Search
Contact
Symbolbild zu DORA: Wolkenkratzer
05.06.2024 | KPMG Law Insights

Ready for DORA? These contract amendments are necessary

As digitalization progresses, the risk of cyberattacks in the financial sector is also increasing. To protect market participants, the EU passed the Digital Operational Resilience Act (DORA) in December 2022. It is intended to reduce ICT risks (ICT = information and communication technologies). Financial companies and other service providers must have implemented the Regulation on Digital Operational Resilience in the Financial Sector, as DORA is known in German, by January 17, 2025. DORA is intended to strengthen the operational resilience and security of the financial sector and harmonize the regulations for IT systems in the financial sector at EU level. The regulation is intended to create a uniform framework for the effective management of cyber security and ICT risks in the financial sector.

The new rules have been in force since January 16, 2023. As the preparations for financial companies are very time-consuming, the implementation period is correspondingly long.

DORA affects financial companies and third-party ICT providers

Financial companies and third-party service providers of information and communication technologies (ICT third-party service providers) must comply with the Digital Operational Resilience Act. The term “financial undertaking” includes not only traditional financial service providers such as credit institutions, payment service providers or investment firms, but also, for example, data provision services or rating agencies. The term “ICT third-party service provider” includes providers of digital (data) services. These are primarily cloud computing services, software providers, data analysis services and data centers.

Companies should adapt outsourcing contracts

To implement DORA, financial companies should not only take technical measures, but also review their contracts. This is because ICT risks arise not only from the use of in-house technologies, but also from third-party service providers. Chapter V of DORA therefore also contains requirements for outsourcing agreements between financial companies and third-party ICT service providers.

Existing clauses must be adapted

First of all, companies should review and adapt existing clauses in outsourcing contracts with third-party ICT providers. Art. 30 DORA sets out essential contractual provisions for these contracts. In future, these must be included in all agreements on the use of ICT services. Art. 30 para. 3 DORA standardizes further requirements for the contractual provisions for ICT services to support critical or important functions.

The requirements for outsourcing agreements pursuant to sec. Art. 30 DORA largely corresponds to the requirements of AT 9 of MaRisk and those of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. In any case, there could be an increased need for adjustment for contracts relating to “other external IT procurement”. This is because ICT services according to DORA include almost all telecommunications services except analog telephone services.

DORA requires additional contractual provisions

In addition to the adaptation of existing clauses, DORA also requires new contractual provisions. For example, according to Art. 30 para. 2 i) DORA contractual agreements in the future also include conditions for the participation of ICT third-party service providers in ICT security awareness programs or digital operational resilience training.

Additional clauses in outsourcing agreements are also provided for the use of ICT services to support critical or important functions: Contractual agreements pursuant to Art. 30 para. 3 d) DORA should oblige the ICT third-party service provider to participate in certain tests of the financial company.

Further requirements for contracts arise from Art. 26, 28 and 29 DORA. This concerns, for example, participation in bundled tests of ICT systems, termination rights and transitional regulations as well as the handling of subcontracting.

Outsourcing contracts to become more detailed

DORA also requires that outsourcing agreements become more detailed, especially with regard to a possible review. Reporting obligations may have to be adapted here and provisions on the exchange of information or regulations on the bearing of costs in the case of obligations to cooperate on the part of ICT third-party service providers may have to be included.

It remains to be seen how the supervisory authority will position itself on DORA. This could result in the need for further adjustments to outsourcing contracts with third-party ICT service providers. Companies should therefore analyze existing and impending outsourcing agreements now and, if necessary, adapt them to the provisions of DORA in order to avoid taking any risks.

How financial companies should act now

Companies must have adapted their contracts by January 17, 2025, as DORA will apply from that date. Experience has shown that customization takes a lot of time. Financial companies should therefore begin implementation as early as possible. On the one hand, they should review existing contracts with ICT third-party service providers with regard to the requirements of DORA and adapt them if necessary. When concluding new contracts, you should already take the requirements of DORA into account.

The Digital Operational Resilience Act does involve a lot of effort. However, the measures are in the companies’ own interests, as they reduce the risk of cyber attacks.

Explore #more

27.05.2025 | KPMG Law Insights

Cell Phone Inspections at US Border and Beyond: What to Expect

Key facts: U.S. immigration officials monitor public social media data and travelers should be prepared to share details about their personal social media accounts. All…

23.05.2025 | KPMG Law Insights

Business Travel and Assignment in the USA: What you need to know about US immigration

The recent changes in US immigration rules are causing uncertainty worldwide. In particular, since the new US government took office, processes regarding entry into the…

14.05.2025 | KPMG Law Insights

BGH on customer installations: Decision orders application in line with the directive

In a ruling dated May 13, 2025, the BGH classified the supply infrastructure in the specific case of a residential complex in Zwickau as a…

13.05.2025 | In the media

KPMG Law expert in Spiegel article on energy policy

Dirk-Henning Meier, Senior Manager in the energy law department at KPMG Law, is quoted in a recent article on energy policy in Der Spiegel.…

13.05.2025 | Career, In the media

azur Karriere Magazin – All AI or what?

Artificial intelligence has long since arrived in law firms and legal departments. But dealing with it is a skill that needs to be learned. Many…

13.05.2025 | KPMG Law Insights

Initial experience with the Single-Use Plastics Fund Act: what manufacturers should bear in mind

Beverage cups, foil and plastic cigarette filters litter streets, parks and sidewalks. The cleaning costs are borne by the local authorities. The Disposable Plastics Fund…

07.05.2025 | KPMG Law Insights

Termination of fixed-term rental agreements in the case of pre-leasing

In the case of a pre-leasing, the tenancy only begins at a later date, usually the handover date. In such cases, the contracting parties usually…

06.05.2025 | In the media

Wirtschaftswoche honors KPMG Law

KPMG Law was named “TOP Law Firm 2025” in the field of M&A by WirtschaftsWoche. Ian Maywald, Partner at KPMG Law in Munich, was…

06.05.2025 | KPMG Law Insights

Social insurance obligation for teachers – transitional rule creates clarity

Teachers and lecturers are often hired on a self-employed basis. This practice makes the German pension insurance fund sit up and take notice. It is…

02.05.2025 | In the media

KPMG Law Statement in FINANCE Magazine: How CFOs can save up to 80 percent in the legal department

The cost pressure in companies is increasing – also in legal departments. Two strategies have now become established to save 50 to 80 percent of…

Contact

Dr. Matthias Magnus Henke

Partner

Tersteegenstraße 19-23
40474 Düsseldorf

Tel.: +49 211 4155597362
mhenke@kpmg-law.com

Dr. Frank Püttgen

Partner

Luise-Straus-Ernst-Straße 2
50679 Köln

Tel.: +49 221 2716891414
fpuettgen@kpmg-law.com

Dr. Christopher Peinemann, LL.M.

Senior Manager

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49 69 951195-875
cpeinemann@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll