What does DORA mean for UK financial services businesses?
The EU Digital Operational Resilience Act (“DORA”), which will apply from 17 January 2025, is the latest instalment in the regulation of IT outsourcing for the EU financial services sector.
Whilst DORA is an EU regulation, it will have an impact on UK:
financial services businesses with operations in the EU; and
IT service providers supporting EU in-scope financial services businesses.
For UK businesses not directly affected by DORA, the regime is still relevant insofar as it may be an indication of the direction of travel for UK regulation.
DORA includes a host of risk management and operational requirements. However, the focus of this article is on what DORA means for contracts of those businesses that find themselves in scope.
What’s different?
Much of DORA will be familiar to financial services businesses already subject to existing regimes like SYSC 8 and the EBA Outsourcing Guidelines.
However, DORA differs from those regimes in that it:
is applicable to more financial services businesses and more contracts;
introduces some new operational and contractual requirements; and
includes reporting requirements not found in other regimes.
It will therefore likely necessitate a re-evaluation of existing contracts and practices, even for those businesses that are already relatively mature when it comes to operational resilience.
Who’s in scope
Most notably, DORA is more far-reaching than other regimes of its nature in that it applies directly to:
a broader range of financial services businesses; and
IT third-party service providers supplying in-scope financial services businesses with digital and data services.
Furthermore, any third-party service provider who has been designated as “critical” in accordance with DORA (“Critical IT Service Provider”) will be subject to enhanced direct regulation.
Criticality of services
Traditionally, regulation of outsourcing in the financial services industry has been focussed on the outsourcing of critical or important functions, and the contracts that support that outsourcing.
DORA changes this in that it brings all IT service contracts in scope, albeit with a two-tier approach based on the criticality of the service. This means that certain contractual requirements now apply to all IT service contracts, regardless of their criticality.
While organisations with a more mature compliance programme may already be applying similar levels of scrutiny across contracts for critical and less-critical arrangements, this may come as a shock to those organisations that have (fairly) focused their efforts on the contracts they were strictly required to scrutinise.
This change will not only directly impact financial services businesses’ due diligence and remediation backlogs, but some of the requirements applicable to all IT service contracts may require businesses to review their subscription levels.
For example, depending on guidance and how such requirements are ultimately enforced, the requirement to have an SLA and to have access to support may require financial services businesses to procure more costly enterprise-level subscriptions for non-critical services where they otherwise would not have done so, directly impacting business units’ budgets.
Critical IT Service Providers’ EU subsidiaries
In-scope financial services businesses are only able to contract with Critical IT Service Providers established in a non-EU country if that provider has established a subsidiary in the EU within 12 months of its designation as ‘critical’.
Specific contractual requirements
Not dissimilar to Article 28 GDPR, but unlike any existing financial services operational resilience regulation, DORA requires in-scope businesses and their IT service providers to have certain contractual provisions in place.
Many of these contractual provisions have always been considered best practice for critical services, but, absent an absolute requirement to have them, many organisations will previously have taken a risk-based approach on including them where they’ve had significant push-back from suppliers.
The requirement to ensure these provisions are in place applies directly to the IT service provider – not solely to the financial services business. This, in theory, makes it “both parties’ problem”, which will hopefully make the “whose problem it is” argument in negotiations moot.
Recording and reporting requirements
In-scope financial services businesses are required to maintain and update a register of information on their IT service contracts, which they will need to make available to the regulator on request.
Financial services businesses will also need to report to the regulator annually on, among other things, the number of new contracts and the types of those contracts.
Further, given DORA’s specific contractual requirements, it is likely that part of any audit would include spot checks on financial services businesses’ in-scope contracts. Therefore, it would be advisable for financial services businesses to be armed with the relevant contractual metadata ahead of time as opposed to starting from scratch upon an audit request.
Contractual requirements that may prove difficult in practice
Some of the contractual provisions that DORA requires may prove challenging to agree in practice (or at least not without significant cost to the financial services business), such as the requirement for:
IT service providers to participate in a financial services business’ security awareness programme and digital operational resilience training – which is likely impossible for a SaaS vendor to do, even if the customer is willing to pay; and
a termination right if something happens that could change what the services do or how they’re provided, or which changes the circumstances of the supplier (such as a change of control or a significant change of financial covenant) – for many this may end up being a termination for convenience with early exit charges.
While some of the above additional requirements may be achievable with professional service providers who have a more flexible offering, they are very unlikely to be achievable with SaaS vendors or other vendors with a standardised service offering, even if a financial services business is willing to pay for it.
There are other requirements that, dependent on the way they are ultimately interpreted, may be at odds with the way in which IT is typically procured nowadays, particularly for less critical services. For example:
a requirement for “clear and complete” service descriptions. Whilst this may still be common for bespoke systems and very critical applications, it is very uncommon for more off-the-shelf SaaS where organisations buy off the back of a discovery process/trial/pilot; and
a requirement that the contract specify the regions and countries from which the service and all sub-contracted services are provided. For some services that are geographically dispersed by design, this may be impossible to do at contract stage or at all (at least to any degree of useful specificity).
In the case of those requirements that prove impractical to implement, it is likely that the regulator will need to engage with financial services businesses and IT service providers on how they should be implementing these requirements in practice.
We have already seen this to a certain extent with the European Supervisory Authorities making changes to their final advice by limiting certain reporting requirements to critical or important functions only.
How can Tacit help?
DORA ushers in a new era of regulatory scrutiny for financial services businesses, one which requires more day-to-day scrutiny of contracts, more record keeping and more reporting.
Our managed contracts solution allows in-house teams to scale up their capacity rapidly, and we create structured data about an organisation's contractual risk as we go, making gap analysis, ongoing compliance and reporting under DORA a doddle.