Navigating the DORA contract compliance challenge

Reviewing and updating IT-related supplier contracts to match the numerous requirements formulated by DORA poses a tough challenge to financial entities, especially given the 17 January 2025 deadline. An efficient, systematic and digitally enabled review process is key to ensuring a DORA-compliant contract landscape.

On 8 July 2024, BaFin published for the first time a Supervisory Notice with implementation guidance on DORA as a (non-binding) guideline for affected financial institutions.

With regard to the contractual implementation of DORA, the following points are of central importance:

  • With the implementation of DORA, BaFin intends to repeal the regulatory requirements for IT (BAIT/VAIT/KAIT/ZAIT). In future, only DORA will apply to ICT services, so the specific requirements may differ from the previous IT requirements.
  • BaFin's implementation guidance provides a (non-exhaustive) overview of the key contractual provisions that must be agreed on with Third-Party ICT Service Providers in order to comply with DORA (BaFin - Aktuelles - Mindestvertragsinhalte DORA). In principle, these shall also apply to capital management companies (Kapitalverwaltungsgesellschaften) as well as payment and e-money institutions (Zahlungs- und E-Geld-Institute).
  • BaFin expects a re-drafting or re-negotiation of the legal documentation with ICT Third-Party Service Providers and notes the implementation deadline of 17 January 2025 (without further transition periods). In addition, a documented implementation schedule is expected. Waiting for the standard contractual clauses, which have not yet been published, is not sufficient.

As a result, BaFin has now also explicitly stated that the financial institutions concerned must begin the contractual implementation of DORA immediately.

Understanding the EU’s Response to Cybersecurity Threats

On 27 December 2022, the European Parliament and the Council introduced Regulation (EU) 2022/2554, commonly known as the Digital Operational Resilience Act, or DORA. Its primary objective is to enhance the IT security of financial entities such as banks, insurance companies, and investment firms. Contract compliance, as part of ‘ICT Third-Party Risk Management’, is one of the five pillars of DORA.

The Five Pillars of DORA

DORA harmonizes and consolidates key elements of existing digital resilience frameworks and standards within the EU, while also introducing new requirements. It focuses on five main areas: Information and communication technology (ICT) risk management, handling of ICT-related incidents, testing digital operational resilience, ICT Third-Party risk management and exchange of information. 

DORA: The Efficient Contract Compliance

  • ICT risk management: Financial entities must assess and manage risks related to their information and ICT systems.
  • ICT-related incidents: Financial entities must promptly notify competent authorities when significant disruptions occur.
  • Digital operational resilience testing: Regular testing ensures the resilience of digital systems; DORA encourages both basic and advanced testing to assess preparedness for operational disruptions.
  • ICT Third-Party risk management: DORA extends its reach to third-party service providers, prompting financial entities to review, and where needed amend, their contractual relationships with ICT service providers.
  • Exchange of information: Collaboration and information exchange enhance overall resilience.

ICT Third-Party Risk Management: The Contracting Challenge

Under the pillar ‘ICT Third-Party Risk Management’, financial entities inter alia bear the responsibility of ensuring that their contractual arrangements with ICT third-party service providers align with the requirements set out in DORA. A key provision governing these requirements is Art. 30 DORA.

Further requirements are stipulated across DORA and the accompanying Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Ultimately, financial entities need to identify, collect, review and potentially amend all relevant agreements. The deadline for completing these actions is 17 January 2025.

  1. The first task is to identify and collect all relevant ICT contracts for review. Given the scale of their operations, financial institutions often manage a substantial volume of ICT-related contracts – often more than a thousand contracts per institution.
  2. The second step, a detailed legal review of each contract against the DORA requirements, starts by categorizing each agreement into either critical or non-critical, followed by an in-depth legal assessment of whether it fulfills the corresponding specific requirements under DORA.
  3. Finally, all ICT contracts that need to be updated must be amended – which is only possible with the consent of the respective counterparty and may lead to contract negotiations, especially if the counterparty is not familiar with DORA.

The DORA contracting challenge is daunting in its sheer volume and due to the effort required to review and re-negotiate complex contracts within a short time.

Deloitte Legal’s tech-enabled approach

Our three-step approach will help your organization master the various challenges of DORA contract compliance.

During a Preparation Phase our focus is on identifying the in-scope contracts, defining the desired target state and establishing some legal cornerstones, such as the criteria for deciding whether a contract is critical or non-critical. We will also run an initial assessment of your contract landscape.

In the following Gap Analysis we will perform a technology-enabled legal review of your relevant contracts to assess their degree of DORA-compliance, or discuss other approaches such as the blanket amendment of all in-scope agreements via standardized or individualized DORA annexes. Optionally, our legal analysis can be extended to cover other important topics such as GDPR compliance.

The goal of the Implementation phase is to update all relevant agreements so that they comply with the DORA requirements. Our team of lawyers and legal engineers can support you with the full scope of such amendments, including the mass-production of standardized or individualized DORA annexes, answering questions from the contractual counterparties, negotiating the desired contractual amendments, coordinating signatures and feeding the signed versions back into your contract repository. We will draw up a negotiation and Q&A playbook with you to provide full transparency on how we communicate with your counterparties on your behalf, and to give you full control over when and how we will escalate topics into your organization.

Our team is empowered by cutting-edge technology in each phase of the project. 

Partner with us to navigate the complexities of DORA compliance and fortify your operational resilience.

Your Contact

Dr. Till Contzen

Partner | Lead Digital Law

Till is a Partner at Deloitte Legal and Service Line Lead Digital Law, focusing on IT/IP law. Since becoming a lawyer in early 2012, Till has focused on all information technology-related legal matters. He has advised numerous clients in the modernization and outsourcing of IT services and the digitization of business processes. Additionally, he routinely advises clients in the development, implementation and distribution of complex IT solutions such as ERP and CRM systems as well as migration into cloud environments and procurement in the area of ‘Everything-as-a-Service’ (XaaS). Due to his in-depth understanding of technologies, Till is highly skilled in translating complex technical topics into legal language. Not only has he advised clients on the legal challenges of a project, he has also assisted his clients in navigating the numerous organizational, economic and procedural challenges which they face in the lifecycle of a project.

Klaus Gresbrand

Partner

Klaus Gresbrand is a Partner at Deloitte Legal Germany and joined the firm in 2012. Prior to joining us, he worked for an international law firm. Klaus specializes in corporate law including corporate restructuring. In addition to his membership in the Japan Desk, Klaus is part of the international Service Line Corporate/M&A. His professional experience includes corporate restructurings such as national and cross-border mergers, legal due diligence and M&A projects as well as general corporate legal advice. He also advises clients on legal technology topics including contract lifecycle management and document assembly. Klaus is admitted to the bar in Germany (Rechtsanwalt). He studied law at the University of Osnabrück. He also studied at Chuo University and the University of Tokyo, Japan, as an exchange/research student. He speaks German, English and Japanese.

Dr. Hannes Bracht

Partner

Dr. Hannes Bracht has been a partner at Deloitte Legal in Germany in the Banking and Finance Team since January 2017. He focuses on financial services and regulatory law, especially on questions regarding CRD IV, CRR, MiFID II, MiFIR, AIFMD and PSD II. Hannes also advises on savings bank law and on directors’ and officers’ liability. Before joining Deloitte Legal, Hannes worked for a leading German law firm specialised in banking and regulatory law. Hannes is a lecturer at the University of Münster and a bar-certified lawyer for banking and capital market law.

Frank Fischer, LL.M. (Univ. London)

Partner

Frank Fischer has been working as a lawyer in the area of Legal Financial Services for more than 15 years and, as a partner, heads Deloitte Legal's insurance practice in Germany. He advises insurers and reinsurers, insurance intermediaries, IORPs, banks, financial services providers and asset managers in all areas of regulatory law and the interfaces with corporate law and other areas. He regularly assists his clients in transactions, in transformation projects and in proceedings before BaFin. Prior to joining Deloitte Legal, Frank was, inter alia, a lawyer in another Big4 law firm and Assistant General Counsel of a leading asset manager for institutional investors. He has extensive experience in solving cross-jurisdictional problems in corporate groups as well as advising board members on liability, structural and organizational issues (corporate governance & compliance). Frank speaks German and English.

Matthias Meinert

Partner

Matthias is an experienced Financial Services Lawyer with a focus on investment law. He advises clients on the structuring, formation and distribution of investment funds as well as on regulatory compliance questions. This includes providing legal advice on the eligibility of investments by German regulated investors such as insurance companies and pension schemes. His client base encompasses asset managers, fund advisers, investment management companies and institutional investors. Matthias also has experience guiding investment managers entering the German market. He assists with setting up German affiliates and the respective license application procedures with BaFin / Deutsche Bundesbank as well as the establishment of German branches of EU investment firms and fund management companies. He also acts as a legal advisor within the digital assets and blockchain space. In particular, Matthias advises cryptocurrency funds, sponsors and issuers in all aspects of the fundraising lifecycle, including structuring, regulatory compliance and marketing. Prior to joining Deloitte Legal, Matthias was a Financial Services Lawyer at a leading US law firm. He also brings extensive experience as an in-house lawyer from his tenure at the investment management company PIMCO and at a German fund management company (Kapitalverwaltungsgesellschaft). He started his career in the financial services tax practice group of an international audit company. Moreover, Matthias is qualified as a certified Compliance Officer (Univ.).
