Question ID: DORA117 - 3153
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Oversight framework of CTPPs (DORA)
Article: 30(4)
Status: Rejected
Date of submission: 16 Sep 2024
Question
Which public authorities are responsible for producing the mentioned standard contractual clauses? In the case that it is not the ESAs or individual Lead Overseer, are the Joint Committee/ the individual ESAs going to publish guidelines on what these standard clauses should entail (stretching further than the minimum standards set in Art. 30 section 2 and 3.)? Should it be the case that the ESAs are in fact the authorities addressed in Art. 30 section 4, where might one find these clauses and in the case that they are yet to be produced/ published, when might they be made available to the public?
Background of the question
This questions stems from a general interest in DORA and its effects on future contracts between ICT service providers and financial entities.
EIOPA answer
The question has been rejected because it is out of the scope of this Q&A process.
(For information only, it is noted that the European Commission is working on the development of standardised contractual clauses for cloud services (SCCs)[1] in the context of Article 41 of the Data Act[2], the regulation aiming at promoting exchange and use of data within the Union. Although not specifically developed to ensure compliance with DORA, the SCCs are expected to be a useful tool to be considered by the market, including in the context of DORA compliance. The SCCs will cover areas such as data portability, exit strategy, security, business continuity, termination, amendments to the contractual arrangements to mitigate the risks of unilateral amendments and liability. The SCCs should be published before 12 September 2025.
[1] Data Act: EU Commission to provide contractual guidance
[2] eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068)