Time is running out to comply with the European Union’s (EU’s) Digital Operational Resilience Act (DORA). The legislation came into force in January 2023, with the January 17, 2025, deadline for compliance approaching rapidly. The pressure is on, including to ensure financial-services entities (firms) have the right contractual provisions in place with information and communications technology (ICT) service providers (suppliers).
DORA aims to strengthen firms’ operational resilience and security against all types of ICT disruptions. It applies to a wide range of EU-based firms, including credit institutions, payment institutions, investment firms and insurers, as well as to their suppliers. It can also apply to non-EU-based firms that have business links with or operations in the EU.
DORA embeds a more robust approach to delivering digital capabilities to firms within the EU. It introduces a harmonised framework to mitigate the increasing risks posed by the rapid digitalisation of firms and their growing dependence on suppliers and infrastructure. Most firms have set up programmes to understand what DORA means for them, including in relation to third-party risk management (TPRM).
As part of TPRM, DORA stipulates that all ICT contracts must contain specific baseline contract terms. There are also more onerous additional requirements for contracts supporting critical or important functions (CIFs). CIFs are those functions that, when disrupted, would have material impacts on firms’ operational continuity and/or performance or the wider financial system’s stability.
Failure to comply with DORA can have significant repercussions, including fines and other penalties, as well as reputational damage. However, achieving contractual compliance by the deadline is a significant challenge; many firms are still doing the groundwork. This includes the need to:
- map ICT services and classifications: defining and mapping CIFs and defining and identifying the population of ICT services that support CIFs and non-CIFs;
- identify, digitise and categorise ICT contracts: identifying, locating and digitising all ICT contracts and categorising them as CIFs or non-CIFs;
- identify intragroup arrangements: identifying intragroup arrangements whereby ICT services within the scope of DORA are provided by one group member to another (such as ICT services provided by group services companies).
Happily, this work does not have to be completed before contractual-compliance activities can begin. Given the looming deadline, many firms are doing this work in parallel with commencing their contractual-compliance and remediation programmes.
PwC’s (PricewaterhouseCoopers LLP’s) experience with clients has highlighted common challenges firms face in preparing for contractual compliance. Many are struggling to map ICT services that support CIFs and non-CIFs and to identify and locate all ICT contracts requiring remediation. It can also be tricky to assess the extent of DORA compliance within existing contracts. In other cases, firms are receiving pushback from suppliers against DORA’s far-reaching requirements. Some suppliers dispute whether their services are within its scope and if they support CIFs or non-CIFs.
It is also important for firms to consider how to mitigate the risks arising from not achieving full contractual compliance by January’s deadline.
DORA’s contractual requirements explained
The devil of DORA is in the details. The contractual requirements are a combination of those set out in DORA and additional regulatory technical standards (RTSs). All contracts between firms and suppliers must include various requirements, such as:
- a clear ICT service description and service levels;
- identification of the locations of services, data processing and storage;
- data-related obligations, including the firm’s right to access data on the supplier’s insolvency;
- ICT-incident assistance from the supplier;
- ICT-supplier participation in the firm’s security-awareness and training programmes and its cooperation with regulators;
- appropriate termination rights and notice periods for the firm.
More onerous additional contractual requirements apply to contracts involving ICT services and systems that support the firm’s CIFs. These aim to ensure firms have robust control of such services and systems. Examples include details on whether and when subcontracting is permitted; detailed service levels; appropriate notice periods and reporting obligations; business-contingency provisions; penetration testing; audit, access and inspection rights; and exit arrangements.
The Subcontracting RTS
DORA also addresses regulators’ determination to ensure greater transparency and control in relation to subcontracting, particularly regarding CIFs. To support this objective, the European supervisory authorities (ESAs)—the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)—drafted the Subcontracting RTS, which sets out the approach to assessing applicability, required due diligence and contractual conditions for subcontracting.
The requirements of the Subcontracting RTS are challenging because suppliers often subcontract many aspects of their services—and subcontractors may then further subcontract elements of such work. Additionally, many suppliers may not be able to give individual customers control over to whom they subcontract or any changes in subcontracting, as services are provided on a one-to-many basis.
Even so, given the risks that arise from failures by subcontractors, firms must have visibility and ensure they maintain control over the subcontracting chain for services supporting CIFs. Whilst the ESAs have recognised the complexities arising from this, they reiterated the need for firms to identify the overall subcontracting chain, clarifying that they should “particularly focus their monitoring on those subcontractors that effectively underpin the provision of the service”.
Applying the Subcontracting RTS
To assess applicability, firms must consider factors such as size, overall risk profile and the nature, scale and elements of increased or reduced complexity of services, activities and operations. These considerations are extensive and vary according to the nature of the ICT services concerned, the number of subcontractors and their locations (including their parent company’s location). They will also depend on the data-processing circumstances, impacts if the subcontracted services were transferred and whether the suppliers or subcontractors are authorised, registered or subject to supervision or oversight by an EU regulator or the oversight framework.
Due diligence
Due diligence represents an additional burden, with firms expected to undertake significant checks before allowing a supplier to subcontract any part of its services. These include:
- the supplier’s ability to identify, notify and inform the firm of any subcontractors in the supply chain;
- the supplier’s abilities, expertise and financial/human/technical resources for monitoring subcontractors;
- the impacts of a subcontractor’s possible failure on the relevant services;
- the risks associated with a subcontractor’s geographical location and any ICT risks;
- any obstacles to the exercise of audit, information and access rights by regulators, the firm or its auditors.
Conditions for subcontracting arrangements
In addition to the general contractual requirements under DORA, the Subcontracting RTS requires firms to include additional provisions to control subcontracting, including:
- monitoring and reporting obligations of the supplier and subcontractor(s);
- business-contingency plans and service levels, as well as security standards and requirements;
- audit rights and information access for the firm and regulators;
- notice provisions regarding material changes to subcontracting arrangements;
- additional termination rights;
- right to information regarding the subcontract(s).
How to approach contractual compliance and remediation
DORA builds on the existing outsourcing guidelines and the ICT security risk-management guidelines issued by the ESAs (existing requirements). Firms that have already successfully complied with some or all of these requirements will have less to do to achieve contractual compliance.
The complexity and diversity of the regulatory landscape and ICT-services provision in the financial sector mean there is no single right approach to contractual compliance and remediation. PwC’s experience is that firms are adopting one of three approaches to remediation.
Some firms are taking a blanket approach, applying standard amendment templates for CIF and non-CIF contracts; this is common among those not subject to the existing requirements. Some are taking a tailored approach, applying a customised template that incorporates only those DORA contractual requirements not already covered by the existing requirements in the ICT contract; this is typically used by entities that are fully compliant with the relevant existing requirements. Others are taking a hybrid approach, with minimal customisation of standard amendment templates, e.g. to reflect definitions and key specifics of the ICT services involved.
In previous regulatory-remediation efforts (such as EBA outsourcing), firms often preferred a blanket approach. But with an increasingly complex regulatory landscape, the pushback from suppliers due to similar provisions (such as audits) having already been negotiated and the tight timeframe for achieving compliance, many firms subject to existing requirements favour the tailored approach.
Recommended steps for DORA contract remediation:
Regardless of the approach adopted, a DORA contractual-compliance and remediation programme will include the following steps:
- Drafting template clauses for use in new ICT contracts and amendment templates for remediating existing contracts for CIFs and non-CIFs, as well as negotiation playbooks.
- Developing a remediation plan, including the prioritisation methodology and outreach strategy to prioritise ICT contracts, and a standard operating procedure.
- Carrying out a gap analysis of ICT contracts against DORA contractual requirements to identify the extent of compliance with existing requirements.
- Drafting amendment agreements and outreach to all suppliers in prioritised tranches.
- Negotiating and finalising DORA contract amendments, following the playbooks.
- Extracting the contract information to populate the relevant parts of the DORA register of information, which must be completed for all ICT contracts.
Author: Jennifer Chambers