- Jacob George Naur
- #compliance, #cybersecurity, #DORA, #GDPR, #ISMS, #ISO27001, #itriskmanagement, #NIS2
The IT contract began, as is widely recognised, in the 90s as a means of describing the delivery of services that the responsible parties had little experience with or technical insight into. The first IT contracts were therefore extensive, wordy and difficult to negotiate into place.
Then came the cloud wave. The IT contract narrowed down to describing the price and perhaps the service level in addition to the usual disclaimers. With the exception of hosting agreements, even the description of the service level eventually slipped out.
Now, however, the purchasing departments are at a new crossroads. The IT contract must contain a number of Foreign Terms. The terms can be said to be foreign because the purchasing organization itself has no interest in setting them: they are often expensive and, as a rule, do not provide better functionality. Finally, the Foreign Terms are rarely negotiable.
The Foreign Terms come mainly, but not exclusively, from GDPR, NIS 2 (October 18, 2024) and DORA (January 17, 2025).
The IT contract has become the extended arm of the EU. Today, for example, under the GDPR you may only purchase IT services that process personal data if the IT contract, in addition to the price, contains terms obliging the IT supplier to help ensure that the data subjects can enforce their rights to deletion, data portability etc. In addition, the IT contract must give the authorities the ability to inspect the IT supplier. Finally, the organization is obliged to set conditions regarding the IT security level in the IT contract, so that the organization can, through the IT contract, meet the requirement to set IT security at an appropriate level. As you know, the Foreign Terms mentioned here are collected in the data processing agreement.
With NIS 2 and DORA in particular, several Foreign Terms must be included in the IT contract, which effectively means in the IT contract's appendix, which is also typically where you find the data processing agreement. The content of the IT contract is thus less and less an expression of the parties' negotiation on the basis of traditional commercial and operational needs. To a greater extent, the IT contract instead reflects the authorities' requirements for IT use according to 1) which processing is to take place, 2) of which data, 3) where the processing is to take place, 4) which organization outsources and 5) to whom.
This development is happening at a time when, as mentioned, buyers and IT suppliers are used to the IT contract being reduced to a minimum. In the case of SaaS solutions in particular, the IT contracts are in practice not negotiated on anything other than price, if they are negotiated at all.
The IT contract, with its increasing number of Foreign Terms, will resemble more and more a building permit than a classic agreement between two independent parties. As you know, building permits are only issued if the building project, which the client has drawn up, takes into account the building regulations' requirements for, for example, access conditions, waste water, parking, etc.
When the relevant Foreign Terms have been added to the IT contract's annex, and the different sets of rules such as GDPR, NIS 2, DORA etc. have been taken into account, the IT contract can be "issued" as a kind of permission. However, the IT contract is not issued by the municipality, but by the compliance function of the purchasing organisation, regardless of how the compliance function may otherwise be concretely placed in, for example, IT, Law or Information Security.
The idea is then that the authorities can supervise
- the content of the self-issued licence (does the IT contract have the right Foreign Terms?) as well as
- the purchasing organization's control of whether the IT supplier actually complies with the Foreign Terms.
- If there are deficiencies in the first part of the process (the IT contract does not have the correct Foreign Terms) or the second part of the process (the supplier's compliance with the Foreign Terms is not monitored), the natural next step for the authorities is to supervise whether the purchasing organisation's procurement process is working as it should (whether you have the right written procedures).
The Danish Agency for Digitalisation has for years provided guidance on including information security in IT contracts. What is new is that GDPR, and especially NIS 2 and DORA, make the inclusion of information security in IT contracts mandatory by law in the form of Foreign Terms. Many private companies in particular have not necessarily had enough focus on this in the past.
Over time, there has been plenty of focus on the GDPR and the requirements therein that organizations acting as data controllers must comply with.
The data controllers must therefore generally, among other things:
- comply with the principles for the processing of personal data (Article 5),
- risk-assess the processing in relation to the impact on the rights of data subjects and implement appropriate security measures (Articles 24 and 32),
- implement data protection by design and by default (Article 25), enter into data processing agreements (Article 28) as well as
- in the event of a high risk for the data subjects, carry out impact assessments (Article 35).
However, there has been significantly less focus on how the work of complying with the requirements is linked to the organisation's various activities. Overall, it is fair to conclude that management's governance of information security (ISMS) ends up to a large extent in the IT contracts with especially, but not exclusively, cloud and SaaS suppliers. This is obviously not the case where the organization has all or parts of its IT environment in its own machine rooms in the basement.
It is thus difficult to comply with the requirement to prepare GDPR risk assessments and implement appropriate security measures without involving the IT supplier through the IT contract. The Foreign Terms must appear in the data processing agreement, which must therefore contain the security measures that are the result of the organisation's GDPR risk assessments.
In fact, it has happened in several places that the connection between the compliance efforts and the generated Foreign Terms for the IT contract has unexpectedly and inconveniently appeared down in Procurement as an afterthought. In many places, the parts of the organization that assess, decide and formulate security requirements are simply not connected to the procurement process.
NIS 2 requires that the network and information systems of NIS 2 entities are protected against cyber attacks.
The board of directors and the executive board ("management bodies") of entities covered by NIS 2 must, among other things, but most significantly (articles 20 and 21),
- identify cyber security risks to the network and information systems that the entity uses for its operations or to provide its services;
- assess the methods for managing cyber security risks,
- approve mitigation measures (and secure funding thereof) and
- oversee that the mitigating measures are carried out by the rest of the organisation.
In addition, the members of the management bodies are personally responsible for NIS 2 compliance and may be fined depending on whether the violation was committed intentionally or negligently (articles 32 and 33).
The management body must also be able to delegate its NIS 2 duties within some agreed framework down to a working committee or an operating organisation. At the same time, however, it must be assumed that the management body remains fully responsible for compliance, cf. the general principle of responsibility: the work, including investigation of the facts of the case and recommendations based on it, can be left to others, but not the responsibility, including in particular the decisions based on those recommendations.
Finally, the management bodies must ensure that the appropriate NIS 2 authority is notified without undue delay of any incident that has a significant impact on the provision of services, for example the provision of water, heat, etc. depending on the sector and, depending on the circumstances, ensure that the recipients of the service also receive notification of this, for example water consumers (Article 23).
Again, one must conclude that it is extremely difficult to comply with the requirement that management must manage security, ensure incident notification, etc., if the relevant Foreign Terms have not been included in the IT contracts.
It is therefore also not difficult to understand that the EU legislator with NIS 2 regulates procurement and contract management to a certain extent. NIS 2 thus imposes a requirement on supply chain security, which must be observed when IT contracts are entered into (Article 21, subsection 2):
"The measures referred to in paragraph 1 [which must provide a level of security in network and information systems commensurate with the risks] shall be based on an all-hazards approach and aimed at protecting network and information systems and the physical environment of those systems against incidents, and shall include at least the following:
d) supply chain security, including security-related aspects relating to the relationship between the individual entity and its direct suppliers or service providers"
NIS 2 expands a bit on what the requirement for supply chain security contains (Article 21, paragraph 3):
"3. Member States shall ensure that the entities, when considering which measures referred to in paragraph 2(d) of this Article [supply chain security requirement] are appropriate, take into account the vulnerabilities specific to each direct supplier and service provider and the general quality of their suppliers' and service providers' products and cyber security practices, including their secure development procedures. Member States shall also ensure that the entities, when considering which measures referred to in that point are appropriate, are obliged to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1)."
Supply chain security thus implies not least that the entities covered by NIS 2 must map the concrete vulnerabilities of a given direct supplier or service provider as well as map the same supplier or service provider's general product quality and cyber security practices with the aim of mitigating any risks discovered.
Such a mitigating effort probably cannot take place without introducing well-considered Foreign Terms into the IT contract. In other words, the IT management-related decisions here also flow down to the management of the suppliers through the IT contract in the form of Foreign Terms.
The reference to the "coordinated security risk assessments" in the quote above implies that, in principle, the Foreign Terms of the IT contracts must take into account the results of a kind of EU supervision of the IT suppliers.
NIS 2 provides that "coordinated security risk assessments" of "specific critical ICT services, systems or product supply chains" may be carried out (Article 22, paragraph 1).
The Commission thus identifies the specific critical ICT services, systems or products that may be subject to the coordinated security risk assessment (Article 22(2)). Such coordinated security risk assessments, modeled on the EU's handling of the establishment of the 5G network, must, among other things, identify measures, mitigation plans and best practices that can mitigate the consequences of critical dependencies, as well as examine how NIS 2 entities can be encouraged to introduce these measures, mitigation plans and best practices.
Overall, supply chain security can be said to contain at least the following three supervisory activities, which, after a risk assessment, must be carried out at appropriate intervals:
- assessment of the direct IT supplier,
- assessment of the IT supplier's products or services, as well as
- examination of whether the EU, through its coordinated risk assessments, has restricted the use of this particular product or service.
Again, it is easy to see how the IT contract stands as an absolutely crucial element that must ensure compliance with the duty to ensure supply chain security.
DORA is a regulation that is in many ways similar to NIS 2. This applies not least as the purpose of DORA is to "consolidate and upgrade the requirements for ICT risk as part of the requirements for operational risk, which have so far been dealt with separately in various EU legal acts." (recital 12). General information about DORA can be found quite easily, so the content of DORA does not need to be described here.
However, it can reasonably be stated that DORA means that the approx. 22,000 financial entities in the EU which must comply with DORA from 17 January 2025 will have ample opportunity to ensure that the correct Foreign Terms are included in the IT contract.
DORA must be understood as a waterfall with several vessels under one another, where the Foreign Terms are an end product of the organization having complied with the overlying, broader requirements for the organization's management of the ICT risk.
Thus, at the top level of DORA we find the general requirement that financial entities must put in place a robust, comprehensive and well-documented framework for ICT risk management that enables them "to handle the ICT risk quickly, efficiently and adequately, and which ensures a high level of digital operational resilience" (Article 6, paragraph 1).
However, the framework for ICT risk management is only the top level in DORA; there is a level above DORA. ICT risk management is just an offshoot of the financial entities' overall risk management, including the financial risk management, which is also regulated.
If we follow the flow downwards from the ICT risk management framework, we naturally end up in the IT contracts. DORA does not hold back here. DORA takes a very hands-on approach and regulates the entire IT procurement process (articles 28 – 30).
It is worth noting here that in DORA's system, IT contracts are so-called contractual arrangements, which must primarily contribute to managing the ICT third-party risk. The Foreign Terms, in other words, play first violin here. All IT contracts must therefore include, among other things, the elements that appear in Article 30, paragraph 2 and, in the case of IT contracts that support critical or important functions, also paragraph 3. If you have not already complied with the higher, broader requirements set by DORA, you cannot formulate the Foreign Terms in your IT contracts at all, as you must according to articles 28 – 30.
It is not enough that the financial entities must ensure that the correct Foreign Terms are incorporated into the IT contracts. As under NIS 2, DORA creates an EU supervision of the IT suppliers.
DORA gives the EU supervision the title "Supervisory framework for critical third-party providers of ICT services" (Chapter V, Section II).
During the European Affairs Committee's consideration of DORA, the EU supervision was described as follows by the Minister of Finance:
"The government supports a joint European supervision of critical IT suppliers, [..]. It is not yet clear which IT suppliers are designated as critical and come under joint supervision. We will only know for sure when the Council and the European Parliament have negotiated the regulation in place and the framework for the designation of critical IT suppliers is fixed. The immediate expectation from the Commission is that approx. 10-15 IT suppliers will be considered critical.
Possible candidates could e.g. be Amazon, Google, Microsoft, IBM, Alibaba, Huawei, Apple and Cisco.”
The EU supervisory authority, to which certain IT suppliers will be permanently subject, will continuously result in additional demands being placed on these IT suppliers from the EU. In other words, the results of the EU inspection, namely the recommendations to the IT suppliers, must also be included in the financial entities' purchasing process and considerations before an IT contract is entered into.
Some will respond to the above that it must all be managed through compliance certificates, which the IT suppliers already make widely available today in the form of, for example, ISO27001 certifications, ISAE 3402/3000 declarations, SOC 2 reports, CSA STAR ratings and the like.
Certificates of compliance are indeed here to stay, but in that case they must be expanded and clarified so that they better suit the individual organisation's Foreign Terms and the individual service or product that is delivered.
Finally, the use of compliance certificates places demands on the organisation's ability to decode the content of the received compliance certificates in terms of scope and depth. It is not uncommon that, upon closer inspection, compliance documentation does not actually constitute the required proof of compliance, with the result that the organization (customer) does not comply with the requirements for which management is ultimately personally responsible, cf. again the principle that you can delegate the work, but not the responsibility.
Whether the Cyber Resilience Act (CRA) can create the necessary transparency is unfortunately too early to say. In any case, the following is promised about the CRA:
- Ensure that products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product's life cycle;
- Improve transparency on security of hardware and software products;
- Business users and consumers benefit from better protection.
The EU also has other measures on the way to strengthen transparency and facilitate supervisory work. We will write about the measures here on the blog as soon as they and the CRA become more current.
It is difficult to predict, especially about the future. And there are certainly other perspectives than the following:
- IT managers, digitization managers, CIOs, CISOs, IT contract managers, IT operations managers, IT supporters, IT buyers and IT business partners will all feel in the coming years that the framework for choosing an IT supplier is narrowing in light of the above. And they will find that the IT contract is once again written over many pages full of Foreign Terms. Under DORA, so-called technical standards will help this development along.
- Organizations should already now consider how to make information security interact smoothly with the legal requirements through the IT procurement process, and keep management informed so that it can exercise its decision-making right and duty. In many places, work continues in silos and without real management involvement. This must be changed by, as a starting point, establishing or strengthening an existing management system for information security according to ISO27001/2 (ISMS).
- Public purchasing organizations must be assumed to be in a better position when dealing with Foreign Terms, as they are to a large extent used to including Foreign Terms regarding, for example, the environment, chain responsibility, labelling, etc. However, it is difficult to rule out that an organization subject to the tendering rules will find that the ISMS and the derived Foreign Terms, as far as security is concerned, add an extra complicating layer.
- It is a reasonable claim that the IT suppliers, no one mentioned and no one forgotten, must receive the Foreign Terms with more goodwill than seen during the first years of GDPR, if NIS 2 and DORA are really to work as intended. The IT contract needs to become more flexible from customer to customer and have a real connection with what is delivered. If that does not happen, we will have to see how far the authorities will go to ensure that it does, whether the authorities put pressure on management or on the suppliers or both, and how hard.
- All companies and organizations that are subject to NIS 2 or DORA in particular should establish or strengthen their existing ISMS. It is virtually impossible to ensure that management teams actually manage security without a systematic way of solving the task. The fact that managers are personally responsible should make them interested in the work.