DORA is Here - Key Considerations for Financial Services Firms
The Digital Operational Resilience Act formally enters into force on 17 January 2025. We examine some of the negotiation friction points associated with DORA-enforced changes faced by financial services firms when agreeing contractual arrangements with technology and data service providers. We also focus on the Act’s regulation of third-party ICT contracting.
What you need to know
- The Digital Operational Resilience Act will apply from 17 January 2025.
- DORA compliance is not a zero-sum game. To agree contract changes quickly, financial entities should critically analyse any DORA addendums they are seeking to impose from an ICT supplier’s perspective. Doing so reduces the friction associated with getting the changes in place while still ensuring DORA compliance.
- The uncertainty regarding some of the subcontracting regulatory technical standards has been causing a delay to financial entities and ICT providers agreeing the necessary contract uplifts for DORA compliance.
Introduction
“DORA” or the Digital Operational Resilience Act[1] will apply from 17 January 2025. The European Supervisory Authorities (ESAs), which comprise the European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority, published a statement on 4 December 2024. The statement called on financial entities and third-party ICT providers to “advance their preparations to ensure their readiness”. We examine some of the current negotiation friction points associated with contract changes required for DORA compliance.
Negotiating contractual changes
As one would expect, many in-scope financial entities' contract remediation exercises are ongoing at this stage. Given that the process is subject to the agreement of a third party, well-advised financial entities have been adopting a pragmatic approach when negotiating contract changes with their third-party ICT providers in order to comply with DORA ahead of the upcoming deadline.
In our experience, these exercises are assisted greatly by financial entities critically analysing their DORA addendum, or the relevant DORA provisions they are seeking to impose, from a supplier’s perspective. This initial review can reduce delays, because financial entities then avoid seeking to impose terms that sophisticated ICT providers are unlikely to accept. Even where changes are presented as required for DORA compliance, in our experience they often are not.
The DORA requirements relating to termination rights are an example of where this balance can be achieved. Some of the termination triggers prescribed by DORA are not set out in contractual language. It is therefore unlikely that a well-advised ICT supplier would agree to the DORA termination triggers as drafted, on the basis that they are broad, vague and arguably onerous. For example, DORA requires that ICT contracts can be terminated in the event that
“circumstances identified throughout the monitoring of ICT third-party risk […] are deemed capable of altering the performance of the functions provided through the contractual arrangement […]”.
To ensure DORA-required changes can be agreed efficiently, in-scope financial entities and ICT providers may prefer to adopt a pragmatic approach to this type of vague requirement, translating the DORA provision into workable contractual mechanisms. That process can include reviewing the financial entity’s existing termination rights to ensure the contract can be terminated in the event of insolvency or change of control of the ICT provider, or if the ICT provider materially breaches the agreement.
Regulatory technical standards
As well as the DORA regulation itself applying from 17 January, the adopted regulatory technical standards, or ‘RTS’, and guidelines developed by the ESAs will also apply from this date. The uncertainty concerning some of the RTS has been causing delays in some contract remediation exercises.
In particular, the European Commission is currently finalising its review of the RTS on subcontracting, which includes requirements relating to third-party contracting. It stated in December that adoption is planned for early 2025. The European Commission also said it expects in-scope entities to take into consideration the content of any DORA implementing acts that have been adopted by the European Commission but not yet scrutinised by the European Parliament and the European Council and published in final form.
The delay in approving the subcontracting RTS has led to uncertainty, as the contractual requirements it contains must be reflected in any contract between financial entities and their relevant ICT providers. However, because the RTS has not yet been finalised, some ICT providers are understandably slow to agree to the current publicly available version. As a result, once the subcontracting RTS is eventually adopted, financial entities may have to undertake another round of contract variations to reflect its finalised requirements.
Comment
The DORA application date of 17 January 2025 will bring a renewed focus and urgency to contract variation negotiations between financial entities and relevant ICT providers. We recommend that in-scope financial entities who have not already engaged in remediation exercises with their relevant ICT providers do so now without further delay to ensure that their contracting arrangements comply with DORA.
Although the final approved subcontracting RTS is not yet clear, parties can consider the current draft, and undertake any necessary steps that can be taken now to ensure that these technical standards can be incorporated as soon as they are adopted by the European Commission.
If you have any queries about how DORA will impact your organisation, please contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector