Article | IT and Data Protection | 21/11/22 | 10 min. | Mahasti Razavi, Antoine Boullet
On November 10, 2022, the European Parliament adopted the Digital Operational Resilience Act (DORA).
This regulation aims to harmonize and strengthen the rules for managing the IT-related risks faced by financial entities in the European Union.
It will enter into force on 17 January 2025, leaving a very short period of time for the companies concerned to adjust their internal processes and contractual relations, including existing contracts.
DORA has a significant impact on all financial entities and their technology partners, as the regulation requires them to:
The DORA regulation thus provides for minimum mandatory contractual provisions that apply regardless of the criticality of the services (notably regarding the description of service levels, audit rights and termination), as well as additional provisions for contractual arrangements supporting critical or important functions.
Finally, the regulation also establishes an oversight framework for critical IT service providers, which will be subject to increased risk management requirements.
General overview
The DORA regulation has a very broad scope and covers almost the entire financial sector. It applies to twenty-one categories of entities, including credit institutions, payment institutions, electronic money institutions, insurance undertakings and management companies. It also applies directly to third-party IT service providers.
DORA aims in general to improve the IT operational resilience of financial entities, in particular by:
These obligations necessarily lead to internal transformations for the financial entities concerned but also have a major impact on their technological partners.
Focus on the framework for risks related to third-party IT service providers
The DORA regulation addresses the risks associated with IT providers in two ways:
According to Article 28 of the Regulation, financial entities must comply with general principles in their relations with third-party IT service providers, resulting in particular in:
More specifically, Article 30 of the Regulation also provides a list of elements that shall at least be included in all contracts between a financial entity and an IT provider, including:
For IT services supporting critical or important functions, further obligations apply, including those relating to:
The regulation also encourages the European Supervisory Authorities (ESAs) to develop standard contractual clauses for particular services, to be adopted by the European Commission.
The Regulation establishes an oversight framework for critical IT service providers, which will be designated by the ESAs on the basis of various criteria: systemic impact on the stability, continuity or quality of the provision of financial services, the extent to which financial entities rely on them, their degree of substitutability, etc.
Oversight of critical IT service providers consists of an assessment of the rules, procedures, mechanisms and arrangements to manage the IT risks they may pose to financial entities. Within this framework, the overseers have broad powers, including the power to request all relevant information and documents, to conduct general investigations and inspections or to issue recommendations.
This body of rules will have an impact on all parties, both in terms of processes and contractual relationships, and will have to be implemented within a timeframe that is very short given the scope of the work required to comply with the regulation by the date it enters into force.