The Digital Operational Resilience Act (DORA) takes effect from 17 January 2025. While your business may not fall within the definition of a “financial entity” under DORA, you may not have escaped its tentacles.
If you are a third-party service provider providing information and communication technology services to certain financial entities, you may be impacted by DORA as an “ICT third party service provider” and will need to align your services and contractual arrangements with DORA to support the financial entities’ compliance requirements.
“ICT services” is broadly defined in DORA and covers all types of digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. This broad definition also means that ICT third-party service providers will cover a multitude of suppliers, such as software suppliers, consultancy and managed ICT services, providers of cloud services, data analytics, cybersecurity and data centres. Certain critical ICT third-party service providers will be designated under DORA by European Supervisory Authorities, and those designated providers will be subject to specific obligations under DORA.
The Central Bank of Ireland held a DORA Industry Briefing on 6 November 2024 where it reminded firms that “DORA is a regulation targeting the EU-wide ecosystem designed to enhance digital operational resilience both at the entity and system wide level”.
In addition, the Central Bank reminded firms that:
The DORA toolkit will help to further boost operational resilience by setting out requirements about how firms must approach their own operational risk, resilience and recovery. Furthermore, and given the ever increasing reliance on third-party providers, DORA puts in place requirements as to how financial entities must approach the management of their relationships with third party service providers. This is a crucial aspect given the way in which digitalisation is a phenomenon which has relied to an unprecedented extent on outsourcing and subcontracting as the means to harness change.
Submissions by financial entities of related registers of information to the Central Bank are expected during the first week of April 2025 and this information will also be used to assess if an ICT third party service provider should be designated as a critical ICT third party service provider, falling under the direct supervision of a European Supervisory Authority.
If you require assistance in assessing the application of DORA to your business, please contact David Naughton at dnaughton@lkshields.ie or Katrina Smyth at ksmyth@lkshields.ie in our Financial Services team, or Jane O’Grady at jogrady@lkshields.ie in our Technology and Innovation team.