Preamble 51 to 60, Digital Operational Resilience Act (DORA)

Sep 4, 2024, by Sneha Naskar

The Digital Operational Resilience Act (DORA) establishes a framework to strengthen the EU financial sector's defenses against cyber threats and ICT risks. Recitals 51 to 60 of its preamble deal with the contractual elements financial entities must agree with ICT third-party service providers, the Union-level oversight of providers designated as critical, and the use of standardized contractual practices to improve operational continuity and legal certainty. The key points of each recital are summarized below.


51 Specification of Contractual Elements

Contractual arrangements must fully describe the functions and services the ICT third-party service provider delivers, including the locations where those functions are provided and where data is processed, and must set out service level descriptions with both quantitative and qualitative performance targets. These specifications allow the financial entity to monitor the provider effectively and to enforce the relevant provisions on accessibility, availability, integrity, security, and protection of personal data. Contracts should also guarantee access to, recovery of, and return of data in the event of the provider's insolvency, resolution, or discontinuation of business operations.

52 Notice Periods and Reporting Obligations

Contracts should establish clear notice periods and reporting obligations owed by the ICT third-party service provider to the financial entity, including notification of any development that could materially affect the provider's ability to deliver critical or important functions. They should also oblige the provider to assist during ICT-related incidents, either at no additional cost or at a cost agreed in advance.

53 Rights of Access, Inspection, and Audit

Financial entities, or a third party they appoint, must have rights of access, inspection, and audit over ICT third-party service providers so that compliance and performance can be verified on an ongoing basis, and providers are expected to cooperate fully during on-site inspections and audits. The financial entities' competent authorities should be granted equivalent rights, subject to confidentiality requirements.

54 Termination Rights and Exit Strategies

Contracts should clearly define termination rights and the related minimum notice periods, and should include exit strategies. In particular, they should provide for mandatory transition periods during which the ICT third-party service provider continues to deliver the relevant functions or services, so that disruption is minimized and the financial entity can switch to another provider or bring the service in-house, consistent with the complexity of the service.

DORA Compliance Framework

55 Use of Standard Contractual Clauses for Cloud Computing

DORA encourages the voluntary use of standard contractual clauses for cloud computing services developed by the European Commission. Such clauses are intended to give financial entities and their ICT third-party providers greater legal certainty and closer alignment with regulatory expectations. This follows up on the 2018 Fintech Action Plan, in which the Commission announced its intention to encourage and facilitate standard contractual clauses for the outsourcing of cloud computing services by financial entities.

56 Union Oversight Framework for Critical ICT Third-Party Service Providers

To strengthen the EU's digital operational resilience and protect the stability of the financial system, DORA establishes a Union Oversight Framework for critical ICT third-party service providers. The framework harmonizes the supervisory approach across the financial sector so that providers on which financial entities critically depend are overseen consistently rather than by each sector or Member State separately.

57 Designation Mechanism for Critical ICT Third-Party Service Providers

DORA introduces a designation mechanism to identify which ICT third-party service providers qualify as critical, based on quantitative and qualitative criteria that reflect the financial sector's reliance on them. Providers designated as critical fall within the Union Oversight Framework. Providers that are not automatically designated may voluntarily request to be included, while providers already subject to Eurosystem oversight frameworks supporting the tasks referred to in Article 127(2) of the Treaty on the Functioning of the European Union are exempt from the designation mechanism.


58 Legal Incorporation and Data Localization

DORA requires critical ICT third-party service providers to be legally incorporated within the Union, but this requirement does not amount to data localization: the Regulation imposes no further requirement that data be stored or processed within the Union.

59 Member States' Oversight Competence

Member States retain competence to oversee ICT third-party service providers that are not designated as critical under DORA but are considered important at national level, allowing tailored national oversight where it is needed.

60 Coordination and Oversight Forum

DORA establishes a new Sub-Committee of the Joint Committee of the European Supervisory Authorities (ESAs), the Oversight Forum, to coordinate cross-sectoral work on ICT third-party risk. The Forum prepares the individual decisions addressed to critical ICT third-party service providers and issues collective recommendations, in particular on benchmarking the oversight programmes and identifying best practices for addressing ICT concentration risk across the financial sector.

Taken together, these recitals set out DORA's approach to ICT third-party risk: clear contractual requirements, Union-level oversight of critical providers, and standardized contractual practices. The recitals themselves are explanatory; the binding obligations they introduce are laid down in the Regulation's articles, in particular Article 30 on key contractual provisions, Article 31 on the designation of critical ICT third-party service providers, and Article 32 on the structure of the Oversight Framework.
