DORA Ch. V Sec. I Art. 30 2.

1. Overview

2. The contractual arrangements on the use of ICT services shall include at least the following elements:

  • (a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
  • (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
  • (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
  • (d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
  • (e) service level descriptions, including updates and revisions thereof;
  • (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
  • (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
  • (h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
  • (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).
2. Identified Requirements

Requirements (Source Requirement): none listed on this page.

3. Related Standards

Standards (each entry gives the NOREA standard and the source requirement it maps to):

  • NOREA Termination Rights and Conditions
    Source Requirement: Define explicit termination rights including significant breaches of laws, regulations, or contract terms, material changes in third-party risks, demonstrated ICT weaknesses, and regulator oversight constraints. Set provisions for ensuring access, recovery, and return of data in an easily accessible format in cases of termination, insolvency, resolution, or discontinuation of the service provider's business operations.
  • NOREA Service Level Management
    Source Requirement: Define clear and measurable service level descriptions outlining expected performance and quality standards. Ensure that the service provider provides a comprehensive description of all functions and ICT services that are offered, including any sub-contracting arrangements. Establish arrangements ensuring appropriate levels of data protection in line with regulatory requirements.
  • NOREA Service Locations and Data Processing
    Source Requirement: Specify service locations and data processing sites. Require timely notification of any intended changes to these locations.
  • NOREA Cooperation in Incident Response
    Source Requirement: Oblige the ICT third-party service provider to fully cooperate with the regulator and provide necessary assistance in the event of an incident related to the provided service.
  • NOREA Participation in Security Awareness Programs
    Source Requirement: Specify conditions for the participation of the service provider in security awareness and resilience programs/trainings.