DORA Compliance: A Deep Dive Into Contracting Readiness
- 15 min read
- Agnishekhar Chakraborty
What is DORA Compliance?
The European Commission’s Digital Operational Resilience Act, or DORA, is a direct response to the growing digital influence and subsequent vulnerability in the finance sector. It is, in fact, the first piece of legislation that specifically addresses the digital threat to operational resilience in finance enterprises.
Understanding DORA Compliance
The primary objective of DORA is to proactively strengthen the financial sector’s resilience to ICT-related incidents. It prescribes a holistic set of rules and requirements for financial service providers, focusing on five key pillars:
- Operational resilience and ICT risk management
- ICT-related incident reporting
- Digital operational resilience testing
- ICT third-party risk
- Information sharing
Who Does DORA Apply to?
Besides financial institutions under the jurisdiction of the European Union, critical third-party ICT providers that deliver ICT-related services to financial institutions, such as cloud platforms, data analytics, and audit services, are also subject to this new regulation.
For financial institutions, this means establishing a comprehensive risk management framework across their ICT suppliers and subcontractors that covers:
- Identification
- Evaluation
- Mitigation
- Monitoring
Contracts: Ensuring a DORA Compliant Supply Chain
For financial services organizations in the EU, there are already several regulatory precedents that satisfy some of the contractual requirements under DORA. These include the European Banking Authority’s (EBA) outsourcing guidelines and the NIS2 Directive (the EU-wide directive that provides legal measures to boost the overall level of cybersecurity) that came into effect in 2023.
Firms that have initiated or completed their contract remediation efforts to comply with these regimes have already made some headway towards complying with the contractual requirements under DORA, but the job is far from done.
This is especially true for:
- Contracts that are of a non-outsourcing nature: Unlike EBA, which only covers outsourcing contracts (i.e., spanning services that a financial entity would normally undertake itself), DORA includes the broader definition of ICT services, which includes digital and data services provided through ICT systems on an ongoing basis.
- Certain specific requirements that are unique to DORA: For instance, when an ICT incident occurs, service providers are required to deliver the necessary recovery support “at no additional cost or at a cost that is determined ex-ante”.
Getting your contracts ready for DORA
Given that financial institutions depend heavily on third-party providers for their ICT-enabled digital operations, their procurement and vendor management teams are centrally positioned to address their enterprise DORA requirements through carefully crafted contracts and reviews.
Much like its precedents, DORA does not provide the exact clause language that organizations can simply copy into their contracts. Instead, it defines the key elements that the contracts must cover.
Here’s a checklist to ensure DORA-compliant ICT contracts:
- Aspects that would normally be covered in a well-crafted ICT contract:
a. Clear and complete description of the services and the location from which they are provided.
b. Service level descriptions.
c. Detailed data protection provisions.
d. Appropriate termination rights and minimum notice periods.
e. Provisions requiring full cooperation with authorities.
- Aspects that are not usually included in a standard ICT supplier contract/template:
a. When an ICT incident occurs, the ICT service provider (supplier) must assist the financial entity, either free of cost or at a cost that was mutually agreed to in advance (ex ante).*
*Note: It does not define when in advance, leaving room for interpretation and a certain degree of elasticity of the term.
b. The supplier must participate in the firm’s ICT security awareness programs and digital operational resilience training.
c. For critical and important functions, i.e., functions whose disruption would materially impair the financial entity, the supplier must fully participate in and support threat-led penetration testing (TLPT), the implementation of contingency plans, and the establishment of adequate measures to ensure an appropriate level of security.
i. For subcontracting relevant to ICT-enabled critical and important functions, suppliers must ensure assessment of risks that may impact the provision of ICT services.
d. A comprehensive exit plan, which is to be tested and reviewed periodically, must be defined to ensure no disruption to business activities and continuity of services provided to the financial entity.
Using Sirion’s AI-native CLM to Ensure DORA Compliance
Unlike GDPR, DORA does not specify the penalties associated with non-compliance, leaving it up to the Member States to define them as they see fit. However, given that the objective of DORA is to create a sound and resilient digital operational environment, non-compliance could lead to severe business disruption and irreparable financial implications far greater than any penalty set forth by competent authorities.
This makes it imperative for financial entities to take the necessary steps to protect themselves from the risks of non-compliance. And contracts are the best place to start. Here’s how Sirion’s AI-native CLM platform can help you achieve this:
- Set up your AI playbook for DORA compliance: Quickly set up your own playbook for DORA compliance by defining the risks and requirements specific to DORA in plain language.
- Identify and classify your ICT services vendors: Simply ask Sirion’s AI to identify your ICT services contracts, i.e., your DORA-applicable contracts, and classify them based on:
- Contracts for ICT services to support critical and important functions.
- All other ICT contracts.
- Gap analysis on legacy contracts: Use Sirion’s Single Extraction Agent (SEA™) to extract all DORA-relevant clauses and fields from across all the ICT-related documents stored in your contract repository and simultaneously identify compliance gaps.
- Review your new DORA-applicable contracts: Review all your incoming ICT contracts drafted on third-party paper with Sirion AI Review to surface missing, non-compliant, and partially compliant clauses as well as risks related to DORA compliance based on your enterprise AI playbook.
- Initiate amendment(s): Make amendments within the existing contract draft or generate a separate amendment draft with the necessary clauses and provisions for DORA.
- Track compliance of your DORA-applicable contracts: Once your contracts have been amended for DORA, send them out for signature to your counterparties, track their progress in the signature stage, and monitor their compliance as well as related obligations and service levels throughout their lifecycle via Sirion’s customizable dashboard.
- DORA ICT incident management & tracking: Get insight into actions and incidents registered against an ICT service provider and leverage smart workflows for action/incident resolution tracking.
It’s Necessary but Not Necessarily Difficult
Yes, obtaining DORA compliance on all your ICT contracts is necessary. Yes, it can be tricky to sift through multiple contracts, across numerous ICT vendors of varying categories, to identify and remediate non-compliance. But with Sirion’s AI-native CLM platform, it doesn’t have to be.
See how Sirion’s AI contract analysis can help you manage your contract portfolio, reduce manual efforts, and ensure compliance across your entire organization. Contact us to schedule a demo and get a head start in building digitally resilient financial operations today.