Around this time 25 years ago the world was counting down to the turn of a new century and, with it, the dreaded Y2K / Millennium Bug. Remember that? It was the bug that was anticipated to take down our technology and plunge us back into the stone age… Thankfully it didn’t.
A quarter of a century on, we have learnt to accept that technology, as great as it is, will sometimes have hiccups (not always malicious) and that even a tiny hic can have a negative impact on financial services. DORA (the Digital Operational Resilience Act) is a law that recognises this too, and it focuses on ensuring there are qualitative measures in place so that services can be restored with minimal delay in the event of an incident. So, let’s take a closer, but brief (it is nearly Christmas after all), look at what DORA is about and how it could affect your business and your contracts.
17 January 2025: that is the deadline by which financial entities must ensure they are DORA compliant.
Wait, you’re not in the EU and you’re not a financial entity, so why should you read on?
‘Financial entity’ is interpreted widely under DORA to include banks, investment firms, insurance companies, credit institutions and payment institutions (just to name a few). You might be thinking ‘this still does not describe my business’, but it could describe your client’s business, and if your client has to adhere to DORA it means they will need to ensure their supply chain (in which you are a link) has digital resilience.
Similarly, you may be based outside the EU, but your business network (your clients, your suppliers, etc.) may be operating in or from the EU.
But what does digital resilience mean?
Financial entities need to demonstrate that their customers can continue to receive an effective service even if an incident arises. This means the ICT providers from whom the financial entities receive services have to show that their services can recover and continue if something goes wrong.
Are you an ICT provider?
DORA has cast its net wide again here. If you are providing any digital or data services through information and communications technology (ICT) on an ongoing basis (this reaches as far as technical support delivered via software updates), then yes, you are.
Some ICT providers will be categorised as ‘critical providers’ by the European Supervisory Authorities (“ESAs”) from around mid-2025 (predicted timeline). You do not need to self-classify, but if your client is a financial entity they might ask you for some contract clarifications so that they can gather the information the ESAs need to make their designations. We won’t go into detail here about what it means if you’re deemed a critical provider, but if you are concerned or want more information please do contact us.
So you are providing ICT services to a financial entity that needs to comply with DORA by 17 January 2025. What does this mean for you, and how can we help?
If you haven’t already, you may soon be receiving requests to amend your contracts with such financial clients. Article 30 of DORA sets out the key contractual elements expected in contracts between financial entities and their ICT service providers, including:
- Service levels;
- Data locations;
- Protection of data;
- Sub-contracting details;
- Incident management;
- Termination rights.
What should you do with such a request?
Firstly, don’t panic. Take a look at the high-level list above: a lot of this should already be in your contracts as a matter of good practice anyway. Have a discussion with your customer and point them to the relevant parts of your contract.
If any of your existing contract provisions are not robust enough to satisfy the customer as to DORA compliance, or if your contract lacks a required provision altogether, then look at strengthening or adding the relevant provision(s) via an addendum to your contract.
A couple of tips:
- Article 30 of DORA is not intended to be treated as mandatory contractual language to be copied and pasted exactly into ICT services agreements. It is a list of principles that should be considered carefully and applied appropriately and proportionately to the nature and context of the services.
- Beware of commercial nice-to-haves that some clients might try to sneak into DORA contract addendums. If a request is not DORA related and does not concern cyber security, it is not a DORA requirement.
We can help you with any of the above so please don’t hesitate to contact us.