DORA for IT suppliers: what do you need to know?
As of Jan. 17, 2025, financial entities must comply with the requirements of the Digital Operational Resilience Act (DORA). This European regulation aims to increase the digital resilience of financial entities by setting requirements for the security of network and information systems so that they can withstand disruptions and cyber-attacks.
Almost all (Dutch) financial entities are currently working intensively to implement the measures resulting from DORA, spurred on in part by messages from the Dutch Central Bank (DNB) and the Financial Markets Authority (AFM).
One aspect that receives less attention is the consequences of DORA for IT suppliers that provide their services to financial entities and, in practice, face questions and requests for contractual adjustments from their customers. With this article, we clarify the various aspects that may be relevant for IT suppliers in this regard.
To which IT suppliers does DORA apply?
DORA refers to (third-party) providers of IT services to financial entities, with a broad definition of IT services. This makes DORA applicable to most IT services provided by IT providers to financial entities located in the EU. Some examples of ICT services covered by DORA are:
- Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS);
- Software;
- Cybersecurity services;
- Data center services;
- Data analysis services;
- Managed Services, such as network management.
Digital doorbells, digital thermometers and self-service checkouts can also qualify as an IT service under DORA. In short, in many cases an IT supplier providing its services to a financial entity will have to deal with DORA.
What implications does DORA have for an IT vendor that has financial entities as customers?
A financial entity is at all times responsible for complying with its obligations under DORA and monitoring compliance. It will therefore contact its existing and potential IT suppliers. In doing so, an IT supplier can expect the following topics to be addressed:
- Risk assessment and due diligence: Before contracting, the financial entity should conduct due diligence to ensure that the IT vendor is suitable and meets information security standards.
- Continuity and Resilience: Assessing the IT vendor’s risk management and business continuity measures, and ensuring that they are effective in ensuring the operational resilience of the financial entity.
- Subcontractors: Requests for information from the financial entity on the subcontractors used by the IT vendor.
- Contractual requirements: DORA provides a comprehensive overview of the requirements that the provisions in an agreement between a financial entity and an IT vendor must meet; more on that in the next section.
- Information register: financial entities are required to establish a (detailed) information register in which all contracts with ICT suppliers must be recorded. The information to be recorded in the information register is comprehensive and therefore it is likely that a financial entity will request further information, for example on subcontractors engaged (or to be engaged).
What contractual requirements apply under DORA?
DORA sets requirements for agreements between IT suppliers and financial entities. More comprehensive agreements often already partially meet these requirements. Below is a summary of DORA’s contractual requirements.
First of all: critical or important function?
To determine which contractual requirements apply, it is first important to analyze whether the ICT service qualifies as a “critical or important” function. Under DORA, a “critical or important function” is defined as a function whose disruption would significantly harm the financial performance of a financial entity. Thus, these are the functions and processes that cause the financial entity’s operations to grind to a halt if such a function is disrupted. Examples include the processing of payments (payment services), the administration of transactions and records (asset management) and the payment of benefits (pensions). If a critical or important function is involved, additional requirements apply to the agreement in addition to the standard requirements.
Contractual requirements for all IT services
Termination rights
The financial entity should be able to terminate the agreement in case of a serious breach of applicable laws or contractual terms. A termination right also applies in case of apparent weaknesses in the IT supplier’s overall ICT risk management. In addition, agreements on applicable minimum notice periods are necessary.
Description of services and subcontracting
There must be a clear and complete description of all services; in addition, in the case of a critical or important function, it must be indicated whether outsourcing is permitted and, if so, under what conditions. In any case, the IT supplier remains responsible for the services it outsources and is obliged to continuously monitor the performance of the outsourced services.
Locations
The locations where the services are provided and where processing takes place must be specified; in addition, the supplier must notify the financial entity in advance if it intends to change a location.
Data protection
Provisions regarding availability, authenticity, integrity and confidentiality regarding the protection of data, including personal data.
Data access, recovery and return
Provisions to ensure access, recovery and return in an easily accessible format of the data in situations of insolvency, cessation of the IT provider’s business, or termination of the agreement.
Service levels
Agreements on the level of services, for example by agreeing Key Performance Indicators (KPIs) in a Service Level Agreement (SLA).
Assistance in the event of ICT incidents
An obligation on the IT vendor to provide assistance to the financial entity in the event of an ICT-related incident.
Cooperation obligations towards supervisors
The IT supplier is obliged to cooperate fully with the competent authorities.
Awareness programs
Agreements on IT supplier participation in IT security awareness programs organized by the financial entity.
Additional contractual requirements for critical or important functions
In addition to the above requirements, the following contractual requirements apply if there is a “critical or important function” as defined in DORA.
Exit strategies (critical/important only)
The financial entity is required to have exit strategies in place so that, for example, if the IT vendor fails or the agreement is terminated, a transition to another IT vendor during an appropriate transition period is assured without disruption to business operations. The exit plans that are put in place must be comprehensive, adequately tested and regularly reviewed.
Monitoring performance goals (critical/important only)
Descriptions of the full level of service (see also “service levels”), including updates and revisions thereof with precise performance targets so that the financial entity can effectively monitor ICT services.
Reporting requirements (critical/important only)
The IT supplier is required to report developments that may materially affect the delivery of the agreed services.
Company emergency plans (critical/important only)
The IT vendor has an obligation to implement and periodically test company emergency plans.
Periodic penetration testing (Threat-Led Penetration Tests, TLPT) (critical/important only)
The IT vendor is required to participate and cooperate in TLPTs of the financial entity.
Continuous monitoring (audit) (critical/important only)
The financial entity has the right to continuously monitor the IT supplier's performance, including through unrestricted rights of access, inspection and audit.
How are the contractual requirements resulting from DORA implemented in practice?
An IT supplier providing services to financial entities will sooner or later have to deal with the requirements resulting from DORA. With an existing agreement, there is a possibility that the IT vendor may be asked to amend the agreement, for example through an addendum setting out missing contractual requirements. For IT suppliers providing services to multiple financial entities, it may be prudent to proactively draft a standard DORA addendum. This avoids the need to negotiate a separate custom addendum for each financial entity.
What are “critical third-party service providers”?
DORA identifies "critical third-party service providers" (CTPPs). These major IT providers are critical to the operational resilience of the entire financial sector. CTPPs are designated by the European Supervisory Authorities (ESAs) based on established criteria. Notably, an IT supplier designated as a CTPP can be supervised directly by the competent European financial regulator, for example through inspections. Supervisors are also empowered to impose periodic penalty payments if, for example, a CTPP fails to cooperate with a supervisor.
DORA services from Penrose for IT suppliers
Penrose can assist in reviewing a DORA addendum prepared by a financial entity to ensure that only the minimum obligations under DORA are included. We can also support you in preparing your own DORA addendum, should you have multiple financial entities as clients. In addition, we can review existing agreements for DORA compliance and incorporate applicable DORA requirements.
To do so, contact Martijn Berk at m.berk@penrose.law or 06-29575351 for a no-obligation introduction.