Symbolbild zu DORA: Wolkenkratzer
05.06.2024 | KPMG Law Insights

Ready for DORA? These contract amendments are necessary

As digitalization progresses, the risk of cyberattacks in the financial sector is also increasing. To protect market participants, the EU passed the Digital Operational Resilience Act (DORA) in December 2022. It is intended to reduce ICT risks (ICT = information and communication technologies). Financial companies and other service providers must have implemented the Regulation on Digital Operational Resilience in the Financial Sector, as DORA is known in German, by January 17, 2025. DORA is intended to strengthen the operational resilience and security of the financial sector and harmonize the regulations for IT systems in the financial sector at EU level. The regulation is intended to create a uniform framework for the effective management of cyber security and ICT risks in the financial sector.

The new rules have been in force since January 16, 2023. As the preparations for financial companies are very time-consuming, the implementation period is correspondingly long.

DORA affects financial companies and third-party ICT providers

Financial companies and third-party service providers of information and communication technologies (ICT third-party service providers) must comply with the Digital Operational Resilience Act. The term “financial undertaking” includes not only traditional financial service providers such as credit institutions, payment service providers or investment firms, but also, for example, data provision services or rating agencies. The term “ICT third-party service provider” includes providers of digital (data) services. These are primarily cloud computing services, software providers, data analysis services and data centers.

Companies should adapt outsourcing contracts

To implement DORA, financial companies should not only take technical measures, but also review their contracts. This is because ICT risks arise not only from the use of in-house technologies, but also from third-party service providers. Chapter V of DORA therefore also contains requirements for outsourcing agreements between financial companies and third-party ICT service providers.

Existing clauses must be adapted

First of all, companies should review and adapt existing clauses in outsourcing contracts with third-party ICT providers. Art. 30 DORA sets out essential contractual provisions for these contracts. In future, these must be included in all agreements on the use of ICT services. Art. 30 para. 3 DORA standardizes further requirements for the contractual provisions for ICT services to support critical or important functions.

The requirements for outsourcing agreements pursuant to sec. Art. 30 DORA largely corresponds to the requirements of AT 9 of MaRisk and those of the BaFin circulars BAIT, KAIT, ZAIT and VAIT. In any case, there could be an increased need for adjustment for contracts relating to “other external IT procurement”. This is because ICT services according to DORA include almost all telecommunications services except analog telephone services.

DORA requires additional contractual provisions

In addition to the adaptation of existing clauses, DORA also requires new contractual provisions. For example, according to Art. 30 para. 2 i) DORA contractual agreements in the future also include conditions for the participation of ICT third-party service providers in ICT security awareness programs or digital operational resilience training.

Additional clauses in outsourcing agreements are also provided for the use of ICT services to support critical or important functions: Contractual agreements pursuant to Art. 30 para. 3 d) DORA should oblige the ICT third-party service provider to participate in certain tests of the financial company.

Further requirements for contracts arise from Art. 26, 28 and 29 DORA. This concerns, for example, participation in bundled tests of ICT systems, termination rights and transitional regulations as well as the handling of subcontracting.

Outsourcing contracts to become more detailed

DORA also requires that outsourcing agreements become more detailed, especially with regard to a possible review. Reporting obligations may have to be adapted here and provisions on the exchange of information or regulations on the bearing of costs in the case of obligations to cooperate on the part of ICT third-party service providers may have to be included.

It remains to be seen how the supervisory authority will position itself on DORA. This could result in the need for further adjustments to outsourcing contracts with third-party ICT service providers. Companies should therefore analyze existing and impending outsourcing agreements now and, if necessary, adapt them to the provisions of DORA in order to avoid taking any risks.

How financial companies should act now

Companies must have adapted their contracts by January 17, 2025, as DORA will apply from that date. Experience has shown that customization takes a lot of time. Financial companies should therefore begin implementation as early as possible. On the one hand, they should review existing contracts with ICT third-party service providers with regard to the requirements of DORA and adapt them if necessary. When concluding new contracts, you should already take the requirements of DORA into account.

The Digital Operational Resilience Act does involve a lot of effort. However, the measures are in the companies’ own interests, as they reduce the risk of cyber attacks.

Explore #more

12.07.2024 | Business Performance & Resilience, In the media

Guest article in the IPE Dach: Necessary contract adjustments for DORA implementation

Deadline January 17, 2025: Financial companies and other service providers should start implementing the rules of the “Digital Operational Resilience Act” today, because the preparations,…

08.07.2024 | In the media

Article in In-house Counsel with KPMG Law Statement: Have software modules delivered, assemble, fine-tune, done

The article from 05.07.2024 contains an article with a statement by KPMG Law expert Kai Kubsch. IT applications for the legal department programmed by…

05.07.2024 | In the media

Guest article in Deutscher AnwaltsSpiegel: Transformation in legal departments

The KPMG Legal Department Report, now in its tenth edition (see here), has established itself as the standard work for general counsel since 2005…

03.07.2024 | KPMG Law Insights

BImSchG amendment to speed up approval procedures

On 17.05.2024, the traffic light parliamentary groups agreed on the amendment to the Federal Immission Control Act (BImSchG). The law is intended to create faster…

01.07.2024 | In the media

Guest article in Business Punk: Startup insolvency – bargain for investors or incalculable risk?

The issue of June 25, 2024 contains a guest article by KPMG Law experts Stefan Kimmel and Gunars Urdze. The Covid-19 pandemic and the…

01.07.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

28.06.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: ESG and employment law

Sustainable corporate governance is increasingly becoming a legal obligation. The HR department is also affected. Because “sustainable” also includes social aspects. Accordingly, companies have numerous…

25.06.2024 | In the media

Guest article in the ESGZ: Is antitrust law becoming “greener”? – An update

The June issue of ESGZ contains a guest article by KPMG Law expert Jacqueline Unkelbach. Sustainability goals and criteria – in a broader sense…

19.06.2024 | In the media

Guest article in the Börsenzeitung: Tackling succession planning for family businesses early on

Experience shows that less is better than nothing – even individual measures can have a major impact. KPMG Law expert Mark Uwe Pawlytta knows which…

13.06.2024 | In the media

Commentary on the Whistleblower Protection Act (HinSchG) published with contributions from KPMG Law

After years of wrangling, the Bundestag and Bundesrat transposed the EU Whistleblowing Directive into national law in 2023: The Whistleblower Protection Act (HinSchG), which has…


Dr. Matthias Magnus Henke


Tersteegenstraße 19-23
40474 Düsseldorf

tel: +49 211 4155597362

Dr. Frank Püttgen


Barbarossaplatz 1a
50674 Köln

tel: +49 221 2716891414

Dr. Christopher Peinemann, LL.M.

Senior Manager

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49 69 951195-875

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.