
29 April 2024

DORA, the Digital Operational Resilience Act, entered into force on 16 January 2023, and will apply as of 17 January 2025.

For those procurement and contracting teams tasked with achieving compliance with the NIS directives, as well as the European Banking Authority’s (EBA) Guidelines on ICT and Security Risk Management, and the EBA Guidelines on Outsourcing Arrangements (“the Guidelines”), the scope and remit of DORA will seem quite familiar.

However, important distinctions among the regulatory frameworks exist, which will require in-house teams to once again revisit their vendor supply chains to understand the additional steps necessary to achieve compliance.

This article is designed to provide guidance to in-house legal and procurement teams to understand how to achieve DORA contracts compliance at a practical level, with discussion of the contours and overlap of the Guidelines and DORA.

DORA: Will a legislative mandate alter negotiating strategy?

DORA is binding on the entities within its mandate. The various EBA Guidelines, on the other hand, including the EBA Guidelines on Outsourcing of Critical Functions, EBA/GL/2019/02, (hereinafter the “Guidelines”), are not mandatory and were designated as criteria or a framework to be “considered” by entities within their remit.

Nonetheless, the various Member States have for many years implemented the Guidelines as if binding, and compliance with them is effectively part of regulator expectations. The Central Bank of Ireland, for example, has directed that all regulated entities ensure compliance with the Guidelines’ contract requirements and definitions.1 Despite the dictates of the individual Member States’ competent authorities, regulated entities continue to face challenges in negotiating key contractual clauses, particularly those around subcontracting, access rights, transition arrangements and termination rights.

One of the stated purposes of DORA is to remove these negotiation stumbling blocks.

Regulators have noted that, “financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements . . . such as access or audit rights, even when the latter are enshrined in their contractual arrangements.” 2

The drafters observed that because, “ICT third party service providers often provide standardised services to different types of clients, such contractual arrangements do not always cater adequately for the individual or specific needs of financial industry actors.”

In-house legal teams and procurement specialists tasked with negotiating with service providers will be well familiar with these challenges. A common argument made by service providers during negotiations is that certain clauses must be limited because the service provider offers a “one-to-many” service.

For this reason, the service provider refuses to offer bespoke subcontracting clauses or individualised SLAs despite a demonstrated need for them. Similarly, service providers understandably push back on transition periods where service transfer risks are allocated to them or they are required to take on onerous audit and reporting requirements without adequate cost-sharing.

The question then is whether DORA will facilitate negotiations for service providers and regulated entities in line with its legislative intent. Although the contract requirements are now “enshrined” in Union Law, DORA does not go as far as requiring a particular party to shoulder the costs of, for example, audit and access rights or transition periods, which have been perennial areas of discussion in Guidelines addenda negotiations.

As an exception, DORA does require ICT service providers to assist regulated entities at no additional cost (or at a pre-determined cost) in the event of an ICT incident. Putting aside the generality of the term “assistance”, the reality is that most ICT service provider SLAs offer service credits for periods of downtime, and incident monitoring and response is integrated within the service offering, contractual KPIs and associated fees, so whether this additional term will have any teeth remains open.

Likewise, DORA now offers clarity on subcontracting, the permissibility of it, and the conditions on which it is allowed. But the Guidelines already provide quite detailed and prescriptive obligations around subcontracting (DORA is markedly less so) and thus the additional value of “truly binding” legislation is difficult to quantify.

Perhaps because the focus of DORA is on ICT service providers, rather than all outsourced critical functions, the negotiation pain points will be minimised. In other words, ICT service providers are already in the business of providing continuous, secure and optimal service, supported by robust security testing and measures and a commitment to openness via audit and access rights. By contrast, the provider of an outsourced back-office treasury function (for example) has less incentive to soften negotiations on some of the more contentious Guidelines clauses (and arguably greater cost exposure).

Contract portfolios: From guidelines compliance to DORA compliance

As noted, both DORA and the Guidelines seek to allocate risk and responsibility between regulated entities and their service providers by legislating the contractual relationship between them. However, as the remit of DORA and the Guidelines is different, previous efforts to “remediate” contracts to ensure compliance with the Guidelines will likely be insufficient to meet DORA, at least in some instances.

DORA is both broader and narrower in scope than the Guidelines. DORA addresses itself to the financial sector’s dependence on ICT services (even those that are not considered as outsourced), while the Guidelines govern outsourcing of critical functions, including those that are not ICT services.

Procurement and in-house teams will know that the Guidelines require firms first to assess whether a particular service is “outsourced” and, if so, whether it is “critical” and, therefore, within the remit of the Guidelines. The Guidelines offer some examples of which arrangements are not “outsourcing”. They include those functions legally required to be performed by a service provider (e.g. a statutory audit); activities related to regulated services; market information services; and global network infrastructures, among others.

Institutions should consider functions as “critical” under the Guidelines if “a defect or failure in its performance would materially impair . . . continuing compliance with the conditions of their authorisations, [their regulatory obligations]; their financial performance; or the soundness or continuity of their banking and payment services and activities”.3

Unsurprisingly, businesses have struggled to classify outsourced and critical functions, as addressed by the Central Bank in its 2018 discussion paper, and in some instances, particularly in the fields of market research or cybersecurity, parties reached negotiation stalemates over whether a function was outsourced and critical.4

DORA, in contrast, puts its focus on all ICT contracts and requires all such arrangements to include specified contractual provisions, most of which will be familiar to those businesses that worked through a Guidelines compliance exercise.

If an ICT services contract “supports” a “critical or important function” then, under DORA, that contract must include certain additional requirements, which again substantially overlap with the Guidelines’ contractual requirements (with some deviations).

DORA’s definition of a critical or important function is materially similar to the definition of “critical” in the Guidelines (which in turn was based on its uses in the 2014 Directive on Markets in Financial Instruments (MiFID II) and the second Payment Services Directive (PSD2)). Thus, in considering which ICT services contracts support “critical” functions under DORA, firms may consider those deemed critical under the Guidelines.

DORA does not make any exception for intra-group ICT service providers, and, as such, intragroup contractual arrangements must include the DORA contract requirements, as well as the additional requirements when those contracts support critical functions.5 The Guidelines took a similar view, in that the regulators considered intragroup and branch activities “outsourced” for the purpose of the Guidelines.

A side-by-side comparison of the Guidelines’ contracting requirements to the DORA contract requirements shows substantial overlap. Notably, however, where the Guidelines set out quite detailed requirements in relation to subcontracting, termination and transition arrangements, DORA is far more flexible, with fewer prescriptive measures. The major new contracting requirements in DORA centre on:

  1. “Participation” by the ICT service providers in the regulated entity’s security awareness programmes and resilience training. In some ways, this is not a new requirement in that the Guidelines always envisioned monitoring of outsourced providers’ security protocols, the provision of audit and access rights and reporting requirements. The major distinction here is in the word “participate”, which suggests a level of collaboration not previously envisaged by the Guidelines. Notably, however, once again DORA does not dictate which party is to absorb the cost of additional participants in the programmes and training.
  2. The ICT service provider must provide assistance in relation to incidents in respect of its service, either at a pre-agreed cost or no cost. As discussed above, the reality is that many ICT service providers include incident response and triage within their fees.

As is evident from the above, compliance with the Guidelines’ contracts requirements will go a long way toward compliance with those set out in DORA and a simple updating exercise may be sufficient to address the minimum language requirements (notably no specific language is required by the statute, though it is recommended that parties consider the use of standard clauses developed by public authorities for specified services). However, as discussed below, mere linguistic similarity will only go so far.

Procurement: Beyond contracts compliance

One of DORA’s more interesting requirements is the minimisation of concentration risk, though this is not a novel concept. The Guidelines (12 and 14) require regulated entities to consider concentration risk within the context of risk assessment and monitoring of performance of the outsourced function.

Under DORA, this requirement has become enshrined in Union law, albeit in much the same precatory language as used in the Guidelines. Whether this consideration will have any effect on negotiations remains to be seen, and DORA makes it quite clear that it is unwilling to draw lines in the sand with regard to minimal levels of risk so as to avoid interfering with contractual freedom.

Risk concentration and resilience go hand-in-hand, and contractual freedom of choice, if truly available, is a reflection of greater resilience. DORA mandates that regulated entities revisit their procurement mix to assess concentration risk: unlike the Guidelines, which focus only on outsourced functions, DORA requires entities to consider which functions are supported by ICT services, the nature (criticality) of those functions and, in turn, whether those functions sub-outsource any of their work to other suppliers supported by the same ICT service (for example).

Whether to move on- or off-premise or take on a supplier based on the cloud provider used are choices that will sit alongside considerations such as cost, technology synergies and efficiency.

The question then becomes how risk concentration will affect bargaining power. Greater concentration risk suggests limited contractual freedom, not only in the choice of supplier but in the parties’ relative bargaining power.

One would hope, however, that significant ICT providers dealing with a large part of the regulated market will ultimately understand and develop a consistent and compliant approach to their general contractual arrangements with regulated entities (particularly if similar issues were raised by multiple regulated entities).

Again, while DORA’s contractual clauses are now Union law, it is unclear whether parties will find greater contractual leverage than when negotiating the Guidelines clauses. Interestingly, DORA appoints a Lead Overseer role, who will be tasked with identifying risk both toward individual regulated entities and the entire financial ecosystem. But the role does not extend to contractual governance.

Summary

Procurement and in-house teams that are tasked in the coming months with ensuring compliance with DORA’s contractual requirements will find much of the groundwork done if there has been a previous Guidelines compliance exercise.

However, important distinctions remain. In the short term, firms should therefore actively engage with new and existing service providers to determine how to map compliance.

How can KPMG Law help?

With significant experience in drafting and negotiating licence, SaaS and other service/technology agreements, and assisting businesses in drafting contracts to win commercial success while achieving regulatory compliance, KPMG Law is best-placed to assist you in your DORA compliance journey.

Contact the team

Nicole Walsh

Head of Outsourcing and Commercial Contracts


Footnotes

  1. Central Bank of Ireland, Guidance Note Outsourcing Register Template, July 2023, available at Guidance Notes Outsourcing Register Template Markets Firms (centralbank.ie). The Central Bank also has its own separate Cross-sectoral Guidelines on Outsourcing which apply to all regulated entities and broadly mirror the EBA Guidelines, with some additions / clarifications.
  2. DORA, Recitals 28 and 29, Regulation (EU) 2022/2554.
  3. EBA Guidelines on outsourcing arrangements, EBA/GL/2019/02 (25 February 2019)
  4. Outsourcing - Findings and Issues for Discussion (centralbank.ie) (commenting on previous regulatory frameworks and guidance of the EU).
  5. DORA (Art. 31) subjects some ICT service providers to direct oversight by the European Supervisory Authorities, but excludes from this group intra-group service providers. In the preamble, the regulators note that a risk assessment must take into account the fact that intragroup services are under direct control of the regulated entities, which is presumably why they have been excluded from Article 31.