A number of the contractual requirements set out in DORA and the RTSs are consistent with the outsourcing guidelines and the ICT security risk management guidelines issued by EBA, ESMA and/or EIOPA (Existing Requirements). However, DORA builds on these and differs in a number of important respects, including:
Financial entities that have already achieved, or are on the path to achieving, compliance with the Existing Requirements will have less work to do to meet the new DORA contractual requirements, but action will still be required.
DORA also contains a special oversight mechanism for those ICT service providers designated as critical. This runs in parallel with similar developments in the UK through the proposed Critical Third Parties regime.
Financial entities need to conduct a review exercise to identify the extent of compliance with the new DORA contractual requirements and develop a plan to ensure compliance is achieved in both existing and new ICT service contracts.
Typical activities include:
‘Time is of the essence’. The RTSs are due to be finalised by 17 July 2024, and the contractual requirements must be met by 17 January 2025.
Our multidisciplinary team of commercial lawyers and paralegals, TPRM specialists and technologists has the expertise and experience to help clients meet the challenge of DORA contractual compliance. We have significant experience of working alongside our clients on similar compliance journeys, using a technology-enabled discovery and contract remediation model that has evolved through supporting many clients. We often work as a strategic partner, either on certain aspects or from end to end.
Contact us today to find out how we can help you.
Raj Chavda
Senior Manager, Legal Business Solutions, PwC United Kingdom
Tel: +44 (0)7483 387500