Search
Contact
Symbolbild zu DORA: Wolkenkratzer
05.06.2024 | KPMG Law Insights

Ready for DORA? These contract amendments are necessary

As digitalization progresses, the risk of cyberattacks in the financial sector is also increasing. To protect market participants, the EU passed the Digital Operational Resilience Act (DORA) in December 2022. It is intended to reduce ICT risks (ICT = information and communication technologies). Financial companies and other service providers must have implemented the Regulation on Digital Operational Resilience in the Financial Sector, as DORA is known in German, by January 17, 2025. DORA is intended to strengthen the operational resilience and security of the financial sector and harmonize the regulations for IT systems in the financial sector at EU level. The regulation is intended to create a uniform framework for the effective management of cyber security and ICT risks in the financial sector.

The new rules have been in force since January 16, 2023. As the preparations for financial companies are very time-consuming, the implementation period is correspondingly long.

DORA affects financial companies and third-party ICT providers

Financial companies and third-party service providers of information and communication technologies (ICT third-party service providers) must comply with the Digital Operational Resilience Act. The term “financial undertaking” includes not only traditional financial service providers such as credit institutions, payment service providers or investment firms, but also, for example, data provision services or rating agencies. The term “ICT third-party service provider” includes providers of digital (data) services. These are primarily cloud computing services, software providers, data analysis services and data centers.

Companies should adapt outsourcing contracts

To implement DORA, financial companies should not only take technical measures, but also review their contracts. This is because ICT risks arise not only from the use of in-house technologies, but also from third-party service providers. Chapter V of DORA therefore also contains requirements for outsourcing agreements between financial companies and third-party ICT service providers.

Existing clauses must be adapted

First of all, companies should review and adapt existing clauses in outsourcing contracts with third-party ICT providers. Art. 30 DORA sets out essential contractual provisions for these contracts. In future, these must be included in all agreements on the use of ICT services. Art. 30 para. 3 DORA standardizes further requirements for the contractual provisions for ICT services to support critical or important functions.

The requirements for outsourcing agreements pursuant to sec. Art. 30 DORA largely corresponds to the requirements of AT 9 of MaRisk and those of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. In any case, there could be an increased need for adjustment for contracts relating to “other external IT procurement”. This is because ICT services according to DORA include almost all telecommunications services except analog telephone services.

DORA requires additional contractual provisions

In addition to the adaptation of existing clauses, DORA also requires new contractual provisions. For example, according to Art. 30 para. 2 i) DORA contractual agreements in the future also include conditions for the participation of ICT third-party service providers in ICT security awareness programs or digital operational resilience training.

Additional clauses in outsourcing agreements are also provided for the use of ICT services to support critical or important functions: Contractual agreements pursuant to Art. 30 para. 3 d) DORA should oblige the ICT third-party service provider to participate in certain tests of the financial company.

Further requirements for contracts arise from Art. 26, 28 and 29 DORA. This concerns, for example, participation in bundled tests of ICT systems, termination rights and transitional regulations as well as the handling of subcontracting.

Outsourcing contracts to become more detailed

DORA also requires that outsourcing agreements become more detailed, especially with regard to a possible review. Reporting obligations may have to be adapted here and provisions on the exchange of information or regulations on the bearing of costs in the case of obligations to cooperate on the part of ICT third-party service providers may have to be included.

It remains to be seen how the supervisory authority will position itself on DORA. This could result in the need for further adjustments to outsourcing contracts with third-party ICT service providers. Companies should therefore analyze existing and impending outsourcing agreements now and, if necessary, adapt them to the provisions of DORA in order to avoid taking any risks.

How financial companies should act now

Companies must have adapted their contracts by January 17, 2025, as DORA will apply from that date. Experience has shown that customization takes a lot of time. Financial companies should therefore begin implementation as early as possible. On the one hand, they should review existing contracts with ICT third-party service providers with regard to the requirements of DORA and adapt them if necessary. When concluding new contracts, you should already take the requirements of DORA into account.

The Digital Operational Resilience Act does involve a lot of effort. However, the measures are in the companies’ own interests, as they reduce the risk of cyber attacks.

Explore #more

09.07.2025 | KPMG Law Insights

Restructuring with staff reductions: preparation is key

The downsizing or closure of a part of a company often also necessitates staff reductions. Depending on the number of employees affected, the works council…

08.07.2025 | Deal Notifications

KPMG Law advises Finish Finnfoam Group on the acquisition of the Phonotherm business of insolvent BOSIG Baukunststoffe GmbH

KPMG Law advised Finnfoam Group (Salo/Finland) on the acquisition of the business unit “Phonotherm” from BOSIG Baukunststoffe GmbH via the newly founded Warmotech GmbH as…

07.07.2025 | Deal Notifications

KPMG Law advises HEMRO International AG on the acquisition of Xenia Espresso GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided legal advice to HEMRO Group, a global manufacturer of coffee grinders and grinding technologies headquartered in Zurich, Switzerland,…

04.07.2025 | KPMG Law Insights

BGH clarifies the limits of the definition of customer installations

On July 3, 2025, the BGH published the reasons for its ruling of May 13, 2025 (case no. EnVR 83/20) and provided the eagerly awaited…

02.07.2025 | In the media

Guest article by Moritz Püstow on the special fund for infrastructure

The German government wants to invest 500 billion euros in infrastructure and climate neutrality. This creates new business opportunities for the construction industry – but…

01.07.2025 | Deal Notifications

KPMG Law advised Bosch on the multinational carve-out of the entire product business of Bosch Building Technologies to investor Triton

KPMG Law advises Robert Bosch on the carve-out of the building technologies division’s product business for security and communications technology (Bosch Building Technologies) in more…

27.06.2025 | KPMG Law Insights

Hospital restructuring: three steps out of the crisis

Many clinics see their existence threatened in the short or medium term. Other healthcare facilities are also experiencing economic difficulties. Inadequate remuneration structures, staff shortages,…

27.06.2025 | In the media

KPMG Law nominated at the PMN Awards

We are delighted to have been nominated directly in two categories at the PMN Awards 2025. Our “Extended Workbench” project was nominated in the…

25.06.2025 | KPMG Law Insights

Business Travel and Assignment in the USA: What you need to know about US immigration

The recent changes in US immigration rules are causing uncertainty worldwide. In particular, since the new US government took office, processes regarding entry into the…

11.06.2025 | KPMG Law Insights

Omnibus IV brings some simplifications, especially in product law

The EU Commission proposed the fourth omnibus package on May 21, 2025. Omnibus IV contains simplifications in relation to numerous product law requirements and…

Contact

Dr. Matthias Magnus Henke

Partner

Tersteegenstraße 19-23
40474 Düsseldorf

Tel.: +49 211 4155597362
mhenke@kpmg-law.com

Dr. Frank Püttgen

Partner

Luise-Straus-Ernst-Straße 2
50679 Köln

Tel.: +49 221 2716891414
fpuettgen@kpmg-law.com

Dr. Christopher Peinemann, LL.M.

Senior Manager

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49 69 951195-875
cpeinemann@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll