With the Digital Operational Resilience Act (DORA), the European Union has introduced a groundbreaking regulation that aims to standardize and strengthen digital resilience in the financial sector across the Union. From January 17, 2025, affected companies will have to meet the new requirements. DORA is intended to meet the challenges posed by advancing digitalization and increasing networking in the financial sector, which has been massively driven by the use of information and communication technologies (ICT) in recent years. DORA aims to effectively combat risks such as cyber threats and operational disruptions by requiring financial companies and specialized ICT service providers to implement comprehensive measures to improve their digital resilience. Relevant players include banks, investment firms, payment institutions, cryptocurrency providers and issuers of value-referenced tokens. These companies must analyze their internal processes and adapt them to the new regulatory requirements, which includes the introduction of contingency plans, robust security measures and regular risk analyses. The implementation of DORA requires significant investment in IT infrastructure and risk management, but at the same time offers the opportunity to strengthen the security and resilience of the financial sector in the long term. Good ICT risk management also involves companies structuring their contracts with third-party ICT service providers in such a way that the risks can be adequately countered. But what consequences does this have for future and existing contracts between financial companies and ICT third-party service providers?

Better Handling of ICT Third-Party Risk Through Minimum Contractual Content

DORA requires financial firms to manage ICT third-party risk as part of their ICT risk management framework. This includes ensuring that financial companies that have entered into contractual arrangements for the use of ICT services in the conduct of their business remain fully responsible at all times for compliance with, and fulfillment of, all obligations under DORA and applicable financial services law. Financial companies may only conclude contractual agreements with ICT third-party service providers that comply with appropriate information security standards. To this end, the regulation sets out requirements for the essential contractual provisions, i.e. certain minimum content that must be included in any contractual agreement with an ICT third-party service provider. To give just one example, there is an obligation to provide a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of ICT services supporting critical or important functions, or essential parts thereof, is permitted. If so, the conditions that apply to such subcontracting must also be stated. Here DORA once again codifies the importance of a complete and accurate service description, which is essential for IT contracts in any case. In addition to many of the typical requirements for IT contracts, the ICT third-party service provider must, for example, also agree to cooperate fully with the competent authorities and resolution authorities responsible for the financial company.

Extended Scope of Application of DORA and its Impact on Contract Drafting

An important new feature of DORA, which goes beyond the requirements previously set out by BaFin in its circulars, is its broader scope of application. While the minimum content required under the previous circulars primarily relates to outsourcing relationships, DORA covers all contracts with ICT third-party service providers. An ICT third-party service provider is a company that provides ICT services. ICT services in this sense are digital services and data services provided on an ongoing basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services (which also covers technical support from the hardware provider by means of software or firmware updates), but excluding conventional analog telephone services. An outsourcing relationship therefore does not have to exist for DORA's contract drafting requirements to apply. In principle, DORA applies its requirements for the essential contractual provisions to all contracts with ICT third-party service providers. Nevertheless, the principle of proportionality runs throughout DORA, and stricter requirements are placed on contractual arrangements for the use of ICT services supporting critical or important functions. Among other things, the financial institution must contractually secure the right to continuously monitor the provision of services, including unrestricted access, inspection and audit rights for the financial institution or a commissioned third party and for the competent authority. Where a critical or important function is affected, a corresponding agreement may therefore be necessary. This example shows that once DORA comes into force, existing contracts will also need to be reviewed for compatibility with the new requirements and renegotiated where necessary.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.