The negotiating impacts of the DORA Regulation


By providing a range of tools to manage risks linked to cyber incidents, as well as measures to prevent and mitigate them, the DORA Regulation aims to ensure the security of digital technologies used by entities in the financial sector.

This Regulation sits within a complex regulatory framework designed to align with the cybersecurity strategies adopted by the Member States, with the aim of strengthening the resilience of the European Union's financial sector, including through the ICT service providers on which it depends. At the European level, therefore, specific obligations and preventive measures are established which also affect the contractual clauses between ICT service providers and financial entities, influencing business operations, negotiation dynamics, and the rights and obligations of the parties to the contractual relationship.


DORA Regulation

Adopted with the aim of achieving a high and uniform level of digital operational resilience, Regulation (EU) 2022/2554, known as the “Digital Operational Resilience Act” (DORA Regulation), represents the European response to the emerging cybersecurity challenges of the financial sector, a sector that has always been fundamental to the stability of political and social systems.

The scope of application of this regulatory framework is set out in Article 2, paragraph 2, which lists “Financial Entities,” such as credit institutions, investment firms and funds, and providers of crypto-asset services. Pursuant to Article 2(1)(u), the Regulation also applies to “third-party ICT service providers,” meaning entities that provide “digital and data services delivered through ICT systems to one or more internal or external users on a continuous basis […]” (Article 3(1)(21)).


The approaches

The approach adopted by DORA is based on risk management, establishing a variety of tools designed to achieve digital security objectives, such as penetration testing, source code review, and network security assessments. More specifically, financial entities are required to subject their ICT solutions to digital operational resilience testing, to be carried out at least annually by independent parties. They are also required to implement systems and tools in line with the highest security standards, in order to monitor ICT use, respond swiftly to anomalies, manage incidents related to ICT use, and activate plans capable of preventing further damage (Articles 10 and 11).

The innovative impact of this European intervention lies in its explicit recognition that financial entities cannot rely solely on in-house technological solutions, thus placing external service providers at the core of ensuring business continuity. External parties carrying out such tests must meet specific requirements, including a high degree of reputation and proven, certified expertise in risk management (Article 27).


Obligations and responsibilities

The obligations and responsibilities stemming from DORA are not limited to technical or operational aspects but also extend to the contractual negotiation and drafting phase between the parties concerned.

Indeed, Article 30 specifies the minimum clauses that must be included in contracts between ICT service providers and financial entities, such as a clear and comprehensive description of data security management (including personal data) and service levels. Furthermore, third-party ICT service providers are required to provide financial entities with assistance, either free of charge or at a pre-agreed cost, in the event of an ICT service-related incident. Equally relevant are the obligations to monitor the performance of ICT service providers, to establish measures, tools, and policies ensuring the security of ICT provision, and to participate in ICT security awareness programmes.

Complementing these stringent contractual obligations applicable to industry operators, Regulation (EU) 2024/1773 was adopted, setting out the policies that DORA-subject entities must follow in their use of ICT. Specifically, under Article 8 of that Regulation, financial entities are entitled to obtain information and to conduct inspections, tests, and audits of ICT solutions (whether through internal or external actors, provided they offer sufficient guarantees of independence), while retaining discretion to adopt any further measures they deem necessary.

The Italian legislator has also intervened with Legislative Decree No. 23/2025, which, by amending previous legislative frameworks (such as the TUF and TUB), introduced substantial administrative fines for all DORA-subject entities that breach its provisions. Notably, Article 144(8-bis)(a) of the amended TUB provides that banks and financial intermediaries may face fines starting at €30,000 and up to 10% of turnover, while under subparagraph (b) of the same provision, payment institutions and electronic money institutions may be fined between €30,000 and €5 million, or up to 10% of turnover if higher. The same penalties apply symmetrically to their respective ICT service providers. Finally, Article 144-ter of the TUB stipulates that, where there is a violation “…of the duties of one’s office or body, and the conduct has significantly impacted the overall organisation or risk profile of the company, or contributed to non-compliance by the company,” fines ranging from €5,000 to €5 million may be imposed on “persons performing management, supervisory or control functions, as well as staff.”


Conclusions on DORA

In conclusion, DORA, as lex specialis to the NIS 2 Directive, is situated within an extremely complex regulatory landscape aimed at “ensuring coherence with the cybersecurity strategies adopted by the Member States” (Recital 16), complementing the post-2008 national reforms designed to strengthen the EU’s financial sector digital resilience. At the same time, the Regulation profoundly reshapes the existing legal framework by recognising the essential role of ICT services in the financial sector, whose high level of interconnection “may pose a potential systemic vulnerability, as localised cyber incidents could rapidly spread” (Recital 3). This shift in perspective can be clearly seen at the European level in the detailed preventive obligations and safeguards, which extend even to contractual clauses between ICT service providers and financial entities, influencing negotiation dynamics as well as the rights and duties of the contracting parties.



The authors

Federica Lucrezia Romeo, graduated in Law from La Sapienza University in Rome with a thesis in criminal law entitled “Risk nexus and interruption of the causal relationship in the most recent jurisprudential developments,” which earned her an internship at the Public Prosecutor’s Office in Frosinone. Previously, she worked as a lawyer and currently holds the position of Legal Specialist at Telsy.

Erica Onorati graduated in Law from LUISS Guido Carli University in Rome with a thesis in civil law entitled “The renegotiation clauses,” focusing on the analysis and applicability of renegotiation in contractual matters. She then obtained an Executive Master’s Degree in Cybersecurity and Data Protection from the Il Sole 24 Ore Business School, focusing on the analysis of strategies to protect corporate assets and prevent cyber risks. Specializing in civil law, she has delved into topics related to contractual and non-contractual liability and to corporate and commercial law. After several experiences as a corporate lawyer in the legal departments of companies, she currently holds the position of Legal Supervisor at Telsy, with a focus on the management of corporate contracts, legal advice to the business lines involved in the various areas of corporate operations, extraordinary transactions, and corporate secretarial work.

Niccolò Francesco Terracciano, a law student at LUISS Guido Carli University in Rome, has gained experience in non-profit associations, where he had the opportunity to deepen his knowledge of commercial law and business consulting. He currently holds the position of Legal Specialist at Telsy, where he is applying in a corporate setting the theoretical knowledge of civil, corporate and new technology law acquired during his studies.