Are your contracts “DORA-proof”?

The Regulation on digital operational resilience for the financial sector is an EU regulation (2022/2554) that entered into force on 16 January 2023 and will apply as from 17 January 2025. This Digital Operational Resilience Act, commonly known as DORA, applies to financial institutions such as banks, payment providers, and investment companies.

This Regulation fills a critical gap in EU financial regulation across financial sectors. Before DORA, financial institutions mainly managed their risks by allocating capital to cover potential losses. This approach could not offer complete protection against specific operational risks, especially risks that pertain to information and communication technology (ICT). The Regulation emphasizes that ICT incidents and a lack of operational resilience can threaten the stability of the financial system, even when the applicable capital requirements are met.

DORA aims to ensure that operational resilience concerns not only financial buffers but also the ability to withstand and recover from ICT disruptions. With DORA, financial institutions must follow strict guidelines for preventing and dealing with ICT-related incidents. This includes measures for prevention, detection, and management of ICT risks, and for the recovery and repair of ICT incidents. DORA also introduces rules on testing operational resilience and on how to manage external ICT service providers.

The latter subject-matter is an important section in the DORA Regulation, given that financial institutions call on external ICT service providers all the time. Financial institutions must abide by the following (among other binding obligations):

  • review third-party ICT service providers thoroughly and evaluate whether the services offered concern critical or essential functions;
  • keep an information register and update all contractual arrangements concerning the use of the services delivered by third-party ICT service providers;
  • report yearly to the responsible authorities (which are the NBB (National Bank of Belgium) and the FSMA (Financial Services and Markets Authority)) about the number of new contracts for the use of ICT services, the categories of third-party ICT service providers, the types of contractual arrangements, and the ICT services and functions that are delivered;
  • guarantee that these contracts can be terminated in specific circumstances, without disrupting their business activities.

DORA requires that all contracts with third-party ICT service providers be set out in “a written document.” The contract must contain several mandatory clauses, including:

  • a clear and complete description of all the functions and ICT services that the third-party ICT service provider will deliver, stating whether the outsourcing supports an ICT service that is a critical or essential function;
  • the rights of parties to terminate the contract and the minimum termination notice period that must be given;
  • the obligation of the third-party ICT service provider to provide assistance, without extra cost or in return for a predetermined price, if an incident occurs that relates to the ICT service provided to the financial institution;
  • as regards ICT services that support a critical or essential function, the contract must contain specific provisions, such as reporting obligations, provisions on the continuity of services, and security measures.

DORA requires that parties consider the use of model contractual clauses that governmental agencies have developed for specific types of services. These model provisions will be published later.

Our team can help you align your contracts with the new regulation, which applies from 17 January 2025.
