Vincent Wellens, Ottavio Covolo and Sigrid Heirbrant. Photo: NautaDutilh Avocats Luxembourg

Financial institutions and ICT suppliers are intensively reviewing and updating their ICT contracts to ensure compliance with the upcoming Digital Operational Resilience Act (commonly known as DORA). DORA addresses the ICT risk of financial institutions (including insurance companies and fund managers) from a holistic perspective. It has a significant impact on their ICT contracts (including outsourced managed services, software agreements etc.).

The final sprint

After mapping their ICT contracts and identifying those covering critical or important functions, financial institutions are completing their DORA gap analysis and updating their contractual arrangements with their ICT suppliers.

The CSSF DORA readiness survey revealed that, as of last September, 70% of institutions considered themselves partially or not ready when it comes to ICT third-party risk management (CSSF, ), so a lot of work remains to be done before the deadline of 17 January 2025. This is challenging, as the latest Regulatory Technical Standards (RTS) on the subcontracting of ICT services, which are necessary for understanding the requirements, were adopted only at the end of July 2024.

The rise of the templates

Both financial institutions and ICT suppliers are adapting their model contracts, often with a template-based addendum (like data processing agreements, DPAs, when the GDPR entered into force).

Even when they receive templates from their ICT suppliers, financial institutions remain liable for DORA compliance. Templates should be adequate for medium to low-risk ICT services, with the proviso that, despite the template approach, several items must still be agreed upon. High-risk ICT services need a more tailored approach, which is especially challenging given the time constraints of both DORA and the busy nature of the end-of-year season.

Furthermore, the template approach may also run counter to the requirement that the complete contract between a financial institution and its ICT supplier must be documented in one single written document containing all parties’ rights and obligations (in practice, this is a package comprised of the main agreement and a number of annexes such as the service level agreements, SLAs).

This requirement may impact the current market practice to refer to SLAs or DPAs through hyperlinks to one party’s website. From both a compliance and legal certainty standpoint, it is preferable that such SLAs and DPAs be included in the signed contract package, as they contain rights and obligations.

Overlapping requirements

The EBA Outsourcing Guidelines and CSSF Circular 22/806 continue to apply to outsourced ICT services and contain several more stringent requirements than DORA.

Often, the ICT contracts and the related subcontracting arrangements will also have to comply with GDPR requirements, and with the newest EDPB Opinion 22/2024 of 7 October 2024 on certain obligations following from the reliance on processor(s) and sub-processor(s).

It is therefore essential that DORA-specific amendments are made in a coherent manner and do not contravene past or current compliance efforts.

Main challenges

Financial institutions have indicated that renegotiating such material contracts with their ICT suppliers within a short time frame is particularly challenging. DORA does not make any distinction between new and existing contracts, so all contracts must comply by 17 January 2025.

Furthermore, financial institutions often depend on their group for internal coordination or other purposes, which can create delays in the overall compliance process.

Feel free to reach out to , and --experts in ICT contract law at --for further assistance.

This promotional article was written by NautaDutilh Avocats Luxembourg as part of the company’s membership with the Paperjam Club. If you wish to become a member of the Club, contact us at .