Article 27 of the Digital Operational Resilience Act (DORA): Key Contractual Provisions
The Digital Operational Resilience Act (DORA) is the EU regulation that sets binding requirements for the digital operational resilience of financial entities. The article discussed here governs the contractual provisions between financial entities and ICT third-party service providers. It is numbered Article 27 in the Commission's original proposal; in the adopted text, Regulation (EU) 2022/2554, the same key contractual provisions appear as Article 30, so readers checking the Official Journal should look there. These provisions are essential for ensuring that every aspect of the relationship, particularly the management of ICT risk, is clearly defined and legally enforceable.
Clear Allocation of Rights and Obligations
At the core of Article 27 is the requirement that the rights and obligations of both the financial entity and the ICT third-party service provider be explicitly defined and documented. The entire contractual arrangement, including the service level agreements (SLAs), must be set out in one written document that is available to the parties on paper or in another downloadable, durable and accessible format.
This clarity in contractual terms prevents misunderstandings or disputes about which party is responsible for what, particularly in relation to the management of ICT services, data protection, and incident response.
Comprehensive Contractual Arrangements
Article 27 outlines a comprehensive set of contractual provisions that must be included in any agreement between a financial entity and an ICT third-party service provider. These provisions cover a wide range of critical areas:
- Description of Services: The contract must clearly and completely describe all functions and ICT services to be provided, including whether sub-contracting of an ICT service supporting a critical or important function, or material parts of it, is permitted and under what conditions. This ensures that the financial entity knows who actually delivers its services and can assess the risks that sub-contracting introduces.
- Location of Services and Data: The contract must specify the locations (in particular the regions or countries) where the contracted services will be provided and where data will be processed and stored, and must oblige the provider to notify the financial entity in advance of any intended change to those locations. This provision is central to data security and to compliance with data residency requirements.
- Data Protection and Continuity: Provisions must be made for the protection of personal and non-personal data, including access, recovery, and return of data in the event of the ICT third-party service provider’s insolvency or business discontinuation. These measures ensure that the financial entity can maintain continuity and data integrity, even in the event of a provider failure.
- Service Levels and Monitoring: The contract must include detailed service level descriptions, with clear performance targets that allow the financial entity to monitor the provider’s performance effectively. This monitoring is essential for identifying any deviations from the agreed service levels and taking corrective actions promptly.
- Incident Response and Contingency Planning: The ICT third-party service provider is obligated to assist the financial entity in the event of an ICT incident related to the contracted service, either at no additional cost or at a cost determined ex ante. Additionally, the provider must implement and test business contingency plans and have in place ICT security measures, tools and policies that provide an appropriate level of security for the services it delivers. These requirements allow the financial entity to respond effectively to incidents and maintain its operations.
- Right to Monitor and Audit: The financial entity must have the right to monitor the provider's performance on an ongoing basis. For services supporting critical or important functions this includes unrestricted rights of access, inspection and audit for the financial entity itself, the competent authority and any appointed third party, with no contractual or other impediments to exercising them. These rights are what make the provider's operations transparent and accountable.
- Cooperation with Authorities: The ICT third-party service provider must fully cooperate with the competent authorities and the resolution authorities of the financial entity, including the persons they appoint. This cooperation is vital for maintaining regulatory compliance and ensuring that the financial entity can meet its legal obligations.
- Termination and Exit Strategies: The contract must include clear termination rights with minimum notice periods that are in line with supervisory expectations, and well-defined exit strategies. For critical or important functions the exit strategy must include a mandatory adequate transition period during which the provider continues to deliver the services, reducing the risk of disruption while the financial entity migrates to another provider or brings the service back in-house.
Standard Contractual Clauses
When negotiating these contractual arrangements, financial entities and ICT third-party service providers are expected to consider the use of standard contractual clauses developed by public authorities for specific services. Standardized clauses promote consistency across contracts and simplify negotiation.
Development of Regulatory Technical Standards
The European Supervisory Authorities (ESAs), through their Joint Committee, are tasked with developing draft regulatory technical standards (RTS) that further specify the elements a financial entity must determine and assess when sub-contracting ICT services supporting critical or important functions. These standards give additional guidance on how to implement the provisions of Article 27, particularly those related to sub-contracting. Under the proposal the ESAs were to submit the draft standards to the European Commission within one year of DORA's entry into force; the adopted Regulation sets the deadline at 17 July 2024. The draft standards do not become binding on submission: they take legal effect only once the Commission adopts them as a delegated regulation.
Conclusion
Article 27 of DORA lays out the contractual provisions that financial entities must include in their agreements with ICT third-party service providers. These provisions ensure that every aspect of the relationship is clearly defined, from service descriptions and data protection to audit rights and termination strategies. By meeting these requirements, financial entities can manage ICT third-party risk, demonstrate compliance to their supervisors, and maintain their digital operational resilience. The regulatory technical standards developed by the ESAs further refine these provisions, giving financial entities the detail they need to manage sub-contracting chains behind critical or important functions.