SaaS Agreements – DORA – ICT Supplier Obligations

SaaS suppliers' obligations under the Digital Operational Resilience Act ("DORA"), Regulation (EU) 2022/2554 on digital operational resilience for the EU financial sector, apply from 17 January 2025. From that date, the contractual provisions required by DORA must be included in contracts between financial entities subject to DORA and their third-party providers of ICT services. Because SaaS suppliers provide digital and data services on an ongoing basis, they are third-party providers of ICT services whenever their SaaS customers are regulated by DORA. Both the SaaS customer and the SaaS supplier must comply with the obligations DORA places on them.

Which entities does DORA apply to?

DORA applies directly to:

  • Financial entities regulated by DORA, which includes any SaaS customers that are financial entities; and
  • ICT third-party service providers that the European Supervisory Authorities designate as "critical" under Article 31 of DORA, which brings them within the DORA oversight framework.

DORA applies indirectly to every other SaaS supplier that provides ICT services to a DORA-regulated SaaS customer: the customer must include certain mandatory provisions in the SaaS agreement in order to comply with its own DORA obligations, and the supplier is then bound by those provisions as a matter of contract. Whether a service supports a "critical or important function" of the customer (a separate concept from designation as a critical ICT third-party provider) determines which set of mandatory provisions applies.

Does DORA only apply to EU entities?

DORA applies to:

  • Financial entities located in the EU, including financial services SaaS customers;
  • Group entities within the scope of DORA, wherever the contracting party sits: where a non-EU parent company enters into a global or master services agreement with a SaaS supplier for the provision of ICT services to EU group entities regulated by DORA, the DORA contractual provisions must be included in that agreement.

Penalties for breaches of DORA

DORA does not itself fix the level of fines for financial entities. Article 50 requires each Member State to lay down administrative penalties and remedial measures for breaches, so the amounts, and whether members of the management body can be fined personally, depend on the national law of the supervising authority. For ICT third-party service providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months, under Article 35 of DORA.

Mandatory contractual terms

Article 30 of DORA sets out the mandatory contractual provisions that must be included in any SaaS agreement with a SaaS supplier who provides ICT services to a DORA-regulated SaaS customer. Article 30(2) applies to all such agreements; Article 30(3) adds further provisions where the ICT services support a critical or important function of the customer.

For all SaaS suppliers

Article 30(2)(a) – (i) of DORA sets out the provisions applicable to all SaaS suppliers. These include:

  • A clear and complete description of the ICT services, stating whether sub-contracting of services supporting critical or important functions is permitted and on what conditions;
  • The locations where the services are provided and where data is processed and stored, with an obligation to give advance notice of any change;
  • Provisions on the availability, authenticity, integrity and confidentiality of data, including personal data;
  • Access to, recovery and return of the SaaS customer's data on the supplier's insolvency, resolution or discontinuation of business, or on termination of the agreement;
  • Service level descriptions;
  • Assistance if an ICT incident related to the service occurs, either at no additional cost or at a cost agreed in advance;
  • An obligation to co-operate fully with the SaaS customer's competent authorities and resolution authorities;
  • Specific termination rights and minimum notice periods;
  • An obligation to participate in the SaaS customer's ICT security awareness programmes and digital operational resilience training.

For SaaS suppliers providing ICT services that support "critical" or "important" functions

Article 30(3)(a) – (f) of DORA sets out the additional provisions applicable where the ICT services support a critical or important function of the SaaS customer. These include:

  • Full service level descriptions, with quantitative and qualitative performance targets and remedies if they are not met;
  • Notice periods and reporting obligations, including notification of developments that may materially affect the supplier's ability to deliver the service;
  • Implementation and testing of business contingency plans, and ICT security measures appropriate to the customer's regulatory requirements;
  • Participation in the SaaS customer's threat-led penetration testing (TLPT);
  • The customer's right to monitor the supplier's performance on an ongoing basis, including unrestricted rights of access, inspection and audit for the customer and its competent authorities, with an agreed audit scope and frequency;
  • Comprehensive, documented and tested exit arrangements, including a mandatory adequate transition period and the provision of transitional and migration services.

How to assess DORA compliance

If you are a SaaS supplier who provides ICT services to any financial services SaaS customers regulated by DORA, you need to:

  • Review your existing customer base to identify the financial services SaaS customers you provide ICT services to who are regulated by DORA;
  • Identify whether or not the services you provide to those SaaS customers support any of their "critical" or "important" functions;
  • Amend the terms of your existing SaaS agreements with those SaaS customers to include the Article 30(2) provisions, and the additional Article 30(3) provisions where your services support a critical or important function; and
  • When a SaaS customer asks you to add DORA amendments to a SaaS agreement, check that the new obligations are limited to the mandatory requirements for a third-party provider of ICT services set out in Article 30 of DORA, and that Article 30(3) terms are only imposed where your services actually support a critical or important function.

Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:

irene.bodle@bodlelaw.com

www.bodlelaw.com
