The IT contract is no longer just a commercial contract.
Today, its primary purpose is to support the IT department's availability KPIs, which aim as close to 100% as possible.
Therefore, it is important that you are aware of the requirements that the comprehensive cybersecurity regulation, such as NIS 2 implementation legislation and DORA, impose on the terms of an IT contract.
The growing cyber threat and increasing regulatory pressure have given the IT contract a key role in the organization's ability to manage the risks associated with outsourcing IT.
The organization must fundamentally be able to implement the same initiatives and actions as if the IT function were located in-house.
Through the IT contract, the organization must set relevant terms for the IT supplier that reflect the legal requirements to which the organization is subject.
In practice, the organization often does this by translating the legal requirements into its own internal policies.
More generally, the IT contract is another tool that management uses to realize the objectives that will generally be found in management's cybersecurity strategy.
What do you do in practice?
- The organization first identifies any legal regulations to which it is subject.
- As stated above, this could be, for example, NIS 2 implementation legislation or DORA, both of which contain requirements for contractual arrangements regarding the outsourcing of IT.
- Relevant requirements that the law imposes on the outsourcing contract are then identified.
- The requirements are then translated into specific contract terms that support the fulfillment of those requirements. To ensure that the terms actually meet the requirements, other sources can be drawn on when drafting the terms, such as material from the Danish Digital Agency.
Examples of requirements that should be made into terms:
- Point 5.1.4 of the Annex to the NIS 2 Implementing Regulation for IT suppliers (Implementing Regulation – EU – 2024/2690 – EN – EUR-Lex)
- Article and 30, paragraphs 1-3 of DORA (Regulation – 2022/2554 – EN – EUR-Lex)
- Section 30 of the draft executive order on resilience and preparedness in the energy sector (Draft executive order on resilience and preparedness in the energy sector.pdf)
Need help?
At Unitas, we help with the exercise described above. We are ready to help you too.
Jacob Spliid – Legal Compliance Specialist & DPO – 30 11 65 08