DORA: what does it mean for IT contracts?

The Digital Operational Resilience Act (DORA) has an important impact on financial entities but also on IT suppliers and cloud service providers. DORA’s main goal is to prevent and mitigate cyber threats.

What is DORA?

EU Regulation 2022/2554 (DORA) entered into force in January 2023 and applies from 17 January 2025. Its goal is to strengthen operational resilience in EU financial services. It applies to banks, insurance companies, investment firms, e-money institutions, payment institutions, crypto-asset service providers (CASPs) and issuers of asset-referenced tokens (MiCAR), crowdfunding platforms, account information service providers, data reporting service providers, insurance intermediaries, etc.

The EU’s supervisory authorities for financial services will draft regulatory technical standards to supplement DORA by January 2024. These standards will describe in more detail the measures financial entities should take to ensure their DORA compliance and will be published by the European Commission during 2024. This means that financial entities and (critical) IT service providers have two years to prepare for DORA compliance.

DORA is considered a lex specialis with regard to NIS2, meaning that financial entities and IT suppliers within its scope will also have to adhere to the stricter requirements of DORA.

Also relevant for IT and cloud suppliers

Financial entities must ensure that their DORA obligations are properly reflected in the contracts with their IT suppliers. Hence, IT suppliers and cloud service providers of financial entities will be faced with obligations that trickle down into their outsourcing agreements, IT services contracts and service level agreements with companies in the financial industry: banks, insurance companies, investment companies, CASPs, data analytics services, etc. IT service providers and financial entities should use 2024 to prepare for requests to renegotiate existing contracts.

DORA also creates an entirely new oversight framework for critical IT third-party service providers when they provide services to financial entities.

Five core topics focused on cyber risk management

The core requirements mentioned in DORA include (1) IT risk management (among others: back-ups, an IT continuity plan, training), (2) management of IT-related incidents, (3) testing of digital operational resilience, (4) information sharing, and last but not least (5) IT management in relation to third-party service providers. Third-party risk must explicitly be factored into the IT risk management framework. Financial entities are required to adopt a strategy on third-party risk and must maintain a register of information covering all contracts with their IT service providers. DORA also sets out requirements for procuring new IT services, for ending these IT services, and even specific key contractual provisions to be included in contracts with IT service providers.

Start preparing for DORA compliance

Even though DORA will only take effect in January 2025, IT service providers and financial entities are advised to start preparing now and to use next year to (re)negotiate IT services agreements.

Timelex https://www.linkedin.com/company/timelex/

Author: Edwin Jacobs https://www.linkedin.com/pub/edwin-jacobs/1/49/904