ESMA_QA_2160
Topic
Register of information
18/04/2024
Subject Matter
DORA compliance contractual template to be provided by the ESAs for FEs / ICT providers
Question
Contractual agreements need to be updated to ensure that they are DORA compliant, yet Financial Entities (FEs) do not know when standard contractual clauses will be provided by the relevant public authorities following Article 30.4 of Regulation (EU) 2022/2554. We understand that if standard contractual clauses are not provided by the relevant public authorities in due time, then the legal departments of FEs and ICT providers will potentially need to develop their own contractual clauses and templates, which will not only create a huge amount of work, duplicated by the different parties, and potentially misinterpretation of the regulation, but will lead to protracted contractual negotiations between the FEs and the ICT providers over which template should be used to cover the services provided, i.e. the template designed by the FE or the template designed by the ICT provider, and which will undoubtedly lead to a situation whereby the FEs and ICT providers are required to manage multiple different contractual arrangements (which in turn will generate tremendous additional supervisory efforts regarding the different provisions implemented).
Could you please kindly confirm the expected date when the relevant public authorities will release a first draft of the DORA compliant standard contractual clauses and template to be used by the FEs and ICT providers?
Notwithstanding the fact that the abovementioned article refers to standard clauses for certain specific services, the financial sector has claimed the publication of standard contractual clauses under DORA. This will not only ease negotiations between FEs and ICT providers but will also enforce the contractual security framework, as fewer misinterpretations of DORA will take place.
Additionally, critical ICT providers are still to be designated by the ESAs and, therefore, negotiations between FEs and ICT providers have not started yet in most of the cases. Therefore, we strongly request that consideration be given to the possibility of establishing a transitional period to adapt the contracts to the framework established by DORA.
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
ESMA_QA_2159
Topic
ICT risk management
18/04/2024
Subject Matter
Intragroup ICT service providers consideration regarding the preliminary assessment of ICT concentration risk.
Question
When conducting the preliminary assessment of potential ICT concentration risk associated with an ICT service provider, as stipulated in Regulation 2022/2054 and its corresponding draft RTS on subcontracting ICT services supporting critical or important functions, what treatment should be applied to ICT intra-group service providers? In other words, are financial entities (FEs) required to consider this concentration risk for ICT intra-group service providers? Alternatively, would the exemption outlined in Regulation 2022/2054 article 31.8(iii) apply, thereby meaning that this risk should not be considered for intra-group service providers?

REGIS-TR SA seeks further clarification on this matter, given that the DORA Regulation establishes that
- ‘While intra-group provision of ICT services entails specific risks and benefits, it should not be automatically considered less risky than the provision of ICT services by providers outside of a financial group and should therefore be subject to the same regulatory framework. However, when ICT services are provided from within the same financial group, financial entities might have a higher level of control over intra-group providers, which ought to be taken into account in the overall risk assessment’.

Similarly, article 28.4(c) states that
- ‘Before entering into a contractual arrangement on the use of ICT services, financial entities shall: (c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29’.


Furthermore, the aforementioned article 29 covers the considerations and risks to take into account in relation to ICT service providers supporting critical or important functions, when performing the preliminary assessment of ICT concentration risk.

Additionally, the draft RTS on ‘the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions’ also explains that
- ‘ICT intragroup subcontractors, including the ones fully or collectively owned by financial entities within the same institutional protection scheme, providing ICT services supporting critical or important functions should be considered as ICT third-party services providers. Intragroup ICT subcontracting should not be treated differently from subcontracting outside of the group. The risks posed by those ICT intragroup subcontractors may be different but the requirements applicable to them are the same in accordance with Regulation (EU) 2022/2054. When the use of ICT subcontractors is permitted, then those also include ICT intragroup subcontractors’, thereby making no distinction between intra-group and external service providers.

Due to these reasons, we are uncertain about whether the exemption outlined in Regulation 2022/2054 article 31.8(iii) would apply; or if exposure to ICT intragroup service providers should also be considered during the preliminary assessment of ICT concentration risk.
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
ESMA_QA_2137
Topic
Appropriateness
19/03/2024
Subject Matter
Non-complex structured deposits
Question
If a structured deposit has only one variable affecting the return received on maturity (the agreed term), and has an exit fee that is either a fixed sum, a fixed sum for each month remaining until maturity (the agreed term) or a percentage of the original sum invested, would it still be considered a non-complex financial instrument, in accordance with point (v) of Article 25(4)(a) of MiFID II, if the client is entitled to receive the positive market value of the underlying option, if any, if the client exits prematurely, e.g. in the event of an unforeseen liquidity requirement? If the structured deposit is exited prematurely, and not on the agreed upon maturity date, the market value of the underlying option will depend on more than one variable, i.e. the underlying index, the volatility of the index, time to maturity.
Level 1 Regulation
Markets in Financial Instruments Directive II (MiFID II) Directive 2014/65/EU - Investor Protection and Intermediaries
ESMA_QA_2100
Topic
Digital operational resilience testing
05/02/2024
Subject Matter
Cross-border Market Jurisdiction
Question
Would an EU-based Firm providing ICT Services wholly to non-EU-based Firms be deemed in or out of scope for DORA?
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
ESMA_QA_2099
Topic
Other DORA topics
05/02/2024
Subject Matter
The activities of credit bureaus (credit reporting agencies)
Question
The activities of credit bureaus (credit reporting agencies) are not directly referenced within the scope of DORA. These services may not traditionally be seen as "ICT Services", but they could be interpreted as "data services provided through ICT systems". Are these intended to be within scope for ICT services?
Level 1 Regulation
Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)