DORA Article 30(2)-(3) outlines the minimum elements that must be included in any contractual arrangements on the use of ICT services:

• Description of functions and services (including an indication whether subcontracting is permitted).
• The location where functions and services are provided and where data is processed.
• Provisions around data protection.
• Provisions ensuring data access and recovery.
• Service level descriptions.
• An obligation to provide assistance in the case of an ICT incident connected to the service being provided.
• An obligation to cooperate with the relevant regulator.
• Termination rights and notice periods.
  In the case of critical or important services being outsourced the contractual arrangements above must also be supplemented with:
  • measurable performance targets;
  • reporting obligations;
  • adequate business contingency and security measures;
  • an obligation to cooperate in penetration testing;
  • the right to monitor performance (including unrestricted access); and
  • exit strategies.

The policy needs to specify that the contractual arrangements must include:

• information access;
• inspection;
• audit; and
• ICT testing rights.

The final responsibility for inspection, audit and testing rests with the financial entity who can employ the following in order to carry these out:

• Internal audit function;
• Appointed third party;
• Pooled audits and ICT testing where appropriate;
• Third party certification;
• Third party or internal audit reports made available by the ICT third-party service provider

The financial entity cannot only rely on third party certification or reports supplied by the ICT third-party service provider and these can only be used if the financial entity:

• Is satisfied with the ICT providers audit plan;
• Ensures that they cover all key systems and controls required to ensure compliance;
• Thoroughly assesses their content on an ongoing basis and ensure that they remain up to date;
• Ensures that key systems and controls are covered in any future versions;
• Is satisfied with the aptitude of the certifying or auditing party;
• Is satisfied that they:
  • Are performed consistently with widely recognized relevant professional standards;
  • Include a test of the operational effectiveness of key controls in place; and
  • Has reserved the right to expand their scope.
• Retains the right to perform individual and pooled audits at its discretion.

Any material changes to these arrangements must be:

• Made in writing;
• Dated; and
• Signed.

By all parties