Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) applies from 17 January 2025, imposing new obligations on financial entities, including insurance undertakings, regarding digital operational resilience.
Article 30 of DORA is particularly crucial, as it details the contractual requirements between these entities and their third-party ICT (Information and Communication Technologies) service providers.
Article 30 applies to all financial entities, including insurance companies, that use ICT services provided by third-party providers, whether or not the arrangement is classified as outsourcing. It aims to ensure that contracts with these providers are clear, comprehensive, and compliant with the new standards of digital operational resilience.
Mapping and Reviewing Existing Contracts
Companies must undertake a comprehensive mapping of their current contracts with third-party ICT service providers.
The objectives are to:
Contractual Provisions from Article 30
1st layer: General Obligations Compliance
To be compliant, each contract must include at least the following elements:
1- Description of ICT Services:
2- Location of Services and Data:
3- Data Protection:
4- Access and Recovery of Data:
5- Descriptions of Service Levels:
6- Assistance in the Event of ICT Incidents:
7- Cooperation with Competent Authorities:
8- Termination Rights:
9- Participation in Security Programmes:
2nd layer: Critical or Important Functions
Additional requirements apply if the ICT services support a critical or important function, which is defined as a function whose disruption could seriously impair a financial entity’s financial performance, or the soundness or continuity of its services and activities, or where an interruption, defect, or failure in its execution could seriously undermine the financial entity’s ability to continuously comply with the conditions and obligations of its authorisation, or its other obligations under applicable financial services law.
In addition to the general elements above, each contract supporting a critical or important function must also include at least the following elements:
1- Comprehensive Descriptions of Service Levels:
2- Notification of Impacting Developments:
3- Emergency Plans and ICT Security:
4- Participation in Penetration Testing:
5- Audit and Inspection Rights:
6- Exit Strategies:
– A mandatory and adequate transition period during which the supplier continues to provide the services, so as to reduce the risk of disruption for the financial entity;
– A plan to migrate to another supplier or to switch to suitable in-house solutions.
3rd layer: Register Requirements
Regardless of the criticality of functions, all financial entities must maintain and update a detailed register of information in relation to all contractual arrangements on the use of ICT services provided by third-party ICT service providers.
Be prepared and ensure your contractual arrangements are compliant with DORA by 17 January 2025!
MOLITOR Avocats à la Cour is ready to assist you in this complex process to ensure a smooth transition towards DORA regulatory compliance.