2025-06-30

Guidance on Reporting ICT Service Agreements

The Norwegian Financial Supervisory Authority issues this guidance to implement the Digital Operational Resilience Act (DORA) requirement for entities to report planned ICT service agreements supporting critical or important functions. Entities must submit notifications using Altinn form KRT-1121 at least 30 days before the agreement or significant changes take effect. The Authority retains the power to request additional documentation and enforce contract termination or modification if non-compliance with DORA Articles 28-30 is identified.

Norway

Finanstilsynet Norway

Guidance

This guidance applies to the reporting of ICT service agreements that support critical or important functions and the use of Altinn form KRT-1121.

Reporting of Planned Critical or Important ICT Service Agreements

ICT service agreements that support critical or important functions for the entity are subject to reporting requirements under Article 28(3), fifth paragraph, of the DORA Regulation, as implemented in Norwegian law through the DORA Act. "Critical or important function" is defined in Article 3(22) of DORA.

The entity must, in good time, report any planned contractual relationship regarding the use of ICT services that support critical or important functions, as well as when a function has become critical or important.

The rules also cover requirements for the assessments the entity must make prior to concluding the agreement and requirements for the content of the agreement, see Articles 28 to 30 of DORA.

The Financial Supervisory Authority assumes that the board is sufficiently informed about the conclusion of such agreements, cf. Article 5(2)(i). This also applies to significant changes to critical or important ICT service agreements.

Changes

The reporting obligation also applies to agreements on the use of ICT services that support a function which, after the conclusion of the agreement, is assessed as critical or important for the business, see DORA Article 28(3), fifth paragraph. The entity must also report on previously reported ICT service agreements if the service no longer supports a function considered critical or important for the entity.

The Financial Supervisory Authority assumes that material changes to existing contractual relationships are covered by the reporting obligation under Article 28(3) if the change is significant.

Timing of Reporting

Entities subject to DORA must report planned critical or important ICT contractual relationships to the Financial Supervisory Authority in good time, see Article 28(3), last paragraph. The Regulation does not specify what "good time" means. The Financial Supervisory Authority assumes that "good time" should be understood as at least 30 days before the agreement or change takes effect.

Reporting on ICT Service Agreements

Altinn form KRT-1121 must be used for reporting an ICT service agreement. The form has been somewhat modified due to DORA, among other things by no longer requiring attachments to the form.

The following information must be filled out in the form:

- Name and organization number of the contractor. In reports from groups/alliances, the group company shall be listed as the contractor.
- Whether the agreement regulates the following matters:
  - incident reporting
  - business continuity
  - the entity's right to control, including auditing the supplier's activities
  - the Financial Supervisory Authority's right to access information and supervise the supplier
  - confidentiality
  - exit provisions
- Whether the agreement replaces an existing agreement.
- Whether the risk assessment of the agreement includes elements of residual risk assessed as high.
- A brief description of the agreement, a brief risk assessment, and the agreement's S-category in accordance with (EU) 2024/2956 Annex III (financing undertakings do not need to provide the S-category).
- The agreement's start and end dates, including information about rolling contract periods.
- Whether the contractor conducts business in Norway, through a Norwegian company, branch, or as a cross-border business. If the contractor is established abroad, it must also state which country the entity's head office is established in.
- Name and organization number of subcontractors used by the contractor to perform tasks on behalf of the entity. If the subcontractor is established abroad, please state which country.

Access to Collective Reporting for Groups/Alliances

DORA does not contain provisions on reporting ICT service agreements in groups and alliances. The Financial Supervisory Authority assumes that groups/alliances may still report ICT service agreements collectively, subject to approval from the Financial Supervisory Authority.

Groups and alliances wishing to submit collective reports under DORA regarding ICT service agreements must notify the Financial Supervisory Authority, even if previously reported under the Financial Supervisory Authority Act and the Reporting Obligation Regulation. Any changes regarding which entities are covered by such collective reporting must be reported promptly before the change takes effect. For such reports, Altinn form KRT-1060 must be used with reference 25/7440 in field 2.2.

Processing of Reports by the Financial Supervisory Authority

The entity will receive an automatic acknowledgment letter confirming receipt of the report. As a general rule, the entity may implement the agreement 30 days after submission of the report.

The Financial Supervisory Authority may request further information and documentation if necessary. For example, the entity may be asked to send a copy of the risk assessment and the ICT service agreement. In such cases, the Financial Supervisory Authority will provide feedback on any issues that need to be rectified, matters requiring particular attention, or whether the report is taken for information.

If the Financial Supervisory Authority identifies non-compliance with Articles 28 to 30 of DORA, it may, under Article 50, order the entity to terminate the ICT service agreement or make changes, even after the agreement has been implemented.

Topic Page

Regulation on Digital Operational Resilience in the Financial Sector (DORA)