Digital Operational Resilience Act (DORA)

Implementing DORA contractual requirements for ICT service providers to EU financial entities

The Digital Operational Resilience Act (DORA) seeks to consolidate and upgrade information communication technologies (ICT) risk requirements for EU financial entities to help mitigate the risks associated with rapid digitalisation and growing interconnections and dependencies within the financial sector and with third-party infrastructure and service providers.

This includes targeted rules on ICT third party risk management, with specific contractual requirements for ICT service provision. The key contractual requirements are set out both in the text of DORA itself, and within additional regulatory technical standards (RTSs), the first tranche of which was released in January 2024 with the second tranche to be released by 17 July 2024.

How does DORA differ from existing outsourcing requirements?

A number of the contractual requirements set out in DORA and the RTSs are consistent with the outsourcing guidelines and the ICT security risk management guidelines issued by EBA, ESMA and/or EIOPA (Existing Requirements). However, DORA builds on these and differs in a number of important respects, including:

DORA provides obligations for both the financial entities and the ICT service providers, while the Existing Requirements only provide obligations for the financial entities.
DORA is much more prescriptive in relation to contract clauses than the Existing Requirements (which provide high level provisions on ICT security, risk management and resilience (e.g. as regards ICT incident handling procedures)

Financial entities that have already achieved, or are on the path to achieving, compliance with the Existing Requirements will have less work to do to meet the new DORA contractual requirements, but action will still be required.

DORA also contains a special oversight mechanism for those designated critical ICT service providers. This is in parallel to similar developments in the UK through the proposed Critical Third Parties regime.

What do financial entities need to do to ensure compliance with DORA contractual requirements?

Financial entities need to conduct a review exercise to identify the extent of compliance with the new DORA contractual requirements and develop a plan to ensure compliance is achieved in both existing and new ICT service contracts.

Typical activities include:

Discovery and mapping: Identify and locate all ICT third party contracts, review and categorise them according to DORA requirements (to the extent not already achieved in complying with existing regulations)
Gap analysis: Identify the gaps in compliance with DORA contractual requirements
Remediation: Review and update templates and contracting standards to meet new requirements, develop a plan for remediation of legacy ICT contracts
Outreach and negotiation: Carry out contract remediation as per the plan, reaching out to all ICT third parties and negotiating DORA amendments.

‘Time is of the essence’. The final RTSs are due to be finalised by 17 July 2024, and contractual requirements must be met by 17 January 2025.

How can PwC help?

Our multidisciplinary team of commercial lawyers and paralegals, TPRM specialists and technologists have the expertise and experience to help clients meet the challenge of DORA contractual compliance. We have significant experience of working alongside our clients on similar compliance journeys, using a technology enabled discovery and contract remediation model that has evolved through supporting many clients. We often work as a strategic partner, either in relation to certain aspects or from end to end.

Contact us

Jenny Chambers

Director, Legal Business Solutions, PwC United Kingdom

Tel: +44 (0)7710 037509

Raj Chavda

Senior Manager, Legal Business Solutions, PwC United Kingdom

Tel: +44 (0)7483 387500