In 2023, as part of the preparations for the application of DORA and the establishment of this oversight framework, the European Supervisory Authorities (ESAs) jointly started conducting a high-level exercise identifying and mapping ICT third party service providers (hereinafter “ICTPs”), with a focus on concentration and substitutability of service provision. This collection of data was the first of its kind, covering contractual arrangements for many types of entities across the financial sector.
The report identified that most ICTPs serve only a small number of EU financial entities, though some of these entities may play a significant role in the financial system. The most popular ICTPs also typically provide services supporting the largest number of critical or important financial functions, which suggests that the market is highly concentrated despite the high number of ICTPs identified and the number of ICT services provided. The ICT services supporting most of these critical or important financial functions are often non-substitutable, which exacerbates the concerns over the concentration risk in the sector.
What are ICT Services?
The first important question is thus: how does DORA define the term “ICT Services”?
‘ICT services’ means “digital and data services provided through the ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which include the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
The preamble to DORA highlights that the term should be understood in a broad manner, which should, for instance, include so-called ‘over the top’ services, which fall within the category of electronic communications services. It should however exclude the limited category of traditional analogue telephone services qualifying as Public Switched Telephone Network (PSTN) services, landline services, Plain Old Telephone Service (POTS), or fixed-line telephone services. This broad interpretation is further emphasised in the final version of implementing technical standards (ITS) on standard templates for the register of information which provides a description on the type of ICT Services.
In turn DORA defines the term ‘ICT third-party service provider’ as “an undertaking providing ICT services”.
How does DORA impact ICT Services Contractual Arrangements?
Article 30 of DORA specifies the importance of ensuring that the rights and obligations of the financial entity and of the ICTP are clearly allocated and set out in writing, including the service level agreements.
The preamble to DORA notes that financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements to which they are subject, or otherwise in enforcing specific rights, such as access or audit rights, even when the latter are enshrined in their contractual arrangements. Furthermore, most contractual arrangements typically fail to provide the necessary safeguards to ensure proper monitoring of subcontracting processes, thus leading financial entities to be unable to properly assess the associated risks.
DORA thus establishes certain minimum elements that need to be included in these contractual arrangements, including:
(a) a clear and complete description of all functions and ICT services to be provided by the ICTP;
(b) the locations where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed;
(c) provisions on availability, authenticity, integrity and confidentiality on the protection of data;
(d) provisions on ensuring the access, recovery and return of certain personal and non-personal data in an easily accessible format;
(e) service level descriptions;
(f) the obligation to provide assistance when an ICT incident occurs;
(g) the obligation of the ICTP to fully cooperate with the relevant authorities;
(h) termination rights and related minimum notice periods;
(i) the conditions for the participation in the financial entities’ ICT security awareness programmes and digital operational resilience training.
Additional requirements apply in the case of contractual arrangements on the use of ICT services which support critical or important functions. This will be analysed in our next article in this series.
What should Financial Entities do to comply?
The contractual requirements under DORA apply to any contract for the provision of ICT services. Financial entities must thus first take stock of all the contractual arrangements they currently have in place and assess how these are to be re-aligned with DORA.
It is also important to note that the requirements relating to contractual arrangements set out under DORA are different from the requirements set out under the EBA Guidelines on outsourcing arrangements, which operate as guidance for in-scope regulated financial entities.
Thus, although financial entities’ contractual arrangements may already be compliant with certain elements of DORA, a review of all contractual arrangements with ICTPs is still required to evaluate the necessary amendments and conduct proper re-negotiations. In this way, even though DORA’s scope primarily focuses on financial entities, it still has a significant impact on ICTPs who would not necessarily fall within its remit.
What challenges do Financial Entities face in ensuring compliance?
Financial entities may encounter resistance from ICTPs when attempting to align contracts with DORA. Such ICTPs may be reluctant to accept additional obligations related to monitoring, reporting, or accountability due to increased operational and legal risks. Furthermore, legacy contracts may lack the flexibility needed for such amendments, necessitating extensive re-negotiation efforts.
In addition, aligning contracts with DORA, and compliance with DORA in general, carries substantial economic implications for financial entities and ICTPs. Financial entities face direct costs related to revising contracts, implementing enhanced monitoring and reporting frameworks, and bolstering cybersecurity measures. On the ICTPs’ side, adapting their service delivery to meet DORA standards can involve significant investments in infrastructure, personnel, and processes.
Another challenge is the disparity in bargaining power; large ICTPs may dictate terms, leaving financial entities with limited room for negotiation. If an ICTP refuses to amend a contract to align with DORA, financial entities face a compliance dilemma. Regulatory authorities could impose penalties on non-compliant institutions, leading to reputational and financial damage. These financial entities may need to seek alternative providers, which can disrupt operations and incur transition costs. Additionally, the refusal of a key service provider to comply might create operational risks, particularly if the ICTP supports a critical or important function.
Termination rights in contractual arrangements also present a significant challenge during DORA contract re-negotiations. Financial entities may struggle to enforce termination clauses if ICTPs are unwilling or unable to adapt or, conversely, may be bound by termination clauses despite the ICTP’s reluctance to align the arrangement with DORA’s requirements. Long-term contracts without clear exit provisions exacerbate this problem. Even where termination is possible, transitioning to a new provider involves significant costs, potential service disruption, and operational risks. Furthermore, disputes over termination can lead to protracted legal battles.
In conclusion, aligning contracts with DORA introduces a multifaceted set of challenges. Financial entities must navigate resistance from ICTPs, bear what could amount to substantial costs, and address legal and operational risks. Proactive and collaborative approaches to contract re-negotiations are thus essential to achieving compliance and mitigating these issues.