IT contracts

The new cybersecurity legislation requires companies and governments to review IT contracts and revise them where necessary, with a particular focus on the security clauses.

By way of illustration: the duty of care under the NIS2 and the Cbw also includes the obligation to secure the supply chain. This is to ensure that cybersecurity risks at suppliers and service providers are managed as much as possible.

In concrete terms, this means that the Cbw requires sound contractual agreements to be made with IT suppliers. Among other things, this entails that cybersecurity criteria must already be applied when selecting (IT) suppliers. The contracts themselves must contain certain clauses, such as:

  • the cybersecurity requirements that IT suppliers must meet (incl. skills, training, and verification of employees);
  • notifying (significant) incidents without delay;
  • the right to inspection or the right to receive audit reports;
  • an obligation to address vulnerabilities;
  • requirements for outsourcing/subcontractors;
  • obligations of IT suppliers upon contract termination (such as collecting and deleting acquired information about the customer).

IT suppliers themselves must also ensure that their contracts are, where necessary, in line with the requirements arising from the NIS2/Cbw, DORA, CRA, or other cybersecurity legislation.
Our specialists are happy to help you draw up sound contractual agreements (whether you are a customer or an IT supplier!).