
02.04.2025
DORA: Contract Clauses. Beyond the Basics: Deepening Contractual Requirements for Robust Digital Resilience

The DORA Regulation, in its effort to ensure the digital operational resilience of the financial sector, establishes a set of fundamental contractual requirements for relationships between financial entities and third-party ICT service providers.
However, to effectively control the risks associated with these services and ensure business continuity, it is necessary to go beyond these basic provisions.
In this regard, contracts for the provision of ICT services that support essential or important functions must include additional clauses that allow financial entities to maintain full control over events that may affect their ICT security. These complementary clauses should specify the following:
1.- Detailed Service Levels:
Contracts must include comprehensive descriptions of service levels, with precise quantitative and qualitative performance objectives. This will enable financial entities to measure the provider’s performance and take timely corrective actions in case of non-compliance.
2.- Notification of Changes:
Third-party ICT service providers must be obligated to promptly notify the financial entity of any changes that may significantly affect their ability to deliver the contracted services. This obligation will allow the financial entity to assess the impact of such changes and take necessary measures to mitigate risks.
3.- Contingency and Security Plans:
Providers must have robust contingency plans and apply appropriate information security measures to ensure service continuity in the event of incidents. Additionally, they must be willing to participate in penetration tests conducted by the financial entity to evaluate the effectiveness of their security measures.
4.- Cooperation in Penetration Testing:
The financial entity must have the right to conduct threat-based penetration tests on the provider’s systems to identify vulnerabilities and evaluate the effectiveness of their security measures. The provider, in turn, must fully cooperate in these tests and provide the necessary information.

If you found this article interesting, don't hesitate to read:
DORA and Digital Trust: The Value of Standard Contractual Clauses for Cloud Services
In summary, the DORA Regulation establishes a robust regulatory framework for digital operational resilience in the financial sector. However, to ensure optimal protection, financial entities must go beyond the minimum requirements and negotiate contracts that include detailed and demanding clauses regarding service levels, notification of changes, contingency plans, and security. In this way, financial entities can build a strong defense against cyber threats and ensure the continuity of their operations.
If you liked this article, you might also find the following reading interesting:
DORA: Essential Contractual Clauses for the Digital Resilience of Financial Entities