Search
Contact
Symbolbild zu DORA: Wolkenkratzer
05.06.2024 | KPMG Law Insights

Ready for DORA? These contract amendments are necessary

As digitalization progresses, the risk of cyberattacks in the financial sector is also increasing. To protect market participants, the EU passed the Digital Operational Resilience Act (DORA) in December 2022. It is intended to reduce ICT risks (ICT = information and communication technologies). Financial companies and other service providers must have implemented the Regulation on Digital Operational Resilience in the Financial Sector, as DORA is known in German, by January 17, 2025. DORA is intended to strengthen the operational resilience and security of the financial sector and harmonize the regulations for IT systems in the financial sector at EU level. The regulation is intended to create a uniform framework for the effective management of cyber security and ICT risks in the financial sector.

The new rules have been in force since January 16, 2023. As the preparations for financial companies are very time-consuming, the implementation period is correspondingly long.

DORA affects financial companies and third-party ICT providers

Financial companies and third-party service providers of information and communication technologies (ICT third-party service providers) must comply with the Digital Operational Resilience Act. The term “financial undertaking” includes not only traditional financial service providers such as credit institutions, payment service providers or investment firms, but also, for example, data provision services or rating agencies. The term “ICT third-party service provider” includes providers of digital (data) services. These are primarily cloud computing services, software providers, data analysis services and data centers.

Companies should adapt outsourcing contracts

To implement DORA, financial companies should not only take technical measures, but also review their contracts. This is because ICT risks arise not only from the use of in-house technologies, but also from third-party service providers. Chapter V of DORA therefore also contains requirements for outsourcing agreements between financial companies and third-party ICT service providers.

Existing clauses must be adapted

First of all, companies should review and adapt existing clauses in outsourcing contracts with third-party ICT providers. Art. 30 DORA sets out essential contractual provisions for these contracts. In future, these must be included in all agreements on the use of ICT services. Art. 30 para. 3 DORA standardizes further requirements for the contractual provisions for ICT services to support critical or important functions.

The requirements for outsourcing agreements pursuant to sec. Art. 30 DORA largely corresponds to the requirements of AT 9 of MaRisk and those of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. In any case, there could be an increased need for adjustment for contracts relating to “other external IT procurement”. This is because ICT services according to DORA include almost all telecommunications services except analog telephone services.

DORA requires additional contractual provisions

In addition to the adaptation of existing clauses, DORA also requires new contractual provisions. For example, according to Art. 30 para. 2 i) DORA contractual agreements in the future also include conditions for the participation of ICT third-party service providers in ICT security awareness programs or digital operational resilience training.

Additional clauses in outsourcing agreements are also provided for the use of ICT services to support critical or important functions: Contractual agreements pursuant to Art. 30 para. 3 d) DORA should oblige the ICT third-party service provider to participate in certain tests of the financial company.

Further requirements for contracts arise from Art. 26, 28 and 29 DORA. This concerns, for example, participation in bundled tests of ICT systems, termination rights and transitional regulations as well as the handling of subcontracting.

Outsourcing contracts to become more detailed

DORA also requires that outsourcing agreements become more detailed, especially with regard to a possible review. Reporting obligations may have to be adapted here and provisions on the exchange of information or regulations on the bearing of costs in the case of obligations to cooperate on the part of ICT third-party service providers may have to be included.

It remains to be seen how the supervisory authority will position itself on DORA. This could result in the need for further adjustments to outsourcing contracts with third-party ICT service providers. Companies should therefore analyze existing and impending outsourcing agreements now and, if necessary, adapt them to the provisions of DORA in order to avoid taking any risks.

How financial companies should act now

Companies must have adapted their contracts by January 17, 2025, as DORA will apply from that date. Experience has shown that customization takes a lot of time. Financial companies should therefore begin implementation as early as possible. On the one hand, they should review existing contracts with ICT third-party service providers with regard to the requirements of DORA and adapt them if necessary. When concluding new contracts, you should already take the requirements of DORA into account.

The Digital Operational Resilience Act does involve a lot of effort. However, the measures are in the companies’ own interests, as they reduce the risk of cyber attacks.

Explore #more

04.09.2025 | In the media

Guest article in Unternehmensjurist: Strategically transforming legal departments: A market overview

What are in-house teams at large companies concerned about when it comes to digital transformation? Which topics will be decisive in the coming years? The…

04.09.2025 | In the media

Guest article in the Unternehmensjurist: Successful change management in the HR department

The HR department plays a crucial role in the digital transformation. It is not only affected by change, but also shapes it. Between transformation, co-determination…

03.09.2025 | In the media

Guest article in the insurance industry: Embedded Insurance – More than just a new sales channel

The insurance industry is facing a paradigm shift. Traditional sales models are increasingly being supplemented by innovative approaches aimed at facilitating access to insurance policies…

03.09.2025 | KPMG Law Insights

Supply Chain Act: reporting obligation no longer applies, sanctions reduced

In the coalition agreement, the coalition partners agreed to abolish the Supply Chain Due Diligence Act (LkSG) as part of the implementation of the…

29.08.2025 | In the media

Statement by Ulrich Keunecke on the special infrastructure fund in Politico

KPMG Law financial expert Ulrich Keunecke explains how the infrastructure special fund can be leveraged with capital from private investors. You can find the article…

25.08.2025 | Deal Notifications

KPMG Law is advising APELOS on the refinancing and acquisition of a practice group with around 50 practice locations.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised APELOS Therapie GmbH, a leading therapy practice group in Germany, on the refinancing…

15.08.2025 | In the media

KPMG Law Statement in Die-Stiftung.de on the topic of foundation registers – The long road to digital order

The entry into force of the foundation law reform on July 1, 2023 marks a turning point in the German foundation system. The list of…

14.08.2025 | KPMG Law Insights

Electromobility in logistics – legal challenges

In order to reduce its CO2 emissions, the logistics industry is increasingly turning to electromobility. This is not only due to ESG regulations such as…

07.08.2025 | KPMG Law Insights

NIS2: How energy suppliers must protect themselves against cyber attacks

In July 2025, the Military Counterintelligence Service reported a significant increase in spying attempts and disruptive measures by the Russian secret service, according to media…

06.08.2025 | KPMG Law Insights

Tax havens: When business relationships trigger criminal proceedings

A German tech company had been paying license fees to a contractual partner in Panama for years without ever having any problems. However, few people

Contact

Dr. Matthias Magnus Henke

Partner

Tersteegenstraße 19-23
40474 Düsseldorf

Tel.: +49 211 4155597362
mhenke@kpmg-law.com

Dr. Frank Püttgen

Partner

Luise-Straus-Ernst-Straße 2
50679 Köln

Tel.: +49 221 2716891414
fpuettgen@kpmg-law.com

Dr. Christopher Peinemann, LL.M.

Senior Manager

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49 69 951195-875
cpeinemann@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll