The Importance of Software Escrow to Lawyers for Clients’ Regulatory Compliance and Digital Resilience


In an age dominated by digital transformation and consumption of cloud technologies, digital resilience has never been more critical for organisations across all industries to safeguard critical assets and ensure availability of critical services including those delivered by 3rd parties.

The convergence of new regulations for financial institutions, like the Prudential Regulation Authority (PRA) SS2/21 and PS7/21 and The Digital Operational Resilience Act (DORA), as well as updated standards, such as ISO/IEC 27001:2022 more broadly, are pushing companies to rethink their continuity of service plans and stressed exit strategies. One pivotal solution that can ensure both continuity and compliance is Software Escrow or SaaS Escrow.

These developments present an opportunity for solicitors both internal and external to increase their knowledge and value. In turn advising on the most up-to-date regulations and best practices that are essential for companies to mitigate risks, fulfil their compliance obligations and maintain their adherence to regulatory standards.

In this blog post, we provide an overview of the current regulatory pressures as well as highlighting the importance of software escrow and SaaS escrow in addressing the challenges posed with appropriately managing and securing digital operations.

Understanding the Regulatory Landscape

PRA’s Outsourcing and Third-Party Risk Management (PRA SS2/21)
Most companies regulated by the Prudential Regulation Authority (PRA) including: banks, financial institutions, credit unions and insurance firms are adopting SaaS hosted applications for many critical applications within their companies. The PRA SS2/21 and PS7/21 polices are aimed at ensuring these regulated companies have robust continuity measures in place for services designated under outsourcing and third-party risk management. The new policies came into effect on the 31st March 2022.

The Digital Operational Resilience Act (DORA)
The European Union’s aim of the Digital Operational Resilience Act (DORA) is to improve the cybersecurity and operational resiliency of the financial services sector. As an integral part of the ICT risk management framework, DORA requires financial companies such as banks, insurance companies and investment firms to adopt a robust and comprehensive digital operational resilience testing program covering ICT tools, systems and processes.

Before DORA, financial institutions did not manage all components of operational resilience, however, with DORA, they must also follow strict rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents.

DORA entered into force on 16th January 2023, 20 days after its initial publication in the Official Journal of the European Union on 27 December 2022. Financial entities in the European Union (EU) and their critical ICT providers must be ready to comply with DORA by 17th January 2025. Further information can be found here.

ISO/IEC 27001:2022
ISO/IEC 27001 provides a systematic and comprehensive approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. The standard is designed to help organisations of all sizes and types establish, implement, maintain, and continually improve their ISMS.

In October 2022, ISO/IEC 27001:2022 was published. One notable change in ISO/IEC 27001:2022 is the inclusion of software escrow in Annex A Control 8.30 and now includes the following guidelines to cover this area:

1: “Ensure that the source code of the software is protected by escrow agreements. For example, it may address what will happen if the external supplier ceases to operate.”

2: “Maintaining evidence that adequate testing has been conducted to address identified vulnerabilities.”

More information is available here.

Regulatory Agencies in the US
Regulatory agencies in the United States have also tightened their belts when it comes to third-party risk management and outsourcing. The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Board (FED Board), released revised guidelines in June this year for third-party risk management. Notably consideration to establish software escrow agreements when a banking organisation purchases software so access is available to source code and applications under certain circumstances such as insolvency of the third-party. Click here for more information.

The Importance of Software Escrow and SaaS Escrow

By having a software escrow or SaaS escrow agreement in place, organisations can ensure their commitment to continuity planning and vendor resilience, meeting the requirements of regulators when addressed properly. Some benefits of software escrow and SaaS escrow agreements include:

  • Ensuring Continuity of Service: Following a key supplier failure or other default events, software escrow and SaaS escrow agreements can be tailored to include specific provisions for access to existing production or DR systems, timely release and access to source code and/or data to maintain software products, or a service led approach where the escrow vendor redeploying and managing a replica system on behalf of the beneficiary. This enables organisations to sustain their operations for critical services during unforeseen events.

  • Compliance and Transparency: Software escrow and SaaS escrow agreements are governed by clear terms and conditions, fostering transparency between software providers, escrow vendors and licensees.

  • Mitigating Vendor Risks: Reduced dependency on single vendors and proactively manage vendor-related risks, ensuring uninterrupted services.

  • Fostering Innovation: Resilience is not just about withstanding disruptions but also fostering innovation. With software escrow ensuring access to software assets, organisations can innovate and adapt their digital solutions when necessary, driving growth and competitiveness.

  • A Win-Win Solution: In embracing these regulatory compliances with software escrow or SaaS escrow, we create a win-win situation. Organisations enhance their resilience to potential risks, while software providers demonstrate their commitment to responsible business practices and customers needs to protect their interests.

The Way Forward

In a world where digital services are the backbone of modern business, regulatory compliance and resilience are non-negotiable. The convergence of regulations like PRA SS2/21, DORA and standards like ISO/IEC 27001:2022 calls for a holistic approach to continuity and risk management. Software escrow and SaaS escrow is an invaluable solution that not only helps meet these demands but also ensures the long-term viability for organisations.

By educating your clients about software escrow or SaaS escrow, they will be able to thrive in a regulated and ever-evolving landscape, demonstrating their commitment to risk mitigation and business continuity.



About Escrow London

Escrow London is a global software and SaaS escrow company with offices in London, UK, Atlanta, USA and Sydney, Australia.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

To find out more about Escrow London and our Software Escrow and SaaS Escrow solutions, visit our YouTube channel.