Brussels is not sleeping either, and regulation in the European Economic Area is constantly increasing. The area of IT security is not spared. More and more new compliance requirements are being added, affecting an increasing number of companies. One example is the NIS2 Directive, which must be implemented by October 2024 and further develops the NIS Directive of 2016. In addition, the Cyber Resilience Act (CRA), which aims to protect consumers and companies that buy or use products or software with digital components, is currently in the draft phase. Another comprehensive regulation to strengthen IT security is the Digital Operational Resilience Act (DORA). DORA primarily affects financial companies such as banks, credit institutions, investment firms, payment institutions, management companies and insurance companies, as well as the companies that provide them with information and communication technology (ICT), the so-called ICT third-party service providers. From January 17, 2025, these companies will have to comply with the new rules. DORA is intended to meet the challenges of advancing digitalization and increasing interconnection in the financial sector. The aim of the regulation is to counter risks such as cyberattacks and business interruptions effectively. Financial companies and ICT third-party service providers are obliged to take far-reaching measures to strengthen their digital resilience and thus ensure greater security and stability in the sector. In practice, it is now common for IT infrastructure or even entire work processes and business processes to be outsourced to specialized service providers. DORA brings new compliance challenges that also have a concrete impact on the room for negotiation in contracts between financial companies and ICT third-party service providers. Will the DORA regulation shift the balance of power in favor of financial companies?

DORA and the Management of ICT Third Party Risks

DORA obliges financial companies to manage ICT third-party risk. Financial companies may only enter into contractual agreements with ICT third-party service providers that comply with appropriate information security standards. Two basic principles govern the management of ICT third-party risk: first, financial companies remain fully responsible at all times for complying with and fulfilling all obligations under DORA and applicable financial services law; second, financial companies must comply with the principle of proportionality. Accordingly, DORA prescribes mandatory contractual content that must be agreed between financial companies and ICT third-party service providers. This includes the right to continuously monitor the performance of the ICT third-party service provider, which comprises unrestricted access, inspection and audit rights for the financial company, a commissioned third party or the competent authority. The frequency of inspections must be determined on a risk basis. In addition, termination rights must be agreed for the cases provided for in DORA. Detailed service descriptions are required for ICT services that support critical or important functions. Furthermore, the ICT third-party service provider must be obliged to implement and test contingency plans and to have in place ICT security measures, tools, policies and guidelines that provide an appropriate level of security for the provision of services by the financial company in accordance with its legal framework. Finally, exit strategies with binding and appropriate transition periods must be agreed.

Little Room for Negotiation

The requirements of DORA leave the contracting parties little leeway. They simply have to be fulfilled by the financial companies. Supervisory law exerts a strong influence on the contracting parties' private autonomy. The requirements are extensive and are primarily aimed at enabling financial companies to audit ICT services and to ensure their stability and security. For medium-sized financial companies in particular, this can make it possible to assert their position against ICT third-party service providers with strong negotiating power. The ICT third-party service providers will often simply have no choice but to accept the requirements and implement them accordingly. It remains to be seen whether DORA will also have an impact on the largest ICT third-party service providers, such as Google, Amazon and Microsoft. To this end, DORA obliges critical ICT third-party service providers to cooperate with the supervisory authority and subjects them to special oversight, for which the supervisory authority has been given far-reaching powers. It also remains to be seen to what extent DORA will achieve its stated objectives and whether it will be beneficial for Europe as a business location. It is to be feared that the numerous compliance requirements will place an additional burden on companies and that it will become increasingly difficult for the companies concerned to meet all of them. In addition, the regulation is still new, so there is as yet no extensive literature, established administrative practice or case law to guide practitioners.

Attorney Anton Schröder

I. https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.