Skip to main content

ICT Solutions – Master Terms and Conditions Annex B

Version Date: 9th April 2025

ANNEX B: DORA ADDENDUM

1.1 Subject to the provisions of clause 15 of the Master Terms & Conditions, this addendum (the “DORA Addendum”) forms an integral part of these Terms entered into by and between (i) the Customer (as defined in the body of these Terms), and (ii) ICT (as defined in the body of these Terms, and to be referred to as the “Service Provider” in this DORA Addendum), pursuant to which the Service Provider provides one or more ICT services (as defined in sub-clause 1.1 of this DORA Addendum) to the Customer.

This DORA Addendum defines the legal relationship between the Parties (as defined in the body of these Terms) limitedly in the context of the Service Provider’s provision of an ICT service (as defined in sub-clause 1.1 of this DORA Addendum) to the Customer, and sets out the additional terms, requirements and conditions on which the Service Provider will provide such ICT service(s) to the Customer.

The DORA Addendum contains, inter alia, the key contractual provisions set out in Article 30 of the Regulation (as defined in sub-clause 1.1 of this DORA Addendum).

This DORA Addendum entered into force on the date set forth above.

AGREED TERMS

1.         DEFINITIONS AND INTERPRETATION

  • In this DORA Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Applicable Law” means all laws and regulations applicable to the Customer and/or the provision of the Services, including but not limited to DORA, the relevant rules issued by the MFSA or any other Regulatory Body, and any other laws or regulations, regulatory policies, guidelines or industry codes which apply to the Customer and/or the provision of the Services;
“Business Day” means any day that is not a Saturday or a Sunday and not a public or bank holiday in Malta;
“Competent Authority” means the relevant competent authority responsible for supervising the Customer in accordance with Article 46 of the Regulation;
critical or important function” means a function, the disruption of which would materially impair the financial performance of the Customer, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the Customer with the conditions and obligations of its authorisation, or with its other obligations under Applicable Law;
“digital operational resilience” means, unless the context otherwise requires, the Customer’s ability to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of the Services provided by the Service Provider, the full range of ICT-related capabilities needed to address the security of the network and information systems which the Customer uses, and which support the continued provision of financial services and their quality, including throughout disruptions;
“DORA” means (i) the Regulation, (ii) the Commission Delegated Regulations published, or to be published, in the EU’s Official Journal supplementing the Regulation, and (iii) Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector;
“ICT asset” means a software or hardware asset in the network and information systems used by the Customer;
“ICT risk” means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;
“ICT service” means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services;
“ICT third-party service provider” means an undertaking providing ICT services;
“ICT” means information and communications technology;
ICT-related incident” means a single event or a series of linked events unplanned by the Customer or the Service Provider (including any sub-contractor appointed by the Service Provider in accordance with this DORA Addendum) that compromises the security of network and information systems, and has, or have, an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the Service Provider to the Customer, or by the Customer to its clients. Where relevant (based on the nature of the services and activities provided by the Service Provider or by the Customer, and the Services), this shall also include operational or security payment-related incidents;
“information asset” means a collection of information, either tangible or intangible, that is worth protecting;
“Lead Overseer” means the European Supervisory Authority appointed in accordance with Article 31(1), point (b) of the Regulation;
“MFSA” means the Malta Financial Services Authority established pursuant to the Malta Financial Services Authority Act (Chapter 330, Laws of Malta), or its successor(s);
“network and information system” means a network and information system as defined in Article 6, point 1, of the NIS 2 Directive;
“NIS 2 Directive” means Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148;
“operational or security payment-related incident” means a single event or a series of linked events unplanned by the Customer, whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the Customer (where applicable);
“Regulation” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;
“Regulatory Body” means a regulatory, statutory or other entity, committee and/or body which, whether under statute, rules, regulations, codes of practice or otherwise, is entitled by Applicable Law to supervise, regulate, investigate or influence the matters dealt with in this DORA Addendum, or any other affairs relating to the Customer, including, without limitation, the MFSA;
“security of network and information systems” means security of network and information systems as defined in Article 6, point 2, of the NIS 2 Directive;
“Services” means the services supplied by the Service Provider to the Customer pursuant to these Terms; and
“Transitional Assistance Services” means the Services to continue being provided by the Service Provider to the Customer in the event of the expiry or termination of these Terms pursuant to sub-clause 10.2 of this DORA Addendum, to facilitate the transfer of the Services to the Customer or to the replacement ICT third-party service provider(s), as the Customer may require or direct in the circumstances.

1.2 Unless the context requires otherwise, words and expressions defined in, or having a meaning provided by, these Terms or the Applicable Law shall have the same meanings in this DORA Addendum.

1.3 The rules of interpretation included in clause 5 of the body of these Terms also apply to this DORA Addendum.

1.4 With regard to the subject matter of this DORA Addendum, the provisions contained in the body of these Terms shall continue to apply save as amended or varied by this DORA Addendum, and in the event of any conflict or other inconsistency between the provisions of the body of these Terms and this DORA Addendum, then this DORA Addendum shall prevail to the extent of such conflict or other inconsistency.

2.         OBLIGATIONS AND RESPONSIBILITIES OF THE SERVICE PROVIDER

2.1 The Service Provider shall at all times provide the Services in accordance with the service levels, performance standards, and key performance indicators . Any changes or revisions to such service levels, performance standards, and key performance indicators shall be subject to the prior written approval of the Parties, which approval shall not be unreasonably withheld or delayed.

2.2 The Service Provider may act upon receipt of written or e-mailed instructions given or purported to have been given by one or more person or persons as the Customer shall from time to time have authorised to give the particular class of instructions.

2.3 The Service Provider shall provide the Services and associated functions to the Customer from Lead Business Centre, Triq l-Imprenditur, Central Business District, Bkara, Malta.

2.4 In providing the Services, the Service Provider may process data relating to the Customer from, and may store such data in, Lead Business Centre, Triq l-Imprenditur, Central Business District, Bkara, Malta.

2.5 The Service Provider shall notify the Customer reasonably in advance if it envisages changing the location wherefrom (i) the Services or associated functions are to be provided, or (ii) data relating to the Customer is to be processed or stored.

3.         SECURITY OF INFORMATION ASSETS AND ICT ASSETS

3.1 The Service Provider shall maintain and implement adequate safeguards (including appropriate technical and organisational measures) against the destruction, loss, corruption, alteration or manipulation of any Customer and Customer-related data or other information assets accessible by, or in the possession of, the Service Provider, whether in physical or logical form. The Service Provider shall maintain and implement protection, prevention, detection, safety and security systems, procedures and mechanisms designed to prevent damage to, and unauthorised access or usage of, any and all information assets and ICT assets used by, pertaining or otherwise relating to, the Customer.

3.2 The Service Provider shall ensure that it has in place and is operating, at all times, systems, protocols, processes and tools which meet the highest and up-to-date information and cyber security standards and industry practices (currently, ISO 9001:2015 and ISO 27001:2022). In the provision of the Services, the Service Provider shall as a minimum meet and safeguard the information and cyber security objectives, requirements and standards applicable to the Customer in terms of Applicable Law (including, without limitation, to ensure the resilience, continuity and availability of ICT systems, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit).

4.         ICT-RELATED INCIDENT MANAGEMENT

4.1 The Service Provider shall promptly inform the Customer of any matter which the Service Provider is reasonably aware is reasonably likely to give rise to an ICT-related incident.

4.2 Without prejudice to the rights and remedies of the Customer, upon the occurrence of an ICT-related incident, the Service Provider shall, within three (3) hours from the Service Provider’s discovery of the ICT-related incident, inform the Customer of any such ICT-related incident and shall provide the Customer with full information, evidence, cooperation and assistance required to deal with the ICT-related incident, in particular for the purpose of promptly investigating, responding to, resolving, recovering from, and, where applicable, reporting, the ICT-related incident.

4.3 The assistance provided by the Service Provider pursuant to this clause or sub-clause 9.5 of this DORA Addendum (other than any assistance provided in respect of an ICT-related incident caused as a direct result of the Service Provider’s gross negligence, fraud and/or wilful misconduct, or due to the Service Provider’s unjustifiable failure to perform, in whole or in part, its obligations under this DORA Addendum) shall be subject to fees based on the actual time spent by the Service Provider at the Service Provider’s then current hourly rates for specialist work of this nature and will reflect the importance and difficulty of the work and the seniority and professional experience of the leaders and staff concerned.

5.         DIGITAL OPERATIONAL RESILIENCE TESTING

5.1 Where:

    • a Service constitutes an ICT service which supports a critical or important function of the Customer; and
    • the Customer is obliged to conduct threat-led penetration testing in accordance with the relevant provisions of the Regulation,

the Service Provider shall participate and fully cooperate in the Customer’s threat-led penetration testing to be conducted by the Customer pursuant to Applicable Law.

5.2 Without prejudice to sub-clause 5.3, the Service Provider’s participation in, and assistance provided in respect of, the Customer’s threat-led penetration testing conducted pursuant to sub-clause 5.1 of this DORA Addendum shall be subject to fees based on the actual time spent by the Service Provider at the Service Provider’s then current hourly rates for specialist work of this nature and will reflect the importance and difficulty of the work and the seniority and professional experience of the leaders and staff concerned.

5.3 Where, in the course, or as a result, of conducting threat-led penetrating testing pursuant to sub-clause 5.1, the Customer detects an insufficiency, weakness or failure in the Service Provider’s digital operational resilience framework, and the Service Provider:

    • is in breach of any provision of these Terms relating to the availability, authenticity, integrity or confidentiality of Customer or Customer-related data or other information assets; or
    • fails to meet the standards required by the Applicable Law;

then, the Customer may require the Service Provider to make the necessary modifications to remedy any such insufficiency, weakness or failure without undue delay. The Service Provider shall bear the costs associated with the remediation of any such insufficiency, weakness or failure.

6.         TRAINING

Where reasonable and appropriate, and subject to the Service Provider’s prior written consent, the Service Provider’s staff involved in the provision of the Services shall on a best-efforts basis participate in the Customer’s ICT security awareness programmes and digital operational resilience training, relevant to the Services being provided under these Terms. The Service Provider reserves the right to charge on the basis of the time spent in said programmes and training at its then current hourly rates. For such purpose, the Customer shall provide the Service Provider with at least thirty (30) days’ written notice prior to any such scheduled session, which shall not exceed two (2) hours in duration, unless otherwise mutually agreed upon in writing by the Service Provider.

7.         REPRESENTATIONS AND WARRANTIES

Without prejudice to any representations and warranties provided by the Parties in the body of these Terms, the Service Provider further undertakes, warrants and represents in favour of the Customer that:

  • it will, upon request, and to the extent possible, provide all necessary information and/or documentation which the Customer may reasonably require for the purpose of the Customer complying with its obligations under Applicable Law;
  • the provision of the Services to the Customer does not create any conflict of interest or obligation that would impair the Service Provider’s ability to fulfil its obligations under these Terms in accordance with Applicable Law;
  • it will inform the Customer without delay whenever a risk arises, or it becomes aware of the existence of any business disruption, ICT-related incident, other reason or development, which may prevent, lead to the deterioration in the quality of, or otherwise have a material impact on, the appropriate and continued deployment of the Services or the agreed service levels.

Provided that the Service Provider shall only be required to provide such a notification to the Customer if the Service in question is an ICT service which supports a critical or important function of the Customer;

  • it will, particularly in respect of Services constituting an ICT service which supports a critical or important function of the Customer, maintain and implement adequate business contingency plans to deal with emergency situations or business disruptions, and shall test such plans on a periodic basis, taking into account the nature of the relevant Services;
  • it will, particularly in respect of Services constituting an ICT service which supports a critical or important function of the Customer, maintain and implement ICT security systems, protocols, tools, measures, controls, policies and procedures that provide an appropriate level of security for the Customer to provide its services to clients; and
  • it will, particularly in respect of Services constituting an ICT service which supports a critical or important function of the Customer, and where reasonable and appropriate, collaborate with the Customer in the testing and validation of the Customer’s exit plans.

8.         MONITORING PERFORMANCE AND ACCESS RIGHTS

8.1 The provisions of this clause shall apply solely to the extent that, and in respect of, Services which constitute an ICT service which supports a critical or important function of the Customer.

8.2 Subject to sub-clause 8.1, the Customer shall have the right to monitor the performance of the Service Provider against various criteria, including but not limited to for compliance with:

    • the quantitative and qualitative performance targets and other service levels agreed upon by the Parties from time to time; and
    • requirements regarding the availability, authenticity, integrity and confidentiality of data and other information assets.

Where, in the reasonable opinion of the Customer, the agreed service levels or other criteria set out above are not being met to the satisfaction of the Customer, the Customer shall instruct the Service Provider to adopt appropriate corrective measures without undue delay.

8.3 Subject to sub-clause 8.1, the Service Provider shall allow the Customer, its statutory auditors, the Competent Authority, the Lead Overseer and any other Regulatory Body (including persons appointed by each of them) access to, and the right to inspect and audit, the Service Provider’s premises, including the relevant devices, systems, networks, protocols, tools and data, or other ICT assets or information assets used in the provision of the Services, including the carrying out of on-site inspections at the business premises of the Service Provider.

8.4 Subject to sub-clause 8.1, the Service Provider shall cooperate with the Customer, its statutory auditors, the Competent Authority, the Lead Overseer and any other Regulatory Body (including persons appointed by each of them), during such inspections, visits and/or audits.

8.5 Subject to sub-clause 8.1, the Customer, its statutory auditors, the Competent Authority, the Lead Overseer and any other Regulatory Body (including persons appointed by each of them) shall have the right to request and obtain copies of relevant records (in written or electronic format) that they may reasonably require for such purpose.

8.6 Subject to sub-clause 8.1, the Customer, its statutory auditors and Regulatory Bodies shall provide the Service Provider with at least thirty (30) Business Days’ notice of its intention to conduct an inspection, visit or audit as referred to in this clause. This is without prejudice to the right of the Customer, its auditors and any Regulatory Body (including any person appointed by each of them) for immediate access owing to an emergency or crisis situation, or to cater for situations where advance notice regarding an audit would render the inspection, visit or audit objectives ineffective.

8.7 Subject to sub-clause 8.1, inspections, visits or audits shall be carried out by the Customer at such intervals as may be agreed upon by the Parties in writing depending on the nature of the Services. Such inspections, visits or audits shall cover the relevant systems, protocols, tools and/or key controls identified by the Customer, and the Service Provider’s security practices and procedures.

8.8 Subject to sub-clause 8.1, the Customer shall ensure that the conduct of each inspection, visit, audit or otherwise does not unreasonably disrupt the Service Provider or delay the provision of the Services by the Service Provider or affect its other clients’ rights, and that, where possible, individual inspections are adequately coordinated to minimise disruptions.

9.         SUB-CONTRACTING

9.1 As at the date set forth above, the Service Provider has, with the Customer’s consent, subcontracted the Services referred to in Schedule 1 of this DORA Addendum.

9.2 Prior to sub-contracting a Service to a third party, the Service Provider shall, without prejudice, and in addition, to sub-clause 9.1, notify the Customer in writing of:

    • the location(s) (specifically, the region(s) and country or countries) wherefrom the sub-contracted functions and ICT services shall be provided; and
    • the location(s) (specifically, the region(s) and country or countries) where the data is to be processed by the sub-contractor, including the storage location(s).

The Service Provider shall notify the Customer in advance if the sub-contractor envisages changing the location wherefrom (i) the Services or associated functions are to be provided, or (ii) data relating to the Customer is to be processed or stored.

9.3 Without prejudice, and in addition, to sub-clause 9.1, and sub-clause 9.2, the Service Provider may, with the Customer’s prior written consent, which shall not be unreasonably withheld or delayed, sub-contract ICT services supporting the Customer’s critical or important functions or material parts thereof to a third party.

9.4 Where the Service Provider sub-contracts an ICT service supporting the Customer’s critical or important functions or material parts thereof to a third party in accordance with sub-clause 9.3, the Service Provider shall:

a) ensure that the contractual arrangements with the sub-contractors providing ICT services supporting the Customer’s critical or important functions or material parts thereof:

      • enable the Service Provider to comply with its obligations under this DORA Addendum and Applicable Law; and
      • allow the Customer to comply with its own obligations under Applicable Law;

(b) monitor all sub-contracted ICT services supporting a critical or important function of the Customer (or material parts thereof) to ensure that the Service Provider’s contractual obligations with the Customer are met on a continuous basis;

(c) ensure the continuity of the ICT services supporting the Customer’s critical or important functions throughout the chain of sub-contractors in case of failure by a sub-contractor to meet its contractual obligations;

(d) assess all risks associated with the location of the current or potential sub-contractors (including of its or their parent company or companies) providing, or to provide, ICT services supporting the Customer’s critical or important functions (or material parts thereof), including the location wherefrom (i) the ICT services are, or shall be, provided by the sub-contractor, and (ii) data is, or shall be, processed and stored by the sub-contractor (as applicable);

(e) specify in its written contractual arrangements with each sub-contractor providing ICT services supporting the Customer’s critical or important functions or material parts thereof:

      • the monitoring and reporting obligations of the sub-contractor towards the Service Provider, and, where agreed, the Customer;
      • the requirements to implement and test business contingency plans as set out under Article 30(3)(c) of the Regulation, and the service levels to be met by each ICT sub-contractor in relation to these plans;
      • the ICT security standards and any additional security requirements, where relevant, that shall be met by each sub-contractor in line with Article 30(3)(c) of the Regulation;

(f) inform and seek the Customer’s prior approval or no objection, with at least thirty (30) calendar days’ notice provided to the Customer, prior to implementing material changes to sub-contracting arrangements affecting ICT services supporting the Customer’s critical or important functions or material parts thereof. The Service Provider shall not implement any material changes to sub-contracting arrangements unless and until the Customer provides its prior written approval or no objection to the implementation of the proposed changes. In the event that the planned sub-contracting or changes to sub-contracting arrangements exceed(s) the Customer’s ICT risk tolerance level, the Customer shall, before the end of the notice period noted above:

      • inform the Service Provider of its ICT risk assessment results; and
      • object to the changes and request modifications to the proposed sub-contracting changes prior to their implementation; and

(g) notify the Customer on a best-efforts basis of any significant risks, breaches, or incidents involving a sub-contractor that could impact the Customer’s critical or important functions or material parts thereof, and shall provide the Customer with such additional information, documentation and/or data which the Customer may reasonably require for such purpose.

9.5 The Service Provider shall, without prejudice to the generality of sub-clause 9.4 and sub-clause 9.6, ensure that each appointed sub-contractor involved in the provision of an ICT service supporting the Customer’s critical or important functions:

(a) within three (3) hours from the sub-contractor’s discovery of the ICT-related incident, informs the Service Provider of any such ICT-related incident, and shall promptly provide the Service Provider with full information, evidence, cooperation and assistance required to deal with the ICT-related incident, in particular for the purpose of promptly investigating, responding to, resolving, recovering from, and, where applicable, reporting, the ICT-related incident; and

(b) fully cooperates with the Customer’s incident response team, and shares with the Customer all information, documents and data which the Customer may reasonably require from time to time.

9.6 The Service Provider shall ensure that each appointed sub-contractor involved in the provision of an ICT service supporting the Customer’s critical or important functions provides the Customer, its statutory auditors, the Competent Authority, the Lead Overseer and any other Regulatory Body (including persons appointed by each of them) with the same rights of access, inspection and audit referred to in clause 8.

10.      TERMINATION

10.1 In addition to sub-clause 19.2 of the body of these Terms, the Customer may terminate these Terms in any of the following circumstances:

(a) with immediate effect, where the Service Provider is in significant breach of Applicable Law or any provision of this DORA Addendum, and the Service Provider fails to remedy that breach within a period of thirty (30) calendar days after being notified in writing to do so by the Customer;

(b) with immediate effect, where the Customer identifies circumstances that are deemed capable of altering the Service Provider’s performance of the Services, particularly where such circumstances are based on the Service Provider undertaking material changes that may affect the Service Provider’s situation or the Service Provider’s performance of its obligations under this DORA Addendum, and the Service Provider fails to take appropriate steps to address the Customer’s legitimate concern(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer;

(c) with immediate effect, where the Customer identifies weaknesses pertaining to the Service Provider’s overall management of ICT risk, particularly in the way the Service Provider ensures the availability, authenticity, integrity and confidentiality of data (whether personal or otherwise sensitive data, or non-personal data) or other information assets pertaining, or otherwise relating to, the Customer, and the Service Provider fails to take appropriate steps to address the Customer’s legitimate concern(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer;

(d) with immediate effect, where, in the reasonable opinion of the Competent Authority, the Competent Authority may no longer effectively supervise the Customer’s compliance with its obligations under Applicable Law as a result of the conditions of, or circumstances related to, this DORA Addendum, and the Service Provider fails to take appropriate steps to address the Competent Authority’s concern(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer, and after having provided documentary evidence of the Competent Authority’s concern(s) to the Service Provider;

(e) with immediate effect, where the Service Provider implements a material change to sub-contracting arrangements regarding the provision of ICT services supporting the Customer’s critical or important functions despite the objection and request for modifications to the relevant change(s) having been registered by the Customer in accordance with sub-clause 9.4, paragraph (f), and the Service Provider fails to take appropriate steps to retract or suspend the effective implementation of such material change(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer;

(f) with immediate effect, where the Service Provider implements a material change to sub-contracting arrangements supporting the Customer’s critical or important functions before the end of the notice period referred to in sub-clause 9.4, paragraph (f), without the prior written approval of the Customer, and the Service Provider fails to take appropriate steps to retract or suspend the effective implementation of such material change(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer; or

(g) with immediate effect, where the Service Provider sub-contracts an ICT service supporting a critical or important function of the Customer which the Service Provider is not explicitly permitted to sub-contract in terms of sub-clause 9.3, and the Service Provider fails to take appropriate steps to retract or suspend the effective sub-contracting of such service(s) within a period of thirty (30) calendar days after being notified in writing to do so by the Customer.

10.2 In the event of the termination of these Terms on any of the grounds referred to in sub-clause 10.1 of this DORA Addendum, however to the extent that a Service constitutes an ICT service which supports a critical or important function of the Customer:

(a) the Service Provider shall provide the Customer with a transition plan, setting out the manner in which the Services shall be transitioned to the Customer and/or to another ICT third-party service provider designated by the Customer for such purpose (the “Transition Plan”). The Transition Plan shall describe the measures and activities to be undertaken by each of the Parties to ensure a smooth transition of the provision of the Services (including the secure transfer of any relevant data) to the Customer and/or to the future ICT third-party service provider(s), as applicable; and

(b) the Service Provider shall, with a view to:

      • ensuring that such a transition does not disrupt the Customer’s business activities, limit the Customer’s compliance with Applicable Law, or impact the Customer’s continuity or quality of services provided to its clients; and
      • allowing the Customer to effectively migrate the procurement of the Services to another ICT third-party service provider, or, alternatively, to change to in-house solutions, consistent with the complexity of the ICT service in question;

continue providing the Services for a reasonable time after termination which shall not exceed a period of three (3) months from the relevant termination date (the “Transitional Period”). The specific length of the Transitional Period shall be mutually agreed upon by the Parties in writing in the Transition Plan. The Customer will be liable for pro-rata service charges to the Service Provider for the Transitional Assistance Services provided by the Service Provider during the Transitional Period.

10.3 The Service Provider shall cooperate with the Customer and/or any replacement ICT third-party service provider(s) to the extent reasonably required to facilitate the smooth migration of the Services from the Service Provider to the Customer and/or any replacement ICT third-party service provider(s), as applicable.

10.4 Without prejudice to sub-clause 10.3, in the event of termination of these Terms on any of the grounds referred to in sub-clause 10.1, or the insolvency, resolution or discontinuation of the business operations of the Service Provider, the Service Provider shall continue ensuring access to, and recover and return, all data (whether personal or otherwise sensitive data, or non-personal data) or other information assets relating to the Customer (including customer data and Confidential Information), records, documentation, information, materials, hardware, and other property to or which is relevant to the provision of the Services in its possession or under its control, in a format acceptable to the Customer.