Navigating the DORA contract compliance challenge

Reviewing and updating IT-related supplier contracts to match the numerous requirements formulated by DORA poses a tough challenge to financial entities, especially given the 17 January 2025 deadline. An efficient, systematic and digitally enabled review process is key to ensuring a DORA-compliant contract landscape.

Understanding the EU’s Response to Cybersecurity Threats

Regulation (EU) 2022/2554 of the European Parliament and of the Council, commonly known as the Digital Operational Resilience Act (DORA), was published in the Official Journal of the EU on 27 December 2022. Its primary objective is to strengthen the digital operational resilience and IT security of financial entities such as banks, insurance companies and investment firms. Contract compliance forms part of ‘ICT Third-Party Risk Management’, which is one of the five pillars of DORA.

The Five Pillars of DORA

DORA harmonizes and consolidates key elements of existing digital resilience frameworks and standards within the EU, while also introducing new requirements. It focuses on five main areas: Information and communication technology (ICT) risk management, handling of ICT-related incidents, testing digital operational resilience, ICT Third-Party risk management and exchange of information. 

DORA: The Efficient Contract Compliance

Financial entities must identify, assess and manage the risks arising from their ICT systems and maintain a documented ICT risk management framework.
Financial entities must classify ICT-related incidents and report major incidents to the competent authorities within the prescribed deadlines.
Regular testing ensures the resilience of digital systems: DORA requires basic testing of ICT systems and, for entities designated by the competent authorities, advanced threat-led penetration testing (TLPT).
DORA extends its reach to ICT third-party service providers, requiring financial entities to review, and where needed amend, their contractual relationships with those providers.
Collaboration and the exchange of cyber threat information and intelligence between financial entities enhance overall resilience.

ICT Third-Party Risk Management: The Contracting Challenge

Under the pillar ‘ICT Third-Party Risk Management’, financial entities inter alia bear the responsibility of ensuring that their contractual arrangements with ICT third-party service providers align with the requirements set out in DORA. The key provision governing these requirements is Art. 30 DORA, which prescribes the minimum contractual content for all ICT service contracts and additional content for contracts supporting critical or important functions.

Further requirements are stipulated across DORA and the accompanying Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Ultimately, financial entities need to identify, collect, review and potentially amend all relevant agreements. The deadline for completing these actions is 17 January 2025.

  1. The first task is to identify and collect all relevant ICT contracts for review. Given the scale of their operations, financial institutions typically manage a substantial volume of ICT-related contracts, frequently more than a thousand per institution.
  2. The second step, a detailed legal review of each contract against the DORA requirements, starts by determining whether the agreement supports a critical or important function (and is therefore subject to the additional requirements of Art. 30(3) DORA) or not, followed by an in-depth legal assessment of whether it fulfils the corresponding requirements.
  3. Finally, all ICT contracts that need to be updated must be amended – which is only possible with the consent of the respective counterparty and may lead to contract negotiations, especially if the counterparty is not familiar with DORA.

The DORA contracting challenge is daunting in its sheer volume and due to the effort required to review and re-negotiate complex contracts within a short time.

Deloitte Legal’s tech-enabled approach

Our three-step approach will help your organization master the various challenges of DORA contract compliance.

During a Preparation Phase our focus is on identifying the in-scope contracts, defining the desired target state and establishing some legal cornerstones, such as the criteria for deciding whether a contract is critical or non-critical. We will also run an initial assessment of your contract landscape.

In the following Gap Analysis we will perform a technology-enabled legal review of your relevant contracts to assess their degree of DORA compliance, or discuss other approaches such as the blanket amendment of all in-scope agreements via standardized or individualized DORA annexes. Optionally, our legal analysis can be extended to cover other important topics such as GDPR compliance.

The goal of the Implementation phase is to update all relevant agreements so that they comply with the DORA requirements. Our team of lawyers and legal engineers can support you with the full scope of such amendments, including the mass-production of standardized or individualized DORA annexes, answering questions from the contractual counterparties, negotiating the desired contractual amendments, coordinating signatures and feeding the signed versions back into your contract repository. We will draw up a negotiation and Q&A playbook with you to provide full transparency on how we communicate with your counterparties on your behalf, and to give you full control over when and how we will escalate topics into your organization.

Our team is empowered by cutting-edge technology in each phase of the project. 

Partner with us to navigate the complexities of DORA compliance and fortify your operational resilience.

Your Contact

Dr. Till Contzen


Partner

Till is a Partner at Deloitte Legal and Service Line Lead Digital Law, focusing on IT/IP law. Since becoming a lawyer in early 2012, Till has focused on all information technology-related legal matters. He has advised numerous clients in the modernization and outsourcing of IT services and the digitization of business processes. Additionally, he routinely advises clients in the development, implementation and distribution of complex IT solutions such as ERP and CRM systems, as well as on migration into cloud environments and procurement in the area of ‘Everything-as-a-Service’ (XaaS). Due to his in-depth understanding of technologies, Till is highly skilled in translating complex technical topics into legal language. Not only has he advised clients on the legal challenges of a project, he has also assisted his clients in navigating the numerous organizational, economic and procedural challenges they face in the lifecycle of a project.

Klaus Gresbrand


Partner

Klaus Gresbrand is a Partner at Deloitte Legal Germany and joined the firm in 2012. Prior to joining us, he worked for an international law firm. Klaus specializes in corporate law, including corporate restructuring. In addition to his membership in the Japan Desk, Klaus is a member of the international Service Line Corporate/M&A. His professional experience includes corporate restructurings such as national and cross-border mergers, legal due diligence and M&A projects, as well as general corporate legal advice. He also advises clients on legal technology topics, including contract lifecycle management and document assembly. Klaus is admitted to the bar in Germany (Rechtsanwalt). He studied law at the University of Osnabrück. He also studied at Chuo University and the University of Tokyo, Japan, as an exchange/research student. He speaks German, English and Japanese.

Dr. Hannes Bracht


Partner

Dr. Hannes Bracht has been a partner at Deloitte Legal in Germany in the Banking and Finance Team since January 2017. He focuses on financial services and regulatory law, especially on questions regarding CRD IV, CRR, MiFID II, MiFIR, AIFMD and PSD II. Hannes also advises on savings bank law and on directors’ and officers’ liability. Before joining Deloitte Legal, Hannes worked for a leading German law firm specialised in banking and regulatory law. Hannes is a lecturer at the University of Münster and a bar-certified specialist lawyer for banking and capital market law.

Frank Fischer, LL.M. (Univ. London)


Partner

Frank Fischer has been working as a lawyer in the area of Legal Financial Services for more than 15 years and, as a partner, heads Deloitte Legal's insurance practice in Germany. He advises insurers and reinsurers, insurance intermediaries, IORPs, banks, financial services providers and asset managers in all areas of regulatory law and at its interfaces with corporate law and other areas. He regularly assists his clients in transactions, in transformation projects and in proceedings before BaFin. Prior to joining Deloitte Legal, Frank was, inter alia, a lawyer at another Big Four law firm and Assistant General Counsel of a leading asset manager for institutional investors. He has extensive experience in solving cross-jurisdictional problems in corporate groups, as well as in advising board members on liability, structural and organizational issues (corporate governance & compliance). Frank speaks German and English.
