DORA: Implications for Contract Management

How the Digital Operational Resilience Act impacts ICT contracts and what solutions facilitate compliance.

12/5/2025

Digital Operational Resilience Act
What is DORA?

DORA is the EU Digital Operational Resilience Act, adopted in response to the growing risk of cyber attacks on financial systems. It applies to banks, insurance companies, investment firms, payment institutions, and others in the European financial sector. Among other implications, it has significantly raised the bar for how financial institutions draft, negotiate, monitor, and govern contracts with ICT service providers.

Mandatory Contractual Clauses

Under DORA, certain clauses are no longer optional. Contracts with ICT service providers must include:

  • A clear and complete description of all functions and services provided

  • The locations of function and service provision as well as data processing and storage

  • Provisions on data protection

  • Provisions on data access, recovery, and return

  • Service level agreements (SLAs)

  • Incident response obligations

  • Cooperation obligations

  • Termination rights

  • The conditions for participation in digital operational resilience training

If the ICT services support critical or important functions, the contract must also include:

  • Subcontracting conditions

  • Full SLAs with precise quantitative and qualitative performance targets

  • Notification and reporting obligations

  • Service security obligations

  • Test support obligations

  • Unrestricted access, inspection, and audit rights

  • Exit strategies ensuring service continuity

Implications for legal and contract management teams

To ensure compliance, legal counsel and contract managers must:

  1. Revise templates to include mandatory DORA clauses

  2. Conduct a gap analysis of all existing ICT contracts

  3. Renegotiate legacy contracts, especially with major cloud vendors

  4. Establish a central register of all ICT contracts

  5. Enhance monitoring and reporting mechanisms

  6. Train and align with other internal teams (risk management, IT procurement)

Solutions and tools

At Albaplena, we support financial companies and institutions in:

  • Assessing their DORA compliance status with AI-powered tools for bulk analysis of existing contracts

  • Enhancing their contracts and templates as prescribed by the Act

  • Designing and implementing contract processes and systems (CLM) to ensure compliant contract archiving (repository), monitoring, reporting, and performance

  • Training legal, contract management, and procurement teams on DORA contract requirements

To find out more about how we can support you, do not hesitate to contact us.