DORA Terms

These Digital Operational Resilience Act Terms ("DORA Terms") supplement the Agreement between the Parties and shall apply if and to the extent that: (a) Customer is a Financial Entity to whom DORA applies; and (b) DORA Services are purchased. Capitalized terms not defined herein will have the meaning set forth in the Agreement.

1. Application.

1.1 Part A of the DORA Terms applies to all DORA Services provided by Actimize to the Customer pursuant to the terms of the Agreement that are ICT Services. Part B of the DORA Terms applies only to the DORA Services (or part(s) thereof) provided by Actimize or its Subcontractors which are ICT Services and are used by the Customer to support a Critical or Important Function.

1.2 If Customer ceases to be within scope of or otherwise subject to DORA in connection with its use of DORA Services, the provisions of the DORA Terms that arise as a result of the aforementioned legislative or regulatory requirements shall terminate immediately and shall cease to have any further effect.

2. Definitions.

"Agreed Service Levels" means the service levels set out in the Agreement which shall include any performance standards or timescales for performance of Actimize obligations even if not expressed to be a service level.

"Competent Authority" means the national regulatory entity that is responsible for overseeing the Customer's activities.

"Cyber Threats" means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.

"Critical or Important Function" means a function, the disruption of which would materially impair the financial performance of the Customer, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the Customer with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

"DORA" means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, and any legally binding delegated or implementing regulation issued by a Competent Authority pursuant to DORA including regulatory technical standards (the “Implementing Regulations”).

"DORA Services" means the Software or Cloud Services provided by Actimize to the Customer under the Agreement which constitute ICT Services.

"Financial Entity" has the meaning given in Article 2(2) of DORA.

"ICT Services" means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

"Regulator" means a government body, regulatory body, Competent Authority or resolution authority (wherever located) with binding authority to regulate the Customer's business activities under DORA.

"Required TLPT" means Threat-led Penetration Testing or pooled Threat-led Penetration Testing by an external tester that: (a) the Customer is required to undertake in accordance with DORA and the Implementing Regulations; (b) concerns a Critical or Important Function that is supported by DORA Services; and (c) will or may impact on DORA Services.

"Resolution Authorities" means the national regulatory entity that is empowered to apply resolution tools and exercise resolution powers in respect of the Customer.

"Threat-led Penetration Test" or "TLPT" means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine Cyber Threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the Financial Entity’s critical live production systems.

PART A

1. Service Description. A description of the DORA Services is set out in the Order. Actimize is entitled to subcontract part or all of the provision of the DORA Services in accordance with the Subcontractors section of the Terms and Conditions.

2. Location of Service. The Agreement shall prescribe: (a) the location(s) of DORA Services; and (b) the Content storage location (collectively the "Locations"). Actimize shall notify the Customer in advance of any changes to the Locations.

3. Information Security Standards. Actimize shall implement and maintain appropriate information security standards to ensure availability, authenticity, integrity and confidentiality of the Content in accordance with Corporate Security Terms and Cloud Security Policy.

4. Recovery of Data. If the Agreement terminates or expires, or on the insolvency, resolution or discontinuation of the business operations of Actimize, Actimize shall, subject to its retention of any data required to be maintained to comply with applicable law, either: (a) provide the Customer with access to, and the means to recover, Content in Actimize' possession or control (in an easily accessible format); or (b) return Content in Actimize' possession or control (in an easily accessible format) pursuant to a mutually executed SOW detailing the scope of work and fee for Actimize to recover its reasonable time and costs.

5. Service Levels and Monitoring

5.1 Actimize will ensure that the DORA Services are provided so as to meet the Agreed Service Levels (as updated from time to time).

5.2 If such right is required by applicable law or regulations and such functionality is not already made available to the Customer elsewhere in the Agreement, Customer shall be entitled to monitor the performance of the DORA Services on an ongoing basis through regular access to the DORA Services and reports and dashboards which may be provided within the Cloud Services.

6. Incident Management.

6.1 Actimize shall provide such assistance as the Customer may reasonably require where an ICT incident occurs that is related to the DORA Services.

6.2 Actimize may charge a fee to the Customer for any assistance provided pursuant to Section 6.1 above in accordance with Actimize' then-current rates.

7. Co-Operation with Regulators.

7.1 The Customer shall promptly notify Actimize if it receives inquiries from a Regulator which relate to the DORA Services. Actimize shall fully cooperate with Regulators (including other persons appointed by them) in the course of such Regulators performing their regulatory functions in relation to the DORA Service.

7.2 Actimize may charge a fee to the Customer for any assistance provided pursuant to Section 7.1 above in accordance with Actimize' then-current rates.

8. Additional Customer Termination Rights.

8.1 The Customer may, upon written notice to Actimize, terminate the applicable Order: (a) due to a breach that is incapable of being cured; or (b) where Actimize has failed to cure within a reasonable timeframe of no less than sixty (60) days from the date of its receipt of written notice from the Customer. For the avoidance of doubt, Customer may exercise the rights set forth in Section 8.1 solely in the following circumstances where: (i) Actimize has committed a significant breach of applicable laws or regulations; (ii) the Customer can reasonably demonstrate that there are circumstances which are capable of adversely altering the performance of the DORA Services which are unavoidable; (iii) the Customer can reasonably demonstrate that there are material weaknesses pertaining to Actimize' overall ICT risk management, and in particular in the way Actimize ensures the availability, authenticity, integrity and confidentiality of Content; (iv) the Competent Authority can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the DORA Terms that expressly refer to Actimize or its DORA Services; or (v) the Customer provides written evidence (including promptly providing a copy of the regulatory notification) where the Regulator specifically identifies Actimize ("Regulatory Notification") that such Regulatory Notification is due to a breach by Actimize of the DORA Terms.

8.2 If the Customer exercises its right to terminate under Section 8.1 above (other than as a result of an incurable breach by Actimize of the DORA Terms), the Customer shall: (a) pay a termination fee to Actimize, which will be calculated as the outstanding unpaid Fees due to Actimize for the remainder of the then-current Subscription Term under the Order and Fees that are due under the applicable Statement of Work tied to such Order; and (b) not be entitled to any credits, set-offs or refunds. Notwithstanding the foregoing, upon such termination, Customer waives any current or future right to initiate any claim against Actimize in connection with the Agreement.

9. Customer Training Programmes. Subject to the agreement of applicable terms, Customer may require Actimize personnel to participate in the Customer’s security awareness programmes and operational resilience training prior to being involved in the provision of the DORA Services. Actimize may charge a fee to the Customer for such participation in accordance with Actimize' then-current rates including reasonable expenses. Actimize’s performance of Services (including timelines and service level commitments, if any) for the duration of such training shall be excused.

PART B

1. Reporting and Material Developments.

1.1 The Agreement sets out Actimize' reporting obligations and notice periods for such reporting, including what reports need to be provided in relation to any failure to meet the Agreed Service Levels.

1.2 Actimize shall notify the Customer as soon as reasonably practicable of any development or change in circumstances that might have a material adverse impact on Actimize' ability to provide the DORA Service in accordance with the Agreed Service Levels or applicable law or regulatory requirements. No separate notification is required if Actimize has reported a failure to meet the Agreed Service Levels in accordance with the Agreement.

2. Business Continuity and Security.

2.1 Actimize shall implement, maintain and test appropriate business continuity plans at regular intervals. The Corporate Security Terms and Cloud Security Policy describe the business continuity requirements that Actimize implements consistent with DORA.

2.2 Actimize shall maintain ICT security measures, tools and policies that provide an appropriate level of security for the provision of Cloud Services. The Corporate Security Terms and Cloud Security Policy describe the measures Actimize has in place consistent with the DORA regulatory framework.

3. Threat-led Penetration Testing.

3.1 Except as required by a Regulator, Actimize will participate and reasonably cooperate in Required TLPT, which shall occur only once in any rolling three (3) year period.

3.2 The Customer shall: (a) provide no less than ninety (90) days' prior written notice to Actimize of its intention to conduct a Required TLPT; (b) jointly identify the portions of the DORA Services that form part of the relevant underlying information, communication, technology systems, processes and technologies supporting the Customer's Critical or Important Functions; (c) enter (or require an external tester to enter) into a contractual arrangement with Actimize as Actimize deems appropriate, including any potential adverse impact on the quality or security of Actimize services and customers and on the confidentiality of data relating to Actimize' services; (d) procure that effective risk management controls are applied in respect of the TLPT in order to mitigate the risks of any potential impact on data, damage to assets, and disruption to Critical or Important Functions, services or operations relating to Actimize' services and customers; (e) comply with Actimize policies and procedures relating to information security and operational resilience so far as the Required TLPT may impact the Cloud Services, including those policies and procedures described in the Cloud Security Policy; and (f) comply and ensure that any external tester complies with all applicable laws and regulations relating to the Required TLPT.

3.3 The Customer shall be responsible for all fees, costs and expenses reasonably incurred by Actimize in connection with its performance of the Required TLPT.

4. Subcontracting.

4.1 The Customer acknowledges that Actimize engages certain Subcontractors to provide aspects of the DORA Services. The subcontracted aspects of the DORA Services may support Critical or Important Functions of the Customer or parts thereof. Details of such Subcontractors are located at Actimize Affiliate and Subcontractor List.

4.2 Actimize will remain responsible for all acts and omissions of the Subcontractor in respect of the sub-contracted services and shall monitor the Subcontractor to ensure that Actimize’ contractual obligations to the Customer are continuously met.

4.3 Actimize shall have an executed agreement with each Subcontractor containing: (a) monitoring and reporting obligations of the Subcontractor towards Actimize; (b) appropriate measures to ensure the continuity of the subcontracted services; (c) service levels that enable Actimize to meet the Agreed Service Levels (where applicable); (d) appropriate ICT security standards with reference to international standards like ISO27001 and ISO27002, SOC2 and NIST (as appropriate); and (e) appropriate rights of access, inspection and audit as are granted to the Customer and relevant Regulators by Actimize under Section 5 (Audit).

4.4 Actimize shall assess risks associated with the location of the Subcontractor and its parent company, and the location from which the relevant aspect of the DORA Services are provided.

4.5 Actimize shall notify the Customer of: (a) any new subcontracting; or (b) any material changes to any existing subcontracting arrangements, which might affect the ability of Actimize to meet its responsibilities under the Agreement.

4.6 As required by applicable law or regulations, Customer may terminate the Agreement where Customer, acting reasonably, deems that the new or modified subcontracting arrangement by Actimize materially increases the risk assessment of the Customer of Cloud Services under the Agreement and Actimize cannot cure such material increase in risk within a reasonable timeframe.

4.7 The parties shall take into consideration whether a Subcontractor has been designated as a critical ICT third party service provider under DORA in overseeing the Subcontractor's compliance with DORA including, without limitation, this Section 4 and Section 5 (Audit).

5. Audit.

5.1 Actimize grants the Customer, a third party appointed by the Customer and the Regulators (each a "Requester") the right to access, inspect and audit: (a) Actimize' performance of the DORA Services; and (b) Actimize' compliance with the Agreement generally (the "Audit Right"), in accordance with this Section 5.

5.2 Actimize shall fully cooperate with a Requester in its exercise of the Audit Right to perform on-site inspections and audits and shall not allow the Requester to take copies of relevant documentation off-site if such documentation is critical to Actimize operations.

5.3 Except in an emergency, crisis situation or as required by a Regulator, the Customer must at all times provide Actimize no less than sixty (60) days' written notice prior to the date of the scheduled audit (which shall be during normal business hours) by the Customer or its third party auditor. The notice for audit must at a minimum include a detailed information request list and, where applicable, the identity of the third party auditor appointed by the Customer to exercise the Audit Right.

5.4 Where the Customer wishes to appoint a reputable industry standard third party auditor to exercise the Audit Right: (a) the Customer shall ensure such third party is not a competitor of Actimize; (b) the Customer shall verify that the third party and its personnel exercising the Audit Right have the necessary skills, knowledge and experience to exercise the Audit Right; and (c) the third party shall be required to enter into confidentiality arrangements with Actimize on terms satisfactory to Actimize (acting reasonably).

5.5 The Customer and any third party appointed by the Customer will exercise the Audit Right in a risk-based and proportional manner, taking into account the legal requirements, the context and the nature of the DORA Service.

5.6 Prior to exercising any Audit Right, the Customer shall first consider the following elements to satisfy the level of assurance asserted under the Audit Right: (a) independent audit reports provided on behalf of Actimize; (b) audit reports of Actimize internal audit function; (c) Actimize' standard third-party certifications such as its ISO27001 certification; and (d) other information that Actimize makes available to the Customer.

5.7 The Customer and any third party appointed by the Customer shall ensure that its exercise of the Audit Right does not hinder Actimize' ability to provide the DORA Service or carry out its normal business.

5.8 If the exercise of the Audit Right by the Customer or any third party appointed by the Customer could, in Actimize' reasonable opinion, affect the rights of another Customer of Actimize (for example, an impact on service provision, service levels, availability of data or Actimize' confidentiality obligations), Actimize and Customer shall agree alternative assurance levels.

5.9 The Audit Right may be exercised by the Customer (including via any third party appointed by the Customer) no more than once during any twelve (12) month period, unless a more frequent exercise of the Audit Right is required by a Regulator. The duration of an audit shall not exceed two (2) business days, unless a longer period is required by a Regulator.

5.10 The Customer shall reimburse Actimize for all fees, costs and expenses reasonably incurred by Actimize in connection with the audit.

5.11 All information disclosed in connection with this Section 5 shall be considered Actimize’s Confidential Information.

6. Obligations on Expiration or Termination.

6.1 Customer may require the Cloud Services to continue for a transitional period of up to three (3) months following the effective date of the termination or expiry of the Order ("Transition Period"). During the Transition Period, the Customer shall pay in full for the Cloud Services at the then-current rate for such Cloud Services. The terms of the Agreement will continue to apply during the Transition Period.

6.2 At least thirty (30) days (or if not feasible, as soon as reasonably practicable) prior to the effective date of the termination of the Order, the Customer shall specify the duration of the Cloud Services it requires Actimize to perform during the Transition Period.

6.3 If requested by the Customer, Actimize may agree to provide additional support and assistance to the Customer during the Transition Period to support an efficient and orderly transition of the Cloud Services to the Customer or a replacement supplier (provided such replacement supplier is not a competitor of Actimize). Any such support and assistance (including the applicable fees) will be agreed between the parties in a separately executed Order or SOW.

6.4 Actimize shall permit the Customer to download the Content in a readily accessible format during the Transition Period (at the sole cost and expense of the Customer).