DORA impacts IT service providers

The EU regulation on digital operational resilience in the financial sector (Digital Operation Resilience Act – DORA, Regulation (EU) 2022/2554), which came into force on January 17, 2025, establishes comprehensive, uniform, and improved standards for risk management and cybersecurity for EU financial companies in the field of information technology (ICT). DORA not only affects financial companies, but also establishes a series of essential adjustment obligations for their IT service providers, graded according to their importance to the contractual partner. These include, among other things, the specific supplementation of existing IT service provider contracts in accordance with DORA requirements in order to avoid sanctions and otherwise imminent premature contract terminations. If implementation has not yet taken place, affected IT service providers should, in their own interest, take measures to make their contractual relationships with their clients in the financial industry “Dora-compliant.”

 

I. Application to ICT service providers

 

According to Art. 2 (1), Dora initially applies to a broad spectrum of financial companies operating within the EU. In addition to credit institutions and insurance companies, this includes payment services, investment firms, crypto service providers, and service providers for the provision of financial data.

 

Third-party ICT service providers (cf. Art. 2 (1) (u) DORA) are also directly or indirectly covered by the scope of the regulation. According to the definitions in Art. 3 No. 19 and No. 21 DORA, these are service providers who provide their services to their users for a certain period of time, including outsourcing service providers, cloud computing service providers, and providers of technical support for software or hardware applications. Conversely, DORA does not apply, for example, to sellers of software products if these are not accompanied by additional ongoing IT services (support, etc.). DORA further differentiates between critical third-party ICT service providers (Art. 3 No. 23 DORA) and other third-party ICT service providers.

 

The classification of service providers as critical third-party ICT service providers is carried out by the European Supervisory Authorities (ESA) and depends on whether, in the opinion of the authority, their services could have a systemic impact on the stability, continuity, or quality of the financial companies’ service provision (cf. Art. 31 (1) Dora). Such third-party ICT service providers classified as critical are subject to direct and extensive supervision by the competent authorities within the EU (cf. Art. 31, 33 DORA). These and other ICT service providers are also subject to indirect supervision and risk assessment by their contractual partners in the financial industry in accordance with DORA.

 

It should be noted that third-party ICT service providers based outside the EU (see the definition in Art. 3 No. 24 DORA) may also be subject to direct supervision by competent authorities or indirect supervision and risk assessment by their contractual partners when providing ICT services to EU financial companies, including within the framework of existing contracts.

 

II. Key areas of the DORA Regulation

 

In terms of content, the regulatory requirements of DORA cover five key areas. Firstly, improved ICT risk management, including a series of requirements and measures for improved governance, control, and organization, including internal documentation and review of ICT risks (see Art. 5 f. DORA).

 

An additional key area of the DORA Regulation consists of harmonized requirements for testing the digital operational resilience of financial companies (Art. 24 f. DORA). These include appropriate tests, including vulnerability assessments, network security assessments, performance tests, or penetration tests (Art. 25(1) DORA) up to extended tests (Art. 26 DORA) based on the TLPT (Thread-Led Penetration Testing) rules.

 

Central to all third-party ICT service providers are new DORA requirements for the risk management of financial companies vis-à-vis their third-party ICT service providers (Art. 28 f. DORA). In this regard, financial companies must, among other things, maintain a consolidated information register listing all contractual agreements, including any changes. As part of the necessary comprehensive monitoring of third-party ICT service providers, existing contracts must also be adapted (cf. Art. 30 Dora) and assessed in terms of concentration risks arising from the commissioning of certain third-party ICT service providers, including subcontractors. The fifth key area of the DORA Regulation consists of rules on the handling, classification, and reporting of ICT-related incidents and cyber threats (Art. 17 et seq. DORA).

 

The DORA Regulation is not applied in isolation. In many cases, there will be overlaps with other regulations and laws, such as the German Banking Act (KWG), the GDPR, or the NIS 2 Regulation. In addition, there are technical regulatory standards (RTS) issued by the competent authorities, such as RTS TPPol (Regulation (EU) 2024/1773) or RTS-SUB, some of which are not yet available or are not available in all EU languages. Further guidance on application can be provided by guidelines or notices from the competent authorities, in Germany for example the BaFin (https://www.bafin.de/DE/Aufsicht/DORA/DORA_node.html.

 

III. Impact on new and existing IT contracts

 

Both existing and new IT contracts must be measured against the standards of DORA from January 17, 2025, provided that they relate to ICT services in accordance with Art. 3 No. 21 DORA. As part of their risk management obligations, financial companies must assess the ICT third-party risk Art. 3 No. 18 DORA, from such contracts according to proportionality standards, and in particular assess ICT-related dependencies and risks of the contract due to the criticality or relevance of the IT services and the potential impact on the continuity and availability of their financial services, Art. 28 (1) b) DORA. The higher the risks of an IT contract, the more stringent its design and monitoring must be.

 

1. Before concluding a contract

 

Accordingly, before concluding a new ICT third-party service provider contract, a kind of due diligence (cf. Art. 28 (4) DORA) must be carried out and documented to determine whether

 

• the contract relates to services supporting a critical or important function of the financial institution;
• any regulatory conditions for the conclusion of the contract are met;
• a positive assessment of all relevant risks associated with the contract, including concentration risks, has been made;
• the potential third-party service provider appears suitable after assessment, and
• the conclusion of the contract does not give rise to any harmful conflicts of interest.

 

The financial institution must also ensure in advance that the potential contractual partner complies with appropriate and, when supporting critical or important functions of the financial institution, the latest and highest quality standards for information security (Art. 28 (5) DORA). To simplify the conclusion of contracts, affected third-party ICT service providers should proactively cooperate in providing information and evidence for this risk assessment from their sphere. In this context, third-party ICT service providers based in other EU countries should also provide information on how EU data protection law (GDPR, etc.) can be complied with and effectively enforced in their country of residence.

 

2. Additional contract content according to DORA

 

New third-party ICT service provider contracts or addenda to such existing contracts are subject to formal requirements under DORA, Art. 30 (1) DORA. In this respect, the parties should create a uniform document without electronic links to further contractual content. This can be done traditionally in writing with original signatures (wet ink) of the legal representatives of the parties, which in many cases may not be considered particularly practical. It is also possible to conclude a contract in an electronic, downloadable, durable, and accessible document (e.g., PDF) with at least a simple electronic signature (e.g., DocuSign, etc.).

 

Art. 30 (2) and (3) DORA contain a list of necessary supplementary contractual provisions for ICT third-party service provider contracts. Art. 30 (2) contains minimum elements for any such contracts. Namely:

 

• a clear and complete description of the functions and ICT services to be provided by the service provider, including rules on the permissibility of subcontracting and, in the case of support for critical or important functions of the client, the conditions for subcontracting. In the case of subcontracting, the provisions of the new RTS Sub (Delegated Regulation (EU) 2025/532) must be complied with;
• the locations where services are to be provided or data processed, including storage locations, with the requirement to notify the contracting authority in advance of any changes to such locations;
• Regulations on availability, authenticity, integrity, and confidentiality with regard to data protection, including the protection of personal data;
• Regulations to secure the client’s access to personal and non-personal data in the event of insolvency, liquidation, or cessation of business activities of the service provider or termination of the contract, including provisions for the restoration and return of such data in an easily accessible format;
• Descriptions of service quality (probably via an SLA);
• Free support from the third-party ICT service provider in the event of ICT incidents;
• Cooperation of the third-party ICT service provider with the competent authorities;
• Regulation of termination rights with minimum notice periods in accordance with the requirements of the competent authorities; and
• Regulations on the participation of employees of the third-party ICT service provider in training courses on ICT security and digital operational resilience provided by the financial company.

 

Article 30(3) contains additional and, in some cases, stricter minimum requirements for contracts for ICT services supporting critical or important functions of the financial company. These are:

 

• Complete descriptions of service quality with precise quantitative and qualitative performance targets (i.e., a qualified “sharp” SLA) to enable the client to monitor effectively and take immediate corrective action in the event of violations;
• the specification of notice periods and reporting obligations for the third-party ICT service provider, including reports of all events that could have a significant impact on the service provider’s ability to support critical or important functions in accordance with the contract. In this context, the grounds for termination pursuant to Art. 28 (7) DORA must also be taken into account;
• the implementation and testing of contingency plans by the third-party ICT service provider, as well as the provision of measures, tools, and guidelines to ensure an appropriate level of ICT security;
• the service provider’s obligation to participate in the TLPT test provided for in Articles 26 and 27 DORA and to cooperate fully in this test;
• the granting of unrestricted access, inspection, and audit rights to the client, an authorized third party, or a competent authority at the service provider’s premises, including the right to make copies if these are of crucial importance. Furthermore, the right to agree on alternative levels of confirmation if the rights of other customers are affected, the service provider’s obligation to cooperate fully in on-site inspections and audits, and the obligation to provide details on the scope and frequency of such inspections and the appropriate procedures to be followed; and
• the regulation of a reasonable exit strategy, in particular including the establishment of a binding, appropriate transition period during which the service provider continues to provide services in order to reduce the risk of disruption to the financial company or to ensure its orderly winding up and restructuring, and to enable the financial institution to switch to another third-party ICT service provider or to switch to internal solutions that correspond to the complexity of the services provided.

 

New third-party ICT service provider contracts or addenda to existing contracts should always include all the essential contractual provisions applicable under Article 30 DORA. Under no circumstances is it advisable to waive individual clauses that may be perceived as particularly detrimental, as this constitutes a sanctionable violation of the DORA Regulation, the right to terminate the contract without notice, or even its invalidity.

 

If an ICT third-party service provider refuses to make the necessary adjustments to an existing ICT service agreement, this will justify the financial company’s right to terminate the agreement, if necessary after prior warning with a threat of termination.

 

In their own interest, all affected third-party ICT service providers should, if they have not already done so, bring all service agreements with financial companies into line with the requirements of the DORA Regulation. This is also true because, in practice, EU financial companies will tend to impose additional or more stringent regulations beyond the minimum regulatory requirements, which third-party ICT service providers can better address with their own proposals.