In this third article of our series on the EU's Digital Operational Resilience Act (DORA), we look at the requirements imposed on financial services institutions when procuring ICT services from third parties. This article is written from the perspective of the financial services institutions themselves. However, it will be followed by an article exploring what IT service providers should be doing to ensure that they are prepared for the regulation.
This article forms part of a series of articles we are publishing with our thoughts on each of the key topics covered by DORA. For an introduction to DORA, an overview of who is covered, and how the legislation interacts with other key cyber security laws, please see our article 'Dora is coming'. For an overview of the rules on incident management, classification and reporting, please see our article 'ICT incident management'.
The management of ICT third party risk is a topic that has been the subject of a great deal of regulatory scrutiny in recent years in the context of broader operational resilience initiatives, in both the European Union and the United Kingdom. Regulations such as the EU's NIS Directive and NIS 2 Directive and the UK Network and Information Systems Regulations have shone the spotlight on the importance of containing ICT risk in upholding the stability of the economy at large. For more information on those pieces of legislation, please see our previous articles NIS Directive and NIS 2 Directive.
There is a clear consensus forming amongst regulators that resilience can only be achieved where every link in the supply chain is brought up to a minimum standard of cyber security. Where industry sectors are increasingly reliant on IT services for conduct of their day-to-day operations, it is no surprise that the spotlight is being shone on IT service providers.
In very few sectors is this as relevant as in financial services. As Recital 2 of DORA makes clear: "The use of ICT has in the past decades gained a pivotal role in the provision of financial services, to the point where it has now acquired a critical importance in the operation of typical daily functions of all financial entities."
What do we mean by ICT third party risk?
Given the remit of DORA is to improve operational resilience at every level of the financial services sector, it is no surprise that the regulation casts the net widely when defining ICT third-party risk.
Article 3(18) defines the concept as "an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements".
An 'ICT risk', per Article 3(5), is "any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment".
Meanwhile, 'ICT services' per Article 3(21) are any "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services", and 'ICT third-party service providers' are simply any "undertaking providing ICT services".
As Recitals 35 and 63 to DORA make clear, these are intentionally broad definitions designed to keep pace with technological developments. The key takeaway for firms is this: if any aspect of your operations is outsourced to a third-party IT provider, it is highly likely that you will need to comply with these provisions.
Interestingly, the regulation extends the definition of ICT third-party service providers to intra-group providers of services. As Recital 63 of DORA states: "undertakings which are part of a financial group and provide ICT services predominantly to their parent undertaking, or to subsidiaries or branches of their parent undertaking, as well as financial entities providing ICT services to other financial entities, should also be considered as ICT third-party service providers under this Regulation."
In the payment services space specifically, Recital 63 provides that "in light of the evolving payment services market becoming increasingly dependent on complex technical solutions, and in view of emerging types of payment services and payment-related solutions, participants in the payment services ecosystem, providing payment-processing activities, or operating payment infrastructures, should also be considered to be ICT third-party service providers under this Regulation".
Why is this new regulatory regime necessary?
If you are a financial services institution, you may be asking: why is this necessary? For several years now, financial services organisations operating in the European Union have been required to adhere to the principles contained in the European Banking Authority's Guidelines on Outsourcing Arrangements of 2019 and the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 2021, including where applicable their national equivalents (for example, the Prudential Regulation Authority's rules on outsourcing and third party risk management in the UK). In response to those principles, many financial services institutions will have already uplifted their cyber resilience policies and contractual arrangements with third party providers.
The reason for this renewed regulatory focus at a European level is to ensure harmonisation of approaches across all Member States, as well as an acknowledgment that as IT interdependencies become more complex there is the need for pan-national regulation. As Recital 29 of DORA makes clear: "Even though Union financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into Union law. In the absence of clear and bespoke Union standards applying to the contractual arrangements concluded with ICT third-party service providers, the external source of ICT risk is not comprehensively addressed …"
What are the requirements?
Article 28 sets out the "General principles" for the "sound management of ICT third party risk". Before diving into the details of the requirements, the Article details two overarching principles, namely:
- firms that use third party ICT services to run their business operations remain ultimately responsible for compliance with their legal and regulatory responsibilities; and
- firms can have regard to the principle of proportionality in their management of third-party ICT risk (taking into account a range of specified matters – see below for more information on what this means in practice).
Subject always to the above core principles, there are a number of requirements imposed by Article 28 that firms will need to review and ensure that they can comply with, which may involve adjusting existing processes and/or implementing additional processes. Such requirements include:
ICT third-party risk strategy: Save for some limited exceptions (primarily, micro-enterprises), firms must adopt and regularly review a strategy on ICT third-party risk as part of their broader ICT risk management framework. This must include a policy on the use of ICT services provided by third-party providers supporting critical or important functions (i.e. those "the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law"). Further, the management body of the firm must, on the basis of an assessment of the overall risk profile of the entity and the scale and complexity of the business services, regularly review the risks identified in respect of contracts on the use of ICT services that support critical or important functions.
Maintenance of register: Firms are required to maintain and update a register of information in relation to all contracts with third-party service providers – which must be "appropriately documented" and distinguish between those ICT services that support critical or important functions and those that do not. The register, or specified sections thereof, must be made available upon request by a competent authority, along with any information "deemed necessary to enable the effective supervision" of the firm.
Reporting: Firms are required to:
- report yearly to competent authorities on the number of new arrangements involving the use of third-party service providers, the categories of third-party service providers, the type of contracts in place and the ICT services and functions being provided; and
- inform the competent authority "in a timely manner" of any planned contractual arrangements involving the use of ICT services supporting critical or important functions (as well as when a function has become critical or important).
Pre-contract due diligence: Prior to entering into a contract for the use of ICT services, firms will be required to consider various matters including:
- identifying and assessing "all relevant risks" in relation to the contract, including the possibility that such contract may lead to:
  - contracting with a third-party service provider that is not easily substitutable; or
  - having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same third-party service provider or with closely connected third-party service providers;
- weighing up the costs and benefits of alternative solutions, including, where the contractual arrangements include the possibility of subcontracting ICT services supporting a critical or important function to other ICT third-party service providers, weighing up the benefits and risks that may arise in connection with such subcontracting (in particular where the subcontractor is overseas);
- where the contract concerns ICT services supporting critical or important functions, considering the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraints relating to the urgent recovery of the financial entity’s data;
- where a contract on the use of ICT services supporting critical or important functions is concluded with an overseas provider, considering the compliance with EU data protection rules and the effective enforcement of the law in that third country;
- where a contract on the use of ICT services supporting critical or important functions provides for subcontracting, assessing whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions;
- identifying and assessing any conflicts of interest that the proposed contract may cause; and
- assessing compliance by the ICT third-party service providers with "appropriate information security standards". Where the contract concerns critical or important functions, firms must take due consideration of the use by the third-party service provider of "the most up-to-date and highest quality information security standards".
Access, audit and inspection: In exercising access, inspection and audit rights over ICT third-party service providers, financial entities must, on the basis of a "risk-based approach", pre-determine the frequency of audits and inspections over third-party service providers and the areas to be audited. Where the ICT services entail high technical complexity, firms must verify that the relevant auditors possess appropriate skills and knowledge to effectively perform the audits and assessments.
Exit strategies: Financial entities must ensure that the contracts they have in place for the use of ICT services may be terminated in any of the following circumstances:
- significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
- circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;
- ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; and
- where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
Where the ICT services support critical or important functions, firms are additionally required to put in place exit strategies. These must:
- take into account risks that may emerge at the level of the third-party service provider, including (amongst others) a failure on their part, a deterioration of the quality of the ICT service provided, any business disruption due to inappropriate or failed provision of ICT services and termination of the contract with the third-party service provider for cause; and
- be comprehensive, documented and, having regard to the principle of proportionality, sufficiently tested and reviewed periodically.
Firms must ensure that they are able to exit contractual arrangements without (i) disruption to their business activities, (ii) limiting compliance with regulatory requirements, or (iii) detriment to the continuity and quality of services provided to clients.
Firms must identify alternative solutions and develop transition plans enabling them to remove the relevant ICT services and data from the third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house. They must also have in place appropriate business continuity measures in the event of an ICT service failure.
Once a financial entity has decided to enter into a contract with an ICT third-party provider, DORA sets out prescriptive rules regarding the form the contract is required to take and its contents.
Article 30(1) provides that the contract must be in writing, and the full contract must "include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format".
Irrespective of the criticality or importance of the function supported by the ICT services, the contract must contain at least the following elements, set out in Article 30(2):
- a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
- the locations where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third party service provider to notify the financial entity in advance if it envisages changing such locations;
- provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
- provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
- service level descriptions;
- the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
- the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
- termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities; and
- the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training.
Where the contract relates to ICT services supporting critical or important functions, it must also include:
- full service level descriptions, including updates and revisions to those with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
- notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
- requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
- the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s threat-led penetration testing, as referred to in Articles 26 and 27;
- the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
  - unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
  - the right to agree on alternative assurance levels if other clients’ rights are affected;
  - the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
  - the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
- exit strategies, in particular the establishment of a mandatory adequate transition period:
  - during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring; and
  - allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
The proportionality principle
Fortunately for small and medium-sized financial entities, as with many of the requirements under DORA, the strict provisions of the regulation are tempered somewhat by the underpinning principle of proportionality.
Proportionality is a theme that is pervasive throughout DORA (and much other European legislation). Unfortunately, there is no clear-cut definition of what would be proportionate in a given context – this will come down to a case-by-case analysis. However, in the context of managing third-party ICT risk, Articles 4(2) and 28(1)(b) are clear that the application of the rules shall be proportionate to the entities' "size and overall risk profile", and that in determining the steps required firms should consider the "nature, scale, complexity and importance of their ICT-related dependencies" and "the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities".
This will require firms to perform a detailed analysis of each of their ICT vendors to understand how the relevant services support their operations, and the potential consequences (in particular for end-customers) if there are service delivery or performance issues.
There is clearly quite a lot of detail to work through here. As a preliminary step, firms will need to understand all of the requirements imposed by DORA, and then do some investigatory work to understand which of those requirements are currently being met, and which are not. For many sophisticated financial services organisations, it may well be that the majority of these requirements are being met either in whole or in part, given existing compliance regimes with the EBA / ESMA Guidelines.
Once it is established where the gaps are, firms can then start to plan how to plug the gaps. In particular, firms will need to consider how they will document their compliance with the requirements so as to ensure that, if a regulator comes calling, they have the necessary records to evidence compliance (for example, in relation to pre-contract due diligence, the approach decided upon in relation to the frequency of audits, exit strategies, etc.).
In terms of updating contractual terms, our strong advice is this: there's no time like the present. Especially where contractual arrangements relate to core business operations, we would expect re-negotiation of terms or putting in place of new contracts to take quite some time – start that work now, rather than be at risk of non-compliance when the regulation comes into force.
For those financial entities who are frequent procurers of IT services, we would encourage you to think about whether it is worth developing "standard form" clauses that can be proactively proposed to suppliers in this space to meet the requirements of the regulation in a "customer-friendly" manner (or, where you have standard clauses already, updating those). We anticipate that much of the disagreement between financial entities and their suppliers will not be over the types of provisions that need to be included in contracts, but rather over the detail of how those are drafted and who bears the risk (and costs) of matters which are not prescribed in the legislation.
To help firms comply with the detailed requirements, the European Supervisory Authorities will be developing draft technical standards which, amongst other things, will:
- establish standard templates for the register of information which firms are required to maintain regarding their contractual arrangements with ICT third-party service providers;
- specify the detailed content required for the policy firms need to put in place regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers; and
- specify the matters which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
These must be submitted to the European Commission by 17 January 2024. Firms will therefore need to retain a degree of flexibility and agility to enable them to respond to any further detail that emerges from the draft technical standards.
Get in touch
If you would like to speak to one of our DORA experts, please get in touch with Jonathan Rehbein (firstname.lastname@example.org) to arrange a free 30 minute consultation.