The Digital Operational Resilience Act (DORA) will start to apply on 17 January 2025. With the cut-off date now only weeks away, the clock is ticking for financial entities to address their regulatory requirements under the new EU regulation.
We are here focusing on DORA’s fourth pillar, specifically with regards to contractual arrangements with ICT third-party service providers and the register of information.
Executives recognise cyber resilience as a core priority. As a matter of fact - despite the current climate and geopolitical challenges - an increasing number of organisations are planning to invest in cyber resilience in the next two years, according to PwC’s latest Global Crisis and Resilience Survey.
With DORA in sight, compliance is now non-negotiable for EU organisations which fall within scope. Failure to respect the provisions of the regulation can lead to fines of up to two percent of an entity’s total annual worldwide turnover.
As a reminder, DORA has introduced a five-pillar framework comprising ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Around 22,000 EU regulated entities such as banks, insurance companies and investment firms are expected to adhere to the security and resilience standards across the five pillars by January 2025.
With regards to third-party risk management, given the growing reliance of financial entities on ICT third-party service providers (ICT TPPs) in recent years, DORA has introduced a number of requirements to manage the risks related to such relationships:
As highlighted above, financial entities must keep as part of their ICT risk management framework a detailed register of information. The document captures various details of their contractual arrangements with ICT TPPs, including the location of the ICT services, the notice period for termination, or the annual expenses related to a service provider.
It should be noted that entities must either provide the full register or specific sections of it to the competent supervisory authority upon request.
In addition, the related draft Implementing Technical Standards (ITS) developed by the European Supervisory Authorities look to provide a standardised approach to compiling the register and to ICT TPP risk management in general. In this regard, knowledge of the ITS is often key to interpreting and adequately populating the multiple sections of the register.
Article 30 of DORA outlines the standard provisions required in the contractual arrangements between financial entities and their ICT TPPs. In practice, there is often an imbalance between the parties, as in-scope organisations (especially smaller ones) face difficulties in negotiating their contractual terms with the very large players.
DORA in this regard looks to introduce a level playing field, providing for specific rights - such as access or audit rights - to be included in favour of financial entities. Such safeguards, according to the legislation’s preamble, will allow for the ‘fully-fledged monitoring of subcontracting processes’ and give EU financial entities the ability to assess the respective risks.
Going forward, some of the key requirements that financial entities need to include in their contractual arrangements with ICT TPPs are:
At PwC Malta, our Privacy & Data team has the experience to help your organisation address its ICT third-party risk management challenges under DORA. We can assist you in the updating and reviewing of your contractual clauses to ensure they are aligned with DORA's requirements. We can also support you in populating and maintaining the register of information, and carry out periodic reviews to ensure it remains up-to-date. For more information, please reach out to our sector leaders below.