Subject Matter
DORA compliance contractual template to be provided by the ESA’s for FE’s / ICT providers
Question
Contractual agreements need to be updated to ensure that they are DORA compliant, yet Financial Entities (FE’s) do not know when standard contractual clauses will be provided by the relevant public authorities following Article 30.4 of Regulation (EU) 2022/2554. We understand that if standard contractual clauses are not provided by the relevant public authorities in due time, then the legal departments of FE’s and ICT providers will potentially need to develop their own contractual clauses and templates, which will not only create a huge amount of work, duplicated by the different parties, and potentially misinterpretation of the regulation, but will lead to protracted contractual negotiations between the FE’s and the ICT providers over which template should be used to cover the services provided, i.e. the template designed by the FE, or the template designed by the ICT provider, and which will undoubtedly lead to a situation whereby the FE’s and ICT providers are required to manage multiple different contractual arrangements (which in turn will generate tremendous additional supervisory effort regarding the different provisions implemented).
Could you please kindly confirm the expected date when the relevant public authorities will release a first draft of the DORA compliant standard contractual clauses and template to be used by the FE’s and ICT providers?
Notwithstanding the fact that the abovementioned article refers to standard clauses for certain specific services, the financial sector has claimed the publication of standard contractual clauses under DORA. This will not only ease negotiations between FE’s and ICT providers but will also enforce the contractual security framework, as fewer misinterpretations of DORA will take place.
Additionally, critical ICT providers are still to be designated by the ESAs and, therefore, negotiations between FE’s and ICT providers have not started yet in most of the cases. Therefore, we strongly request that consideration be given to the possibility of establishing a transitional period to adapt the contracts to the framework established by DORA.
Subject Matter
Intragroup ICT service providers consideration regarding the preliminary assessment of ICT concentration risk.
Question
When conducting the preliminary assessment of potential ICT concentration risk associated with an ICT service provider, as stipulated in Regulation 2022/2054 and its corresponding draft RTS on subcontracting ICT services supporting critical or important functions, what treatment should be applied to ICT intra-group service providers? In other words, are financial entities (FEs) required to consider this concentration risk for ICT intra-group service providers? Alternatively, would the exemption outlined in Regulation 2022/2054 article 31.8(iii) apply, thereby meaning that this risk should not be considered for intra-group service providers?

REGIS-TR SA seeks further clarification on this matter, given that the DORA Regulation establishes that
- ‘While intra-group provision of ICT services entails specific risks and benefits, it should not be automatically considered less risky than the provision of ICT services by providers outside of a financial group and should therefore be subject to the same regulatory framework. However, when ICT services are provided from within the same financial group, financial entities might have a higher level of control over intra-group providers, which ought to be taken into account in the overall risk assessment’.

Similarly, article 28.4(c) states that
- ‘Before entering into a contractual arrangement on the use of ICT services, financial entities shall: (c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29’.


Furthermore, the aforementioned article 29 covers the considerations and risks to take into account in relation to ICT service providers supporting critical or important functions, when performing the preliminary assessment of ICT concentration risk.

Additionally, the draft RTS on ‘the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions’ also explains that
- ‘ICT intragroup subcontractors, including the ones fully or collectively owned by financial entities within the same institutional protection scheme, providing ICT services supporting critical or important functions should be considered as ICT third-party services providers. Intragroup ICT subcontracting should not be treated differently from subcontracting outside of the group. The risks posed by those ICT intragroup subcontractors may be different but the requirements applicable to them are the same in accordance with Regulation (EU) 2022/2054. When the use of ICT subcontractors is permitted, then those also include ICT intragroup subcontractors’, thereby making no distinction between intra-group and external service providers.

Due to these reasons, we are uncertain about whether the exemption outlined in Regulation 2022/2054 article 31.8(iii) would apply, or if exposure to ICT intragroup service providers should also be considered during the preliminary assessment of ICT concentration risk.
Subject Matter
Understanding of time limits of intermediate reports for major related ICT incidents
Question
Is our understanding of Article 6 of the RTS correct, that an institution should submit more than one intermediate report for a major ICT incident, if that incident continues over the 72-hour threshold for the initial intermediate report?
Art. 6 states that an institution has to submit a report in case that after 72 hours the incident is not resolved or when the incident is resolved. Our understanding is that the "or" means that an institution has to submit more than one report in case that the incident is resolved after more than 72 hours.
Subject Matter
Application of DORA for outsourced critical services that are not ICT
Question
My questions relate to the scenario where a UK financial services firm, or an offshore financial services firm (e.g. in Guernsey), provides services to an EU financial services firm.
For example, consider the scenario where an EU financial services firm outsources its fund management to a UK asset management firm to manage a fund. Would the EU firm be expected to have sought reassurance from the UK fund manager that the UK firm is also compliant with DORA?
Thanks in advance for your help.