DORA Ch. V Sec. I Art. 30 3.
1. Overview
3. The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:
- (a) full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
- (b) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
- (c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
- (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27;
- (e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:
  - (i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
  - (ii) the right to agree on alternative assurance levels if other clients’ rights are affected;
  - (iii) the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
  - (iv) the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
- (f) exit strategies, in particular the establishment of a mandatory adequate transition period:
  - (i) during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;
  - (ii) allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.
2. Identified Requirements
Requirements
| Source | Requirement |
|---|---|
3. Related Standards
Standards
| Source | Requirement |
|---|---|
| NOREA | (Critical) Service Level Management: Ensure the contract with ICT third-party service provider delivering critical or important services encompasses comprehensive service level descriptions, including updates and detailed reporting (both quantitative and qualitative). Evaluate the service provider's compliance with performance and quality standards by reviewing reports on activities and services, incident reports, security and business continuity measures, and testing. Assess performance using key performance indicators, key control indicators, audits, self-certifications, and independent reviews. Receive relevant information from the service provider regarding their activities and services and ensure timely notification and response to incidents. Conduct independent reviews and compliance audits with legal and regulatory requirements and policies. Specify notification periods for any material changes that may impact the entity or agreed service levels. |
| NOREA | Contractual Clauses: Secure rights for continuous performance monitoring, including unrestricted rights to access, inspection, and audit. This encompasses alternative assurance levels, cooperation with regulator inspections, and full disclosure of audit scope, procedures, and frequency. Include a mandatory transition period upon termination, allowing the service provider to continue services during migration, affording the entity time to transition to another provider or in-house solutions based on service complexity. Mandate the implementation and testing of business contingency plans and the establishment of a security management system by the service provider. When negotiating contractual arrangements, consider the use of standard contractual clauses developed by public authorities for specific services. Require the service provider's participation in the entity's (advanced) testing program (TLPT), where required. Where participation of an ICT third-party service provider in TLPT may adversely impact services or data confidentiality for customers outside the scope of DORA, it may be agreed in writing to perform a pooled TLPT. |
| NOREA | Third-party Critical Subcontracting Management: Delineate critical and important ICT services in contracts with third-party ICT service providers, specifying conditions for subcontracting. Require continual monitoring of subcontracted services supporting critical functions to ensure compliance with contractual obligations. Detail monitoring and reporting responsibilities of the third-party service provider to the financial entity, including risk assessments related to subcontractor locations and data ownership. Mandate incident response and business continuity plans for subcontractors, along with adherence to specified service levels and security standards. Retain termination rights for the financial entity in cases of unauthorized subcontracting or failure to meet agreed-upon service levels. Implement changes relative to contractual agreements as soon as possible and document the planned timeline for the implementation. |