On 17 January 2025, the EU's Digital Operational Resilience Act ("DORA") went live, along with the associated regulatory technical standards ("RTS") and implementing technical standards ("ITS") published by the European Supervisory Authorities ("ESAs").

DORA aims to introduce a single, harmonised framework to regulate digital operational resilience across most of the European financial services sector. It was introduced in response to the increasing digitalisation of the financial industry and the perceived dependency of financial entities on a relatively small pool of major information and communication technology ("ICT") providers, notably the major US cloud providers.

Building on the existing UK and EU regulatory frameworks for operational resilience and regulated outsourcing, DORA introduces an upgraded new framework to mitigate ICT concentration risk, including: (i) mandatory contractual requirements in respect of ICT contracts, (ii) various operational and governance requirements on financial entities to manage their ICT risks on an ongoing basis and (iii) a regulatory oversight regime for "critical" providers of ICT services to financial entities ("ICT Providers") (for further detail around navigating the regime refer to our previous blog here).

To the extent not already completed:

  • EU financial entities should validate whether the DORA requirements are adequately reflected in their existing ICT contracts, as well as update any templates and contracting playbooks to be DORA compliant ready for new ICT contracts. As there are no standard contractual clauses, the process for remediation can be complex. Since DORA is subject to the proportionality principle, there is room for the mandatory contractual provisions to be negotiated, especially in respect of the more contentious requirements, such as audit rights and supply chain monitoring.
  • ICT Providers may want to consider preparing standard DORA-compliant terms for their financial service customers to get ahead of the curve on outstanding compliance projects.

DORA live, despite delays

There is no transition period for compliance with DORA. As of 17 January 2025, EU financial entities should have carried out all required contractual remediation and updated all internal governance policies and procedures relating to ICT risk management and governance, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk and information sharing.

Due to the scale of changes introduced by DORA and delays to guidance and technical standards, some financial entities may not have completed their DORA implementation projects. In particular, we have seen contractual remediation projects being slowed due to uncertainty around when the European Commission ("EC") will adopt all of the second batch of RTS and ITS (the final drafts of which were published in July 2024, as announced here) which address key topics including subcontracting and incident reporting. Despite these delays in the final months of 2024, the ESAs decided not to push back the compliance deadline and instead urged financial entities to aim to "meet their obligations in a timely manner" in their 4 December 2024 statement (see here). Firms should therefore make haste with their compliance efforts.

As additional guidance and technical standards are released by the ESAs, we expect that further mandatory contractual requirements may need to be reflected in ICT contracts. The final draft of the RTS on subcontracting published on 26 July 2024 ("Subcontracting RTS"), for example, has been released as a final draft but has yet to be formally adopted by the EC (and as seen with the ITS on registers of information, there is scope for the EC to reject or adjust drafts).

It also remains to be seen how some mandatory contractual provisions will be implemented in the market, as market standard practices are still evolving. In particular, it is not clear how the threat-led penetration testing requirements on ICT Providers (in Article 30(3)(d) of DORA) will be implemented, given the technical limitations faced by many ICT Providers.

Key changes to ICT contracts – what's new?

The inclusion of mandatory contractual requirements in ICT (and other material outsourcing) contracts is nothing new. To the extent that the supply of ICT services amounts to regulated outsourcing, ICT contracts should already be compliant with the mandatory contractual requirements and expectations set out in the European Banking Authority's Guidelines on outsourcing arrangements ("EBA Guidelines") and (where relevant) the Bank of England's Prudential Regulation Authority (PRA) Supervisory Statement SS2/21 ("SS2/21") and the underlying regulatory requirements. While the contractual requirements under DORA and the EBA Guidelines are similar, DORA provides numerous additional requirements requiring ICT contracts to be upgraded to meet the new rules.

From a contractual perspective, to the extent that services falling within the scope of DORA already amount to "critical or important" regulated outsourcing, we would expect a certain degree of overlap between contracts that already comply with the EBA Guidelines and the DORA contractual requirements, though the level of compliance will also depend on the nature of the financial entity (generally, banks, insurers and larger investment firms have to comply with a higher standard of outsourcing contract requirements).

By way of example, we have set out below five key changes that will need to be considered when upgrading ICT contracts:

  1. Broad definition of "ICT services"

Unlike the EBA Guidelines that only apply to outsourced functions, DORA is in one sense broader in scope and applies to all "ICT services" which include any "digital and data services provided through ICT systems… ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services". According to the ITS on standard templates for the register of information adopted on 12 December 2024 (see list of ICT services in Annex III, here), ICT services could even include on-premises software licences (without any support services), intellectual property consulting, ICT project management or auditing and ICT risk management software. Note that intra-group ICT services are also in scope.

From a contracting perspective this means that, in addition to uplifting existing ICT outsourcing agreements, EU financial entities should also consider whether there are any other supply arrangements for ICT services that will need to be upgraded in light of DORA.

  2. Greater visibility over supply chain

A key objective under DORA is to ensure that EU financial entities have sufficient visibility, oversight and control over their IT supply chain. Similar to existing regulations, DORA requires EU financial entities to include robust access and audit rights in their contracts. However, DORA goes a step further by requiring more granular rights (e.g., including a new right to take copies of documentation on-site from the ICT Provider as part of the audit process). The final draft of the Subcontracting RTS also requires ICT contracts to include obligations on ICT Providers to provide information on the "chain of ICT subcontractors" involved, so that financial entities can maintain and update their registers of information (capturing a wide amount of information about supply chains and contracts) mandated by DORA.

  3. Express flow-down requirements into sub-contracts

Importantly, the Subcontracting RTS introduces mandatory provisions not only for the ICT contract between the financial entity and ICT Providers, but also for sub-contracts between such ICT Providers and their sub-contractors. For example, Article 4 of the Subcontracting RTS includes contractual requirements to ensure that ICT Providers have sufficient monitoring and audit rights over their sub-contractors, and that sub-contractors have in place adequate business continuity and ICT security standards.

From a contracting perspective, this means that EU financial entities will need to include flow-down obligations in their ICT contracts to ensure that the ICT Providers have reflected such requirements in their sub-contracts. ICT Providers may conversely want to consider whether to upgrade their vendor contracts to pre-empt these obligations being negotiated into their ICT contracts with EU financial services clients and their groups.

  4. Non-critical services now within scope

While many of the contractual requirements under DORA are similar or equivalent to those in the EBA Guidelines, DORA has expanded the application of these requirements. The EBA contractual requirements only needed to be implemented where the relevant contract dealt with "critical or important functions". However, DORA has made several of these mandatory for all ICT contracts (including those in respect of non-critical or important functions). For example, the obligation on ICT Providers to provide exit assistance was previously only required for a critical ICT contract but now applies to all ICT contracts.

  5. Assistance with ICT incidents

Along with monitoring, DORA also reinforces the importance of incident handling and cybersecurity in particular. For example, Article 30(2)(f) of DORA introduces mandatory contractual provisions requiring ICT Providers to provide assistance to financial entities at "no additional cost, or a cost that is determined ex-ante" on the occurrence of ICT incidents relating to the services being provided. This mandatory contractual requirement sits under the broader framework for ICT-related incident management, classification and reporting (see Chapter III of DORA), which introduces new rules on how EU financial entities should deal with such incidents. 

How will regulators react?

Non-compliance with DORA by "critical" ICT third-party service providers could lead to enforcement action being taken by supervisory authorities, including substantial fines, the amounts of which are to be specified by national laws. Operational resilience and cybersecurity have been key focuses for supervisory authorities over the past few years, as financial entities have become increasingly vulnerable to technology failures and data breaches. For example, in 2023, the credit reporting agent Equifax was fined £11m by the FCA for failing to manage risks relating to its intra-group outsourcing of consumer data (see our insights here), and in 2019, Raphaels Bank was fined £1.98m in relation to a technology failure by its ICT Provider to which the bank had outsourced the authorisation and processing of card transactions (see our insights here).

Despite the focus on regulating operational resilience, it is not yet clear whether supervisory authorities will immediately start to take meaningful enforcement action under DORA. The overall view in the market is that supervisory authorities may show some leniency during the first weeks and months of the DORA implementation, though we expect that the supervisors' approach will differ per EU Member State. When enforcement action is taken, it is possible that supervisory authorities will be mainly focusing on certain priority areas, such as the DORA registers of information, which are due for submission by the national supervisory authorities to the ESAs by 30 April 2025 at the latest.  

Comparisons with the UK operational resilience and outsourcing regimes

EU-incorporated and regulated financial entities (including their UK branches) and ICT Providers (regardless of their place of incorporation or operation) fall within the scope of DORA. Regulated entities can themselves be ICT Providers. Certain provisions of DORA also apply on a prudential consolidation group basis. Although the EC has confirmed that DORA does not apply to EU branches of third-country (non-EU) financial entities, DORA is still likely to be relevant to many UK regulated firms and third-party service providers that will also be subject to the UK operational resilience regime.

From a non-contractual perspective, we note that the UK has recently put in place a new regulatory oversight framework for critical third parties that is similar to DORA (the "UK CTP regime"), though the UK and EU regimes differ in many ways, including in terms of their scope. For example, whereas DORA applies only to ICT-related critical third parties, the UK CTP regime applies to any critical third party (see our HSF blog on a high-level comparison between the UK and EU regimes). In-scope entities for both the EU DORA and UK CTP regimes could benefit from certain overlaps between the two regimes and develop synergies when updating their compliance frameworks.

Key contacts

  • Nick Pantlin, Partner, Co-Head of Technology, Digital & Sourcing practice, London
  • Clive Cunningham, Partner, London
  • Dr Timo Bühler, Partner, Germany
  • Vincent Denoyelle, Partner, Paris
  • Emmanuel Ronco, Partner, Paris
  • Claire Wiseman, Knowledge Lawyer, London
  • William Garton, Senior Associate, London
  • Ioannis Asimakopoulos, Senior Associate, London
  • Sara Lee, Associate, London