Navigating the DORA contract compliance challenge

Reviewing and updating IT-related supplier contracts to match the numerous requirements formulated by DORA poses a tough challenge to financial entities, especially given the 17 January 2025 deadline. An efficient, systematic and digitally enabled review process is key to ensuring a DORA-compliant contract landscape.

UPDATE: January 2025

DORA came into effect on January 17, 2025, and applies to the affected financial entities. The German Bundestag addressed specific national circumstances and open questions regarding DORA's scope through the Finanzmarktdigitalisierungsgesetz (FinmadiG), adopted on December 18, 2024. In Germany, DORA now applies from January 17, 2025, also encompassing the development banks of the federal states and KfW. For other institutions under the German Banking Act (KWG) that are not credit institutions under CRR (for instance, leasing and factoring institutions), most of DORA's requirements will only apply from January 1, 2027. However, an exemption applies to the reporting obligations under DORA, which are already applicable to these institutions.

Simultaneously with DORA's implementation, the Federal Financial Supervisory Authority (BaFin) has repealed national regulatory IT requirements. This is fully the case for the requirements of KAIT, VAIT, and ZAIT since January 17, 2025. The BAIT has been repealed insofar as it affects companies that must operate ICT risk management according to DORA. For all other companies previously subject to BAIT, the BAIT requirements remain in force until those institutions fully transition to DORA from January 1, 2027.

It is strongly recommended that the affected institutions prioritize the implementation of DORA if they have not already done so. Should implementation projects based on BAIT, KAIT, VAIT, or ZAIT currently exist within the affected institutions, these should be transferred (potentially in coordination with BaFin) to DORA implementation projects.

UPDATE: July 2024

On 8 July 2024, BaFin published for the first time a Supervisory Notice with implementation guidance on DORA as a (non-binding) guideline for affected financial institutions.

With regard to the contractual implementation of DORA, the following points are of central importance:

  • With the implementation of DORA, BaFin intends to repeal the regulatory requirements for IT (BAIT/VAIT/KAIT/ZAIT). In future, only DORA will apply to ICT services, hence the specific requirements may differ from the previous IT requirements.
  • BaFin's implementation guidance provides a (non-exhaustive) overview of the key contractual provisions that must be agreed on with ICT Third-Party Service Providers in order to comply with DORA (BaFin - Aktuelles - Mindestvertragsinhalte DORA). In principle, these shall also apply to capital management companies (Kapitalverwaltungsgesellschaften) as well as payment and e-money institutions (Zahlungs- und E-Geld-Institute).
  • BaFin expects a re-drafting or re-negotiation of the legal documentation with ICT Third-Party Service Providers and notes the implementation deadline of 17 January 2025 (without further transition periods). In addition, a documented implementation schedule is expected. Waiting for the standard contractual clauses, which have not yet been published, is not sufficient.

As a result, BaFin has now also explicitly stated that the financial institutions concerned must begin the contractual implementation of DORA immediately.

Understanding the EU’s Response to Cybersecurity Threats

On 27 December 2022, the European Parliament and the Council introduced Regulation (EU) 2022/2554, commonly known as the Digital Operational Resilience Act, or DORA. Its primary objective is to enhance the IT security of financial entities such as banks, insurance companies, and investment firms. Contract compliance, as part of ‘ICT Third-Party Risk Management’, is one of the five pillars of DORA.

The Five Pillars of DORA

DORA harmonizes and consolidates key elements of existing digital resilience frameworks and standards within the EU, while also introducing new requirements. It focuses on five main areas: information and communication technology (ICT) risk management, handling of ICT-related incidents, testing of digital operational resilience, ICT third-party risk management and exchange of information.

  • ICT risk management: Financial entities must assess and manage risks related to their information and ICT systems.
  • Handling of ICT-related incidents: Financial entities must promptly notify competent authorities when significant disruptions occur.
  • Digital operational resilience testing: Regular testing ensures the resilience of digital systems; DORA encourages both basic and advanced testing to assess preparedness for operational disruptions.
  • ICT third-party risk management: DORA extends its reach to third-party service providers, prompting financial entities to review, and where needed amend, their contractual relationships with ICT service providers.
  • Exchange of information: Collaboration and information exchange enhance overall resilience.

ICT Third-Party Risk Management: The Contracting Challenge

Under the pillar ‘ICT Third-Party Risk Management’, financial entities inter alia bear the responsibility of ensuring that their contractual arrangements with ICT third-party service providers align with the requirements set out in DORA. A key provision governing these requirements is Art. 30 DORA.

Further requirements are stipulated across DORA and the accompanying Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Ultimately, financial entities need to identify, collect, review and potentially amend all relevant agreements. The deadline for completing these actions is 17 January 2025.

  1. The first task is to identify and collect all relevant ICT contracts for review. Given the scale of their operations, financial institutions manage a substantial volume of ICT-related contracts, frequently more than a thousand per institution.
  2. The second step, a detailed legal review of each contract against the DORA requirements, starts by categorizing each agreement into either critical or non-critical, followed by an in-depth legal assessment of whether it fulfills the corresponding specific requirements under DORA.
  3. Finally, all ICT contracts that need to be updated must be amended – which is only possible with the consent of the respective counterparty and may lead to contract negotiations, especially if the counterparty is not familiar with DORA.

The DORA contracting challenge is daunting in its sheer volume and due to the effort required to review and re-negotiate complex contracts within a short time.

Deloitte Legal’s tech-enabled approach

Our three-step approach will help your organization master the various challenges of DORA contract compliance.

During a Preparation Phase our focus is on identifying the in-scope contracts, defining the desired target state and establishing some legal cornerstones, such as the criteria for deciding whether a contract is critical or non-critical. We will also run an initial assessment of your contract landscape.

In the following Gap Analysis we will perform a technology-enabled legal review of your relevant contracts to assess their degree of DORA-compliance, or discuss other approaches such as the blanket amendment of all in-scope agreements via standardized or individualized DORA annexes. Optionally, our legal analysis can be extended to cover other important topics such as GDPR compliance.

The goal of the Implementation phase is to update all relevant agreements so that they comply with the DORA requirements. Our team of lawyers and legal engineers can support you with the full scope of such amendments, including the mass-production of standardized or individualized DORA annexes, answering questions from the contractual counterparties, negotiating the desired contractual amendments, coordinating signatures and feeding the signed versions back into your contract repository. We will draw up a negotiation and Q&A playbook with you to provide full transparency on how we communicate with your counterparties on your behalf, and to give you full control over when and how we will escalate topics into your organization.

Our team is empowered by cutting-edge technology in each phase of the project.
