Updated Thursday, September 26, 2024

How to implement DORA in your company: Use of third-party ICT providers under DORA (Part 2)

The Digital Operational Resilience Act (DORA) will apply from January 17, 2025. While a first Insight (Part 1) provided an overview of the addressees and requirements of DORA, this article sheds light on the contractual adaptation obligations when using third-party ICT providers.

Steffen Groß

Partner (Attorney-at-law)

Leon Neumann

Scientific Research Assistant

Jakob Riediger

Scientific Research Assistant

I. Specific implementation instructions
II. Risk management in the use of third-party ICT providers: Due diligence
III. Contract adaptation
IV. Overview of required contractual content


DORA also addresses the risks arising from the use of ICT services provided by third-party ICT providers. According to Art. 3 no. 21 DORA, “ICT services” are digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services. The definition is very broad and covers practically every service associated with information and communication technology.

It should also be noted that the range of contractual arrangements covered has been significantly expanded compared to the previous rules on IT outsourcing. Previously, the contractual requirements related only to material outsourcing, whereas DORA now covers every contractual arrangement for ICT services procured from a third-party ICT service provider. As a result, many situations will fall under both the outsourcing rules and DORA; the requirements then apply in parallel and complement each other.


I. Specific implementation instructions

In practice, every ICT service must be classified as either critical or non-critical (i.e. as supporting a critical or important function or not), and the corresponding minimum requirements must be reflected in the contract. It is particularly important to document exactly where in the contract each minimum content is agreed. Because contracts with external service providers often consist of several documents (framework agreement, service level agreements, annexes, etc.), this task requires a considerable amount of time and ties up corresponding resources.

Step 1: Applicability of DORA (see Part 1)
For DORA to apply, one party to the contract must be a financial entity within the scope of DORA and the other a third-party ICT service provider. Furthermore, the contract in question must be a contractual arrangement for the use of ICT services provided by that third-party ICT service provider.

Step 2: Classification of the service used (see IV. 6.)
In order to determine the specific DORA requirements, it must be determined whether the ICT service serves to support critical and important functions within the meaning of Art. 3 No. 22 DORA.

Step 3: Determining the minimum contractual content (see II.-IV.)
Depending on the classification, the minimum contractual content must then be determined. It results from Art. 28 to 30 DORA. For contracts that were already treated as outsourcing, the requirements of Art. 30 DORA are largely similar to those of AT 9 of MaRisk and of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. A greater need for adjustment is likely for contracts that were previously classified only as “other external procurement of IT services” and were therefore not subject to those contractual requirements.

Step 4: Comparison of the existing service contract
The minimum contractual content identified must be compared with the existing service contract.

Step 5: Amendment or revision of the contract
Finally, the missing contractual content must be added. Depending on how extensive the gaps are, a comprehensive revision of the contract may make sense. According to BaFin, the significant expansion of the scope of application and the mandatory contractual content will in many cases make it necessary to renegotiate or amend a large number of contracts with third-party ICT providers.


II. Risk management in the use of third-party ICT providers: Due diligence

Financial entities that use external ICT service providers must assess and monitor the risks of these third parties before the contract is concluded and throughout the entire period of cooperation. The aim is to conduct a thorough review of the third-party provider's ICT security practices and capabilities to ensure that the third-party provider is able to meet the contractually agreed security requirements.

Art. 28 DORA contains a detailed list of general principles for the risk management of ICT service providers, including several principles relating to contractual arrangements. Here is a summary of the key content:

Appropriate documentation of contractual arrangements (Art. 28 para. 3 DORA): Financial entities shall maintain and update a register of information relating to all contractual arrangements for the use of ICT services, distinguishing between those that support critical or important functions and those that do not. The contractual arrangements themselves shall be appropriately documented.

Reporting to the competent authority (Art. 28 para. 3 DORA): Financial entities shall report at least once a year on the number of new arrangements on (1) the use of ICT services, (2) the categories of third-party ICT service providers, (3) the type of contractual arrangement and (4) the ICT services and functions provided.

Duty to provide information (Art. 28 para. 3 DORA): Financial entities shall inform the competent authority in a timely manner of any planned contractual arrangement for the use of ICT services supporting critical or important functions, and whenever a function has become critical or important.

Pre-contractual assessment obligations (Art. 28 para. 4 DORA): Due diligence must be carried out when selecting a service provider. Before concluding a contract with an ICT service provider, the financial entity must: (1) assess whether a critical or important function is affected, (2) assess whether the supervisory conditions for awarding the contract are met, (3) identify and assess all relevant risks, including the possibility of contributing to ICT concentration risk, (4) carry out an appropriate selection and assessment process for the third-party service provider and (5) identify and assess conflicts of interest.


III. Contract adaptation

The regulation differentiates between ICT services that support critical or important functions and those that do not. Extensive requirements apply to both types of ICT service, including requirements for the drafting of contracts with the respective service providers. Financial entities must therefore not only take technical measures, but also review their existing contracts, because ICT risk arises not only from the use of in-house technology but also from the integration of third-party providers.

For this reason, Art. 30 para. 2 DORA sets out the minimum content of all contractual arrangements on the use of ICT services between financial entities and ICT third-party service providers, regardless of whether they qualify as outsourcing. Art. 30 para. 3 DORA adds further minimum content for contracts on ICT services supporting critical or important functions.

In this regard, BaFin has published non-binding implementation instructions and an overview of the minimum contractual content that contracts between supervised entities and third-party ICT service providers must contain. According to BaFin, around 70 minimum contents must be contractually agreed for critical ICT services, while around 20 minimum contents are required for non-critical ICT services.

The financial entities themselves remain responsible for compliance with and fulfilment of all obligations under DORA at all times, and must therefore ensure that these obligations are actually met. Thus, even in the practically frequent case that a financial entity is presented with a model agreement by its technical service provider, the financial entity itself must check whether that agreement meets the legal requirements and what risk the contracted service entails.


IV. Overview of required contractual content

1. General requirements for the contract

Art. 30 para. 1 DORA: The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.

Pursuant to Art. 30 para. 2 lit. a DORA, the contract must contain: a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting.

2. Security standards (Art. 28 para. 5 DORA)

Art. 28 para. 5 DORA: Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.

Which security standard is appropriate in an individual case depends largely on whether the ICT service supports critical or important functions. The contract should include an assurance from the service provider that it will maintain the required security standard or certification for the term of the agreement, together with the consequences if the ICT provider is unable to comply or if audits lead to findings: the timeframe for remedying the deficiencies and the exit strategy that could be applied in such a case.

3. Handling of data (Art. 30 para. 2 lit. b-d DORA)

The DORA also sets out specific requirements for the handling of data. This includes determining the locations where the contracted and subcontracted ICT services are provided and where the data is stored. There is also a reporting obligation in the event of a change of location. Provisions on availability, authenticity, integrity and confidentiality must be defined to protect personal and non-personal data. Furthermore, regulations are required to ensure access to the data as well as its recovery and return in the event of insolvency, dissolution, cessation of operations of the ICT provider or termination of the agreement.

4. Termination rights (Art. 28 para. 7, Art. 30 para. 2 lit. h DORA)

The contract must also provide for the possibility of termination by the financial entity in the circumstances listed in Art. 28 para. 7 DORA, for example a significant breach of applicable law or of the contractual terms by the provider. The termination rights and the corresponding conditions must be clearly defined, including the minimum notice periods, and must be formulated in accordance with the expectations of the competent authorities and resolution authorities (Art. 30 para. 2 lit. h DORA). To ensure clarity, details such as what constitutes a material breach under the particular contract should also be specified.

5. Subcontracting (Art. 29 para. 2, Art. 30 para. 5 DORA)

As a rule, IT outsourcing takes place in a long chain of various subcontractors. Art. 29 para. 2 DORA places the monitoring of the subcontracting chain in the hands of the financial entity. It must ensure that it has a complete overview of the risks associated with subcontracting and must be able to effectively monitor, manage and mitigate the risks affecting the provision of ICT services supporting critical or important functions.

The Regulatory Technical Standard (RTS) under Art. 30 para. 5 DORA supplements the regulation with specific requirements for cases in which ICT third-party providers subcontract ICT services supporting critical or important functions. This allows financial entities to be relieved of some operational tasks, as ICT third-party service providers become responsible for their subcontractors and can carry out risk assessments and comprehensive monitoring of them.

As part of their ultimate responsibility, financial entities then carry out targeted monitoring, similar to “second-level controls”, which focuses on those subcontractors that significantly support critical or important functions. This degree of importance is described in the RTS as “effectively underpin”.

6. Additional requirements for ICT service providers that support critical or important functions

According to Art. 3 No. 22 DORA, critical or important functions are those whose failure would materially adversely affect the financial performance of a financial entity or the soundness or continuity of its operations and services, or whose interrupted, failed or omitted performance would materially adversely affect a financial entity's continued compliance with its licensing conditions and obligations or its other obligations under applicable financial services law.

Art. 30 para. 3 DORA contains additional contractual requirements for contracts with ICT service providers supporting critical or important functions. These include full service level descriptions with quantitative and qualitative performance targets (lit. a), notice periods and reporting obligations of the ICT third-party service provider to the financial entity (lit. b), requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place sufficiently secure ICT security measures, tools and policies (lit. c), and the obligation of the provider to participate and fully cooperate in the financial entity's threat-led penetration testing (lit. d).

Of particular relevance is the obligation to contractually grant unrestricted access, inspection and audit rights that serve to monitor the ICT service provider (lit. e). The audits can be carried out by the financial entity itself, by an appointed third party or by the competent authority, and the ICT service provider must cooperate fully in each case.

In accordance with Art. 28 para. 6 DORA, financial entities must determine in advance the frequency and scope of audits and inspections of third-party ICT service providers on the basis of a risk-based approach. Recognised audit standards and any supervisory instructions must be complied with. In the case of technically complex agreements with ICT service providers, financial entities must ensure that the internal or external auditors have the necessary skills and knowledge to carry out the audits and assessments effectively.

Furthermore, financial entities must put in place exit strategies in accordance with Art. 28 para. 8 and Art. 30 para. 3 lit. f DORA. These must be sufficiently detailed and be backed by contractual clauses that allow an exit without disruption to the financial entity's business activities, without limiting compliance with regulatory requirements and without detriment to the continuity and quality of the services. This requires a clear agreement on the necessary cooperation of the ICT provider during the transition, including liability provisions in the event of a lack of support, as well as provisions on data handling both during and after the exit.

7. Standard contractual clauses

When concluding contracts, standard contractual clauses developed by public authorities for specific services should be taken into account (Art. 30 para. 4 DORA). However, no such standard contractual clauses are currently available. As there are no extended transition periods for the adaptation of existing contractual agreements (such as risk analyses and contract content) and implementation must therefore take place within a few months, supervised entities should not wait for the publication to implement the minimum contract content.

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB

© 2019 - 2024 Simpliant