The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation set to significantly impact financial services organizations' contractual relationships with "ICT third-party technology providers," encompassing most IT service providers within the financial sector.

Enacted in 2023, DORA aims to ensure that financial institutions can withstand, respond to, and recover from ICT-related threats and disruptions. This comprehensive regulation will take effect on January 17, 2025.

That means that as of the time of this writing, organizations have six months to become compliant.

In this post, we’ll explore DORA’s requirements, its impact on the contracts and operations of financial services organizations, and how you can leverage contract intelligence to seamlessly integrate DORA's requirements into your compliance program.

‍

Who does DORA apply to?

DORA applies to a wide range of financial entities, including but not limited to:

• Credit institutions
• Payment institutions
• Account information service providers
• Electronic money institutions
• Investment firms
• Crypto-asset service providers and issuers of asset-referenced tokens
• Trading venues
• Managers of alternative investment funds
• Insurance and reinsurance undertakings
• Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
• Credit rating agencies
• ICT third-party service providers

‍

What does DORA aim to accomplish?

Financial services regulators are increasingly concerned about third-party risk and the potential adverse impacts of vendor incidents on financial services organizations and their customers. DORA represents the EU's effort to ensure operational resilience in this space.

According to the European Insurance and Occupational Pensions Authority, DORA “aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”

‍

Key Components of DORA

DORA’s requirements can be broken down into five key components:

• ICT Risk Management: Financial services organizations are required to implement robust ICT risk management frameworks, which include regular risk assessments, preventive measures, and incident response and recovery plans.
• Incident Reporting: DORA mandates timely reporting of significant ICT-related incidents to maintain transparency and enable regulatory bodies to monitor and manage risks effectively.
• Digital Operational Resilience Testing: Financial entities must regularly test their ICT systems to ensure they can withstand operational disruptions. This involves scenario-based testing and participation in sector-wide exercises.
• Information Sharing: DORA encourages financial entities to share information to enhance collective resilience, including threat intelligence and best practices.
• ICT Third-Party Risk Management: Organizations must ensure that third-party ICT service providers comply with DORA’s requirements through thorough due diligence, regular monitoring, and specific contractual clauses to manage third-party risks.

‍

DORA’s Impact on Contracts

DORA will directly affect how financial services organizations draft and manage their contracts. 

Here are some key issues financial services organizations should consider in their contractual relationships with service providers:

• Mandatory Contract Clauses: Contracts with ICT service providers will need to include specific mandatory provisions to comply with DORA’s requirements. This includes provisions for risk management, incident reporting, and regular testing.
• Termination Clauses: Given the critical nature of ICT services, contracts should include termination clauses that can be invoked if a service provider fails to meet DORA’s standards. This ensures that organizations can quickly switch to alternative providers if necessary.
• Liability and Indemnity: Organizations must carefully define liability and indemnity clauses to cover potential losses arising from ICT disruptions. This includes specifying the extent of liability for data breaches, system failures, and other ICT-related incidents.

• Due Diligence and Audits: Organizations will have to perform rigorous due diligence before entering into agreements with third-party providers. Contracts should include rights to conduct audits and assessments of the provider’s ICT security measures.
• Incident Management: Contracts will need to specify the roles and responsibilities of each party in the event of an ICT-related incident. This includes clear procedures for incident reporting and resolution.

‍

Preparing for DORA

Building a DORA compliance program necessitates a deep dive into your vendor contracts. Organizations can lay the groundwork for contract compliance by:

• Knowing what’s in your contracts: Conduct a thorough review of all existing contracts with ICT service providers to identify gaps and areas that need updating to comply with DORA.
• Amending and updating your contracts: Identify contracts that need to be amended and update them to include mandatory language and protective non-mandatory language.
• Updating your clause library and templates: Review your clause library and your contract templates to make sure they incorporate DORA provisions as appropriate to ensure that all future contracts are compliant from the outset.

Engaging stakeholders will be crucial. As you work to establish a foundation for DORA compliance, make sure to:

• Collaborate with providers: Engage in open dialogues with ICT service providers to ensure they understand and are prepared to meet DORA’s requirements.
• Engage legal and compliance teams: Work closely with legal and compliance teams to understand the full implications of DORA and ensure all contract documents are in alignment.
• Train your staff: Train staff involved in contract management on DORA’s requirements and the importance of including specific clauses to manage ICT risks effectively.

‍

Contract Intelligence for DORA Compliance: A Playbook

Evisort’s Contract Lifecycle Management (CLM) and Contract Intelligence platform can streamline and accelerate your DORA compliance program ahead of the effective date. 

Here’s how.

Step 1: Identify and organize your vendor contracts

As part of your ICT risk management framework, DORA requires organizations to distinguish between ICT contractual arrangements that cover services supporting “critical or important” functions, and those that do not.

So as a starting point, you’ll need a clear inventory of your existing vendor agreements so that you can begin to evaluate the nature of your vendor relationships.

Evisort’s centralized contract repository can automatically organize all of your organization’s contracts in a folder-based structure that maps to your current document storage system folders – or you can simply set up a search query to surface all of your vendor agreements in real time. 

‍

Evisort’s best-in-class AI and OCR can ingest and process up to 450,000 contracts per day. Upon ingestion, Evisort will automatically identify and label key clauses, fields, and contract types – fully automating the resource-intensive process of identifying all of your vendor agreements. 

‍

After loading your contracts into Evisort, you’ll be ready to evaluate the nature of your current contractual arrangements.

‍

Step 2: Identify “critical or important” ICT providers

Now that you’ve organized your vendor contracts, you will need to identify which relationships support “critical or important” functions. 

Under the Act, a “critical or important” function is defined as:

“A function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.”

Your determination of which contracts fall within this definition will impact how you treat those vendor relationships. Contractual arrangements that support “critical or important” functions require a greater level of oversight and enhanced protections, including mandatory contractual provisions.

Once you’ve evaluated and categorized your contracts, Evisort can help you track the status of each relationship going forward. Simply set up a new field to track and report on the DORA risk category for all new and existing contracts. 

‍

Step 3: Incorporate DORA’s mandatory clauses into your clause library

Now that you’ve organized and categorized your contracts, you’ll want to update your contracting playbook to include DORA’s mandatory contract provisions.

Article 30 of DORA lists key contract provisions that must be included in your agreements with ICT providers. Mandatory provisions include, among others:

• Clear and complete descriptions of services to be provided;
• Provisions on availability, authenticity, integrity and confidentiality in relation to data protection; and
• Provisions obligating the ICT provider to provide assistance to your organization for incidents relating to the ICT service.

And recall that contractual arrangements for ICT services that support critical or important functions will require more contractual protections than contracts that only support non-critical, non-important functions.

With Evisort’s Clause Library, you can designate preferred, fallback, and walkaway language for any clause type. Once your preferred language is in the Clause Library, you can easily insert it into new contracts or incorporate it as a redline.

‍

Step 4: Update and amend your contracts

Once you’ve incorporated DORA’s mandatory provisions into your team’s contracting playbook, you’ll need to update and amend your existing contracts to bring them into compliance.

But first, you’ll need to know what’s currently in your vendor agreements.

With Evisort, you can build custom AI models that track any terms of interest in all or a subset of your agreements. For DORA compliance, that means you’ll have the ability to track, among other things:

• Which providers furnish ICT services; 
• Which providers support “critical or important functions”; and
• Which contracts do and don’t already contain specific DORA provisions. 

‍

Equipped with a clear understanding of which contracts might require your attention, you can move forward with amending and updating your contracts to come into compliance with DORA.

For this step, you will need to be able to track which contracts you’ve amended and which contracts need further review. Evisort can help with this as well, organizing contracts in hierarchies so you’ll never have to dig to find out which contracts have (or need) amended DORA contract language.

‍

Conclusion

DORA is a significant step towards maintaining operational resilience in the financial sector in the midst of emerging risks and new technology. 

By understanding and incorporating DORA’s requirements into your organization’s contracts, you can protect your organization against ICT-related disruptions, ensure compliance with DORA, and avoid significant fines and reputational harm. 

And with contract AI tools like Evisort, you can prepare for DORA’s extensive requirements with confidence and efficiency – with full visibility into your organization’s contractual relationships with ICT providers.

Want to learn more about how Evisort can help? Try Evisort on your own contracts to see how you can save time, reduce risk, and streamline your compliance program.

‍
While Evisort research may include references to related legal issues, we do not provide legal advice or services. This blog is intended for informational purposes and should not be construed or used as a comprehensive guide for action. We encourage you to consult with your legal counsel in considering and applying any practices described in this post.