[Elisabeth Marrache - Partner, IP/IT and Data protection at Addleshaw Goddard] DORA highlights the necessity of managing relationships with third parties to ensure digital resilience for financial institutions. One of the key requirements under this regulation is to formally outline ICT-related risks in contracts.
The contracts must in particular include provisions on availability, authenticity, integrity, and confidentiality of data, including personal data. Additional provisions must also be provided in contracts covering critical or important functions. In practice, we find that clients have mostly adopted a risk-based approach, focusing on dealing with their key in-scope ICT service providers. However, this analysis is no walk in the park, mainly because DORA requires financial institutions to verify that their ICT third-party service providers meet specific information security standards - a requirement that could be particularly burdensome for some smaller ICT service providers. Thus, collaboration among all stakeholders involved in the process, not just the legal teams, becomes necessary in order to offer pragmatic and tailored solutions that meet each party's concerns and requirements.
[Erwan Brouder: Deputy head of cyber-security business unit at Sopra Steria] To operationalize DORA, banks and subcontractors must move beyond compliance and turn contract terms into actionable realities. Clear agreements on resilience standards must be defined upfront. Both banks and subcontractors need to engage in regular crisis management exercises to test response strategies, identify gaps, and refine their coordinated actions. Although banks are now mostly focused on reviewing contracts with their critical subcontractors, they must recognize that all ICT suppliers are included in DORA's scope.
Banks can then play a vital role by providing clear guidelines on resilience, offering frameworks, tools, and best practices that help subcontractors meet DORA's stringent requirements. Moving hand in hand is in the best interest of both parties, as it enables shared expertise and resources, ensuring a robust, compliant and secure operational environment for all. This is our vision at Sopra Steria, and something we promote with our clients and their ecosystem of suppliers.