DORA Ch. V Sec. I Art. 28 7.

1. Overview
DORA Chapter V, Section I, Article 28(7):
7. Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances:
- (a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
- (b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;
- (c) ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data;
- (d) where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source | Requirement |
| --- | --- |
3. Related Standards
Standards
| Source | Requirement |
| --- | --- |
| NOREA | Termination Rights and Conditions: Define explicit termination rights covering significant breaches of laws, regulations or contract terms, material changes in third-party risk, evidenced ICT weaknesses, and constraints on regulatory oversight. Set provisions ensuring access to, recovery of and return of data in an easily accessible format in cases of termination, insolvency, resolution or discontinuation of the service provider's business operations. |
| NOREA | Service Level Management: Define clear and measurable service level descriptions outlining expected performance and quality standards. Ensure that the service provider gives a comprehensive description of all functions and ICT services offered, including any sub-contracting arrangements. Establish arrangements ensuring appropriate levels of data protection in line with regulatory requirements. |
| NOREA | Service Locations and Data Processing: Specify service locations and data processing sites. Require timely notification of any intended changes to these locations. |
| NOREA | Cooperation in Incident Response: Oblige the ICT third-party service provider to cooperate fully with the regulator and provide the necessary assistance in the event of an incident related to the provided service. |
| NOREA | Participation in Security Awareness Programs: Specify conditions for the service provider's participation in security awareness and resilience programmes and trainings. |