
DORA: Essential Contractual Clauses for the Digital Resilience of Financial Entities

The Digital Operational Resilience Act (DORA) Regulation imposes new requirements on financial entities regarding cybersecurity and digital operational resilience. One of the key tools to comply with these demands is the inclusion of specific contractual clauses in agreements with third-party ICT service providers. These clauses are crucial to ensure business continuity, data protection, and the ability to respond to security incidents.


Typology of Fundamental Contractual Clauses and Their Requirements:

The DORA Regulation mandates that contracts with third-party ICT service providers include, at a minimum, the following clauses:

  1. Comprehensive Description of Functions and Services: It is necessary to precisely detail all functions and services that the provider will deliver to the financial entity, including, for example, the development and maintenance of applications, cloud storage, network management, cybersecurity services, etc.
  2. Service Delivery and Data Processing Locations: The contract must specify where the services will be provided and where data will be processed, both within and outside the European Union.
  3. Service Level Agreements (SLAs): The expected service levels must be clearly defined in terms of availability, performance, and response time.
  4. ICT Risk Monitoring: The contract must include clauses allowing the financial entity to continuously monitor ICT-related risks, such as periodic reports on security status and incidents.
  5. Security and Data Protection Guarantees: The provider must ensure the accessibility, availability, integrity, security, and protection of personal data processed under the contract, complying with applicable data protection regulations.
  6. Data Access and Recovery in Case of Insolvency: Mechanisms must be established to ensure that the financial entity can access, recover, and restore its data in the event of the provider’s insolvency, resolution, or operational disruption.
  7. Cooperation with Authorities: The provider must be obligated to fully cooperate with competent authorities and the financial entity’s resolution authorities in the event of security incidents or investigations.
  8. Contract Termination: The termination rights and minimum notice periods for ending the contract must be established, taking into account the expectations of competent authorities and resolution authorities.

By ensuring that contracts with third-party ICT service providers include these fundamental clauses, financial entities can take proactive measures to protect their technological infrastructure and minimize cybersecurity-related risks.
