05.06.2024 | KPMG Law Insights

Ready for DORA? These contract amendments are necessary

As digitalization progresses, the risk of cyberattacks in the financial sector is also increasing. To protect market participants, the EU adopted the Digital Operational Resilience Act (DORA) in December 2022. It is intended to reduce ICT risks (ICT = information and communication technologies). Financial entities and the service providers concerned must have implemented the Regulation on Digital Operational Resilience for the Financial Sector, as DORA is formally titled, by January 17, 2025. DORA is designed to strengthen the operational resilience and security of the financial sector and to harmonize the rules for IT systems in the financial sector at EU level, creating a uniform framework for the effective management of cyber security and ICT risks.

The new rules have been in force since January 16, 2023. Because preparation is very time-consuming for financial entities, the implementation period is correspondingly long.

DORA affects financial companies and third-party ICT providers

Financial entities and third-party providers of information and communication technology (ICT third-party service providers) must comply with the Digital Operational Resilience Act. The term "financial entity" covers not only traditional financial service providers such as credit institutions, payment service providers and investment firms, but also, for example, data reporting service providers and credit rating agencies. The term "ICT third-party service provider" covers providers of digital and data services, primarily cloud computing services, software providers, data analytics services and data centers.

Companies should adapt outsourcing contracts

To implement DORA, financial entities should not only take technical measures but also review their contracts, because ICT risk arises not only from in-house technology but also from third-party service providers. Chapter V of DORA therefore also contains requirements for the contractual arrangements between financial entities and ICT third-party service providers.

Existing clauses must be adapted

First, companies should review and adapt the existing clauses in their outsourcing contracts with ICT third-party providers. Art. 30 DORA sets out key contractual provisions for these contracts; in future, they must be included in every agreement on the use of ICT services. Art. 30 para. 3 DORA sets out additional requirements for contracts on ICT services that support critical or important functions.

The requirements for outsourcing agreements under Art. 30 DORA largely correspond to those of AT 9 of MaRisk and of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. Contracts for "other external IT procurement", however, may need more extensive adjustment, because ICT services under DORA cover almost all telecommunications services except traditional analog telephone services.

DORA requires additional contractual provisions

In addition to adapting existing clauses, DORA also requires new contractual provisions. For example, under Art. 30 para. 2 (i) DORA, contractual arrangements must in future also set out the conditions for the participation of ICT third-party service providers in the financial entity's ICT security awareness programs or digital operational resilience training.

Additional clauses are also prescribed for contracts on ICT services that support critical or important functions: under Art. 30 para. 3 (d) DORA, the contract must oblige the ICT third-party service provider to participate in the financial entity's threat-led penetration testing (TLPT).

Further contractual requirements arise from Art. 26, 28 and 29 DORA. These concern, for example, participation in pooled testing of ICT systems, termination rights and exit and transition arrangements, and the handling of subcontracting.

Outsourcing contracts to become more detailed

DORA also requires outsourcing agreements to become more detailed, especially with regard to audits and inspections. Reporting obligations may have to be adapted, and provisions on the exchange of information or on who bears the costs when the ICT third-party service provider is obliged to cooperate may have to be added.

It remains to be seen how the supervisory authorities will position themselves on DORA; this could result in further adjustments to outsourcing contracts with ICT third-party service providers. Companies should therefore analyze existing and upcoming outsourcing agreements now and, where necessary, bring them into line with DORA to avoid compliance risk.

How financial companies should act now

Companies must have adapted their contracts by January 17, 2025, the date from which DORA applies. Experience shows that renegotiating contracts takes a great deal of time, so financial entities should start as early as possible. They should review existing contracts with ICT third-party service providers against the requirements of DORA and adapt them where necessary, and they should take those requirements into account from the outset when concluding new contracts.

The Digital Operational Resilience Act does involve considerable effort. However, the measures are in the companies' own interest, as they reduce their exposure to cyber attacks.


Contact

Dr. Matthias Magnus Henke

Partner

Tersteegenstraße 19-23
40474 Düsseldorf

Tel.: +49 211 4155597362
mhenke@kpmg-law.com

Dr. Frank Püttgen

Partner

Luise-Straus-Ernst-Straße 2
50679 Köln

Tel.: +49 221 2716891414
fpuettgen@kpmg-law.com

Dr. Christopher Peinemann, LL.M.

Senior Manager

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49 69 951195-875
cpeinemann@kpmg-law.com
