The implementation deadline for the Digital Operational Resilience Act, or DORA, is fast approaching. The financial sector has until January 17, 2025, to make all arrangements to comply with the new rules.
In the first part of our blog series on DORA, we looked at the general content of the EU regulation. You can read the details here: “DORA: Digital Operational Resilience Act EN | Fabasoft Contracts”.
In this article, we now specifically address the obligations that arise for financial companies from a compliance and contract management perspective.
Due diligence obligations of the management
The management of financial firms has ultimate responsibility for compliance, the regulation stipulates, "The management body of the financial firm defines, approves, monitors and is responsible for the implementation of all arrangements related to the ICT risk management framework.“¹
The duties of the management body include:
- The establishment of guidelines to maintain high standards of data confidentiality, authenticity, integrity and availability.
- Developing and approving the digital operational resilience strategy and setting tolerance levels for ICT risk in line with the financial enterprise's risk appetite.
- Authorizing and monitoring the ICT business continuity guideline and ICT response and recovery plans.
- To approve and continuously review the internal audit plans, ICT audit and guidelines related to agreements with ICT third party service providers.
- The allocation of appropriate budget resources for ICT risk management, including training and awareness programs for the employees.
- The completion of regular specialized training in order to be able to assess ICT risks and their consequences.
In the event of non-compliance, the competent financial supervisory authorities "may impose administrative sanctions and remedial measures on members of the management body, as well as on other natural persons responsible for the breach under national law, subject to the conditions applicable under national law."²
Stricter regulations for contracts with third-party service providers
When concluding contracts with ICT service providers, the EU sets high requirements in terms of information security. If the agreements concern critical or important functions, financial companies must check in advance whether those providers "apply the latest and highest quality standards for information security“.³
The DORA regulation also sets out a number of requirements in terms of content. In particular, the agreements must contain the following details:
- Comprehensive description of all functions, ICT services and service quality
- Data protection regulations regarding confidentiality, authenticity, integrity and availability of the information
- Obligation of the provider to support the financial company if an ICT incident occurs that is related to a service provided to the financial company
- Provisions for third-party ICT service providers to participate in ICT security and cyber resilience awareness programs and training provided by financial firms
- Important reasons for termination, such as mandatory termination if the third-party ICT service provider violates laws, contract terms, or other regulations
- Termination rights and associated minimum notice periods
In order to regulate these contents in a uniform manner, the European Supervisory Authorities (ESA) will develop standard contractual clauses by Jan. 17, 2024, which must be applied in the future when setting up contracts between financial companies and ICT third-party service providers.
In the event of an engagement, however, the financial companies will remain fully responsible for compliance with all requirements at all times.
Traceable documentation and reporting requirements
All measures to safeguard digital operational resilience must be documented by financial companies in a comprehensible and audit-proof manner. The financial supervisory authority has the right to be provided with all information as required.
In addition, a reassessment and reporting on individual points must be carried out annually or on a situational basis (in the event of major⁴ ICT incidents, on supervisory instruction, and as a result of tests and audits). These include ICT-relevant roles and functions in operations, the ICT risk management framework, and the ICT risk of service providers. All critical and important ICT systems must also undergo regular reviews of their operational stability by independent internal or external parties.
With regard to the contract portfolio, financial companies are obliged to keep an information register of all agreements with ICT third-party service providers. The services are categorized according to whether or not they fulfill a critical or important function. Upon request, the responsible parties must provide the authorities with all or a specific extract from the information register. In addition, there is a requirement to report annually on the number of new contracts and the corresponding classification of ICT third-party service providers. Which national authority acts as the central reporting point is to be defined by the respective EU member states.
Conclusion: Need for automation
To comply with the DORA regulation, financial companies need to take action at different levels. These extend far beyond the direct measures of ICT risk management (such as surveying and assessing the risks of current IT systems and third-party service providers, defining measures when an incident occurs, controlling, etc.).
In particular, the high requirements for contract management, including the strict specifications for contract content and the associated obligations to provide evidence, have a significant impact on internal business processes. Manual tools make it difficult for companies to cope with the workload involved (especially in preparation for audit and review situations).
A smart digital contract management tool provides considerable support at various levels of action, including the
- audit-proof documentation of all information,
- verifiable execution of mandated due diligence activities,
- compliance with all contractual requirements,
- standardized report generation and
- responding to ad hoc requests.
Read how to implement these provisions of DORA with Fabasoft Contracts in the next blog.
¹ Art 5 Par 2 DORA
² Art 50 Par 5 DORA
³ Art 28 Par 5 DORA
⁴ Art 3 DORA: “‘major ICT-related incident’ means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity”