Using third parties to provide ICT services to financial institutions is a well known practice to the point that the financial sector as a whole has become largely dependent on ICT third-party service providers. This of course is not without its risks. DORA therefore aims to mitigate this ICT third-party risk by introducing specific powers for financial supervisors, governing the contractual relationship between financial institutions and ICT third-party providers and establishing an oversight framework for so-called critical ICT third-party providers. This article, which is the fifth in our series introducing the proposal for DORA, provides you with a closer look at some of these regulatory measures.
DORA primarily mandates that financial entities have to monitor any risk arising through third-party providers. In this matter, financial institutions must assess whether they plan to enter into contractual relationships with an ICT third-party service provider which is not easily substitutable and, as such, the so-called vendor lock-in is likely to occur; or whether they already have multiple contractual arrangements in relation to the provision of ICT services with the same ICT third-party service provider. In other words, DORA obliges financial institutions to be aware of possible dependency issues on single (or closely connected) ICT provider(s).
Similarly to another well known European regulation - GDPR, which in its article 28 governs the contractual relationship between controller and processor, DORA introduces obligatory provisions that have to be present in any contract concluded between a financial institution and an ICT third-party provider. These provisions enable the financial institution to have control over important aspects of the contractual relationship. To name a few, the contract must contain provisions describing all the functions and services provided, provisions on accessibility, availability, integrity, security and protection of data, rights of access, clear exit strategies and so on. A significant part of these provisions can serve as a measure to reduce the occurrence of already mentioned vendor lock-in. Their mandatory use could thus undoubtedly be described as positive progress in this area.
DORA also introduces a complex supervisory approach to the ICT third-party risk in the financial sector. ICT third-party service providers that are deemed critical, will be subject to the EU oversight framework and will be closely regulated by the ESAs designated as so-called Lead Overseers. This oversight framework is built on and will coexist with other forms of supervision already existing in the EU (notably Directive (EU) 2016/1148 focused on cloud computing services). The Lead Overseer will have substantial powers over critical ICT third-party service providers, such as the power to conduct investigations, the right to access all relevant premises and so on.
Although, in general, financial institutions still may very well choose with which ICT third-party service provider it will enter into a contractual relationship, there are some limitations, most notably when considering the ICT third-party service providers established in third countries. A financial institution cannot use an ICT third-party service provider
established in a third country that would be designated as critical if it were established in the EU. According to DORA, contractual freedom is here limited in favour of securing overall financial stability.
DORA does not try to completely eliminate the dependency of the financial sector on ICT third-party providers. Nevertheless, if successful, DORA will put financial entities more in control of their contractual relationships with ICT third-party providers, which could in the end benefit the clients as well.
Jan Svoboda
PwC Legal