
DORA Defines ICT Services and Outsourcing Arrangements


DORA defines ICT services and introduces new forms for ICT third-party arrangements and ICT outsourcing arrangements. The new forms aim to harmonize and standardize practices in the financial services sector.


The Digital Operational Resilience Act (DORA) aims to strengthen the digital resilience of the financial sector in the European Union. A key element of DORA is the definition of "ICT services" (Information and Communication Technologies) and the establishment of new standards for agreements with third-party ICT providers and outsourcing agreements.

Definition of ICT Services

According to DORA, ICT services are broadly defined to cover all digital and data services used by financial institutions. This definition includes, among other things, cloud computing services, software, data analytics, and cybersecurity services. The regulation recognizes that financial institutions are increasingly dependent on these services for their operations and, therefore, it is important to ensure their resilience and security.

New Forms for ICT Agreements

DORA introduces new requirements for agreements between financial institutions and third-party ICT providers. These requirements aim to ensure that agreements are clear, comprehensive, and protect the interests of financial institutions and their customers. Specifically, DORA requires financial institutions to:

- Conduct thorough due diligence of third-party ICT providers before entering into an agreement.
- Set clear security and resilience requirements in the agreements.
- Monitor the performance of third-party ICT providers on an ongoing basis.
- Have contingency plans to address potential disruptions in ICT services.

In addition, DORA introduces a new category of third-party ICT providers that are classified as "critical." These providers are subject to stricter supervision by European supervisory authorities.

ICT Outsourcing Agreements

DORA also extends the requirements for ICT outsourcing agreements. Financial institutions must ensure that outsourcing agreements comply with DORA requirements and that they have adequate controls to manage the risks associated with outsourcing.

Implications for the Financial Sector

DORA has significant implications for the financial sector. Financial institutions need to review their existing ICT agreements and outsourcing agreements to ensure compliance with DORA requirements. In addition, they need to strengthen their ICT risk management processes and improve the supervision of third-party ICT providers.

In Conclusion

The DORA regulation is an important step towards strengthening the digital resilience of the financial sector in the European Union. The definition of ICT services and the new forms for ICT agreements will help ensure that financial institutions are better prepared to address digital risks and protect the interests of their customers.
