The EU’s Digital Operational Resilience Act (DORA)
January 17, 2025, is the deadline for entities in the financial sector to comply with the EU's Digital Operational Resilience Act (DORA). The regulation requires financial entities across member states to unify and standardize their information and communication technology (ICT) risk management, especially for ICT services that support critical or important functions.
This broad-reaching regulation covers the classification of internal ICT, risk management policies, incident reporting, third-party risk management, digital operational resilience testing and more. DORA also imposes specific additional requirements, such as key contractual provisions that must be included in agreements with ICT third-party service providers, and stricter IT security requirements.
Since the publication of DORA, many enterprises have struggled with the specific key contractual provisions stipulated in DORA Article 30.
Achieving DORA Compliance in Your Third-Party Contracts
Here are the top four ways to achieve DORA compliance for contractual arrangements with ICT third-party providers:
1. Spend the time needed to adequately prepare sourcing contracts.
According to DORA, financial entities must determine which of the ICT services they receive from third-party service providers support critical or important functions. Although this information only has to be reported as part of the official Register of Information by January 2025, financial entities must make the determination much earlier, because it drives which contracts need the full set of DORA provisions. DORA defines only the terms "ICT services" and "critical or important functions"; it does not prescribe a process or detailed guidance for making the determination. It is therefore easy for enterprises to underestimate the time and effort the classification exercise takes, which can delay the start of the contract assessment by weeks or months. ISG uses customized questionnaires and process templates to help clients classify their services and functions and accelerate the compliance process.
2. Assess current contractual arrangements for DORA compliance.
At a high level, the process to achieve DORA compliance can be described in two steps: 1) assess current DORA compliance and identify gaps, and 2) resolve the gaps. Especially for larger financial entities, assessing potentially hundreds of contractual arrangements can be a challenging task. An assessment requires that all contractual arrangement documents, including amendments and annexes, are kept in an organized filing system. The use of standard processes and tools, such as compliance checklists and workflows, can help financial entities significantly reduce assessment effort. ISG uses a standardized toolset to assess DORA compliance for outsourcing contracts; the toolset can easily be extended to include additional national or entity-specific requirements based on the financial entity's policies.
3. Aim for standard solutions instead of individual approaches.
Enterprises using a standardized contract framework will minimize the effort required to create and maintain contract documents. Even where such a fully fledged framework does not exist, some organizations have developed standard attachments for specific topics, such as cybersecurity, data privacy, IT service management or governance. This makes contract adjustments easier and faster and improves the enterprise's ability to monitor compliance with contractual stipulations. Be sure to create a compliant, standardized template for subcontracting terms and obligations that reflects the DORA requirements on subcontracting. Similar standard templates can also be used for other topics, such as information security or sustainability requirements.
4. Do not reinvent the wheel.
DORA includes many requirements that are already part of existing EU or national legislation. For example, the definition of "critical or important functions" is almost identical to the definition in the EBA Guidelines on outsourcing arrangements. To avoid wasting time and effort on reinventing the same processes, financial entities should thoroughly analyze and align their approach for DORA with their existing implementations for other legislation. Using existing processes and templates as starting points can also reduce future effort, because national financial authorities, such as the Federal Financial Supervisory Authority (BaFin) in Germany, have already expressed their intent to align existing legislation and guidelines with DORA.
Leveraging DORA Compliance Projects for Long-term Benefits
When investing significant time and effort into becoming compliant with DORA contract requirements, financial entities should consider how to generate additional value from that effort. After all, digital operational resilience, not the paperwork, is the intended objective.
Financial entities should evaluate the following options:
- Review the sourcing strategy
- Standardize sourcing processes and procedures
- Optimize service management processes
- Refine the target operating model
- Implement a third-party risk management framework and methodology
With the DORA compliance deadline approaching, it's crucial to act swiftly and methodically. Prioritize your ICT contracts, develop comprehensive governance frameworks and ensure clear communication across your organization.
For more detailed guidance on DORA compliance, read our recent white paper How to Ensure DORA Compliance in Your Third-Party Contracts and get in touch with us!