific regional regulatory regime. 

It will be interesting to observe what variation there will be between the various resilience regimes and whether an “industry norm” really does emerge over the next few years as the Ashurst team implied.