The Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”) is on the horizon. DORA officially entered into force in January 2023, with compliance becoming mandatory from January 17, 2025. From this date forward, financial sector firms will be required to implement DORA's standards to ensure their digital operational resilience. Under DORA, contracts must include specific minimum contractual requirements.
Objective of DORA
DORA aims to enhance the resilience of the financial sector against digital threats, ensuring that all relevant organizations can withstand, mitigate, and respond to disruptions in their information and communications technology (ICT) systems. The regulation standardizes and optimizes risk and security management strategies across ICT environments, emphasizing robust third-party risk management practices.
What Minimum Contractual Terms Does DORA Require?
A key component of DORA is the regulation of contracts that financial institutions establish with third-party ICT service providers. The minimum contract requirements include:
- ICT Security Requirements: Contracts must include explicit provisions on information security compliance by ICT third parties, especially concerning data availability, integrity, and confidentiality. This requirement is crucial to minimize potential risks to critical functions.
- Access and Audit Rights: Financial institutions must have the right to regularly assess and test third-party compliance with security standards. This provision includes detailed audit and testing procedures, with the potential for unannounced inspections to ensure high security.
- Subcontracting: Contracts must stipulate the conditions under which subcontracting is permitted. They must also ensure that all information security and resilience requirements apply equally to subcontractors.
- Termination Rights: DORA requires contracts with ICT third parties to contain clear termination provisions, particularly when third parties fail to meet security standards. Termination rights and notice periods are designed to protect the financial institution from prolonged risks.
- Change Management and Reporting: Changes in service delivery must be reported promptly to the financial institution to allow adjustments to evolving risk assessments and conditions.
- Risk Measurement and Performance Monitoring: Contracts must set measurable Key Performance Indicators (KPIs) for the services provided by ICT third parties, including penalties for non-compliance. These metrics aid in ongoing performance and security monitoring.
- Advance Notification Obligations: Third parties must notify the financial institution of any relevant changes in business strategy, ownership, or material contract amendments to maintain transparency in the risk profile.
How Do Contracts Under DORA Support Risk Mitigation?
DORA-compliant minimum contract requirements are essential for effective risk management. Contracts adhering to DORA standards allow financial institutions to systematically monitor their dependencies on third parties and respond effectively to security breaches or performance issues. A structured ICT third-party risk management framework, as required by DORA, provides a solid foundation for minimizing potential financial and operational damages and preserving customer trust.
Update Contracts: Act Now!
Prepare for DORA by updating your existing third-party contracts to meet DORA’s minimum contractual requirements. We are here to assist with adapting your agreements to keep your digital risks effectively managed.
Have Further Questions on the Digital Operational Resilience Act? If you have additional questions on this topic or seek legal advice in other areas of commercial law, our team offers comprehensive guidance on DORA implementation for financial institutions and IT service providers. Feel free to contact our office at office@geuer.at or by phone at +43-1-4380072. We look forward to assisting you.
Link to the Regulation: Regulation (EU) 2022/2554