January 2025 marks the deadline for financial firms in the EU to comply with DORA requirements. Are you ready?
The EU’s Digital Operational Resilience Act (DORA)
By January 2025, enterprises in the finance sector must strengthen their operational resilience in information and communication technology (ICT). This includes addressing the risks introduced by third-party providers that deliver digital services in your sourcing ecosystem. In just a few short weeks, the Digital Operational Resilience Act (DORA) will be law.
As we’ve been covering for more than a year, DORA is a standardized framework with broad-reaching regulations that apply across EU member states, including requirements for internal ICT risk management policies, incident reporting, third-party risk management, digital resilience testing and more. And for ICT services supporting critical functions, DORA specifies additional requirements, such as key provisions in contractual agreements with third-party service providers and stricter IT security.
What are the key contractual provisions for third parties in DORA? Financial services firms are increasingly outsourcing and integrating external partners into their ecosystems; DORA lays out contractual provisions precisely for managing this kind of risk.
Specific DORA Requirements for Contractual Agreements
A great deal of work goes into managing the lifecycle of sourcing contracts; DORA adds another layer of complexity. Specific requirements that enterprises need to include in their contractual agreements with third-party ICT services providers are listed in Article 30, titled “Key Contractual Provisions,” in DORA’s Chapter V “Managing of ICT Third-party Risk.” The list covers 16 topics, including specific stipulations for services supporting critical functions (figure 1).
Figure 1: Overview of Requirements for Contractual Arrangements on the Use of ICT Services
Financial entities need to approach DORA compliance in a structured way and assess the degree to which they are meeting or not meeting requirements in existing contracts. ISG leverages a three-step approach to support clients.
Three-Step-Approach for Financial Entities to Achieve DORA Compliance for Outsourcing Contracts
- Assess and evaluate your services and provider portfolio.
DORA Article 28.3 requires identification and documentation of all ICT services, as well as the definition of what it calls “critical and important functions.” This means mapping ICT services and suppliers to business functions. This is also required to meet the requirements specified in the draft Implementing Technical Standards (ITS) on the Register of Information.
Figure 2: Required Classifications to Determine DORA Compliance
There is not yet an official regulatory template or guideline for assessing the criticality of business functions. This means financial entities must define their own approach based on the definition of “critical and important function” provided in DORA article 3.22. The same applies to the process of identifying ICT services, which, according to DORA, are “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services” (DORA article 3.21). Although the EU provides a list of types of ICT services in the draft ITS, it provides limited information about how to correctly classify services. As a starting point, financial entities may reference their implementations for similar existing regulations, e.g., the EBA guidelines on outsourcing arrangements. It is important to note that risk classifications from previous regulations, e.g. the German MaRisk, cannot simply be carried over to the DORA classification.
- Assess outsourcing contracts based on ICT and criticality classification.
Once financial entities have classified their outsourced services, they can start to assess current compliance with DORA stipulations and identify required adaptations. This could involve potentially hundreds of contractual agreements with ICT third-party service providers, which requires significant planning and resources and typically results in a risk-based approach: focus on critical outsourcing arrangements first and deal with the rest later.
- Decide and make necessary changes.
The last step toward DORA compliance for contractual agreements with ICT third-party service providers is the implementation of the necessary contract changes to fill identified gaps. While legal departments typically take care of terms and conditions, ISG recommends ensuring that the relevant specified service definitions like deliverables and obligations are also integrated into contractual documents. Ultimately, the objective must be to a) enable effective controls of contract fulfillment, and b) ensure that contractual arrangements are adequately integrated into the operational resilience framework as intended by DORA. This may include processes, roles and responsibilities, risk and performance metrics, strategic supplier segmentation and portfolio guidelines, down to supplier and service management processes and practices. Only then can digital operational resilience truly be achieved.
What Financial Services Firms Should Do Now
ISG helps enterprises take the necessary steps toward DORA compliance. Our experienced advisors use proven methodologies and tools to:
- Assess services and contracts to distinguish which services are “ICT services” according to DORA
- Assess criticality to determine “critical or important” functions according to DORA
- Assess contract compliance to DORA requirements
- Support contract change with standardized contract document templates, contract change preparation and execution, and negotiation support
- Manage projects and programs, including risk management and management reporting, to enable stakeholders and project team members to stay focused on the right tasks
- Support operating model change and governance to fulfil and execute DORA’s requirements
Leveraging DORA Compliance Projects for Long-term Benefits
Because becoming compliant with DORA requires a significant investment of time and effort, financial entities should think about how to generate additional value from the work. The goal should be an actionable risk framework rather than only a set of standard contract clauses. After all, IT operational resilience is the ultimate objective.
ISG recommends financial entities evaluate the following options for creating sustained value:
- Cost-optimize your contracts: The extensive analysis and adaptation of contracts provides deep insights on a broad range of providers and their services, which can be used to optimize individual contract costs via benchmarking, for example. The evaluation process is an opportunity to holistically review sourced services and identify cost-optimization opportunities by leveraging synergies and consolidating suitable services into more efficient contract frameworks.
- Manage and modernize your technology: The in-depth analysis of all ICT services also provides an opportunity to compare them to best-in-class technologies and evaluate whether the existing services and technologies enable you to remain competitive in the market.
- Implement a third-party risk management framework and methodology: Handling DORA-related risks in alignment with overall third-party and IT operational risk management supports bigger goals related to risk-related segmentation and assessment, risk profiling and risk management processes.
- Optimize service management processes: Integrating DORA requirements into service management frameworks and processes (e.g. ITIL and IT4IT) will ensure they are streamlined and that they support operational risks and resilience management requirements. For example, DORA introduces specific requirements for incident reporting and BCM/SCM for ICT services providers. A holistic review and optimization of existing processes can significantly reduce effort when executing and managing these processes. This also applies to integrating and managing external parties.
- Review your sourcing strategy: After identifying and classifying all ICT services and providers, financial entities should holistically review their provider and service portfolio to bring sourcing decisions in line with DORA and other regulatory requirements and objectives.
- Standardize your sourcing execution: Standardizing processes and procedures, contract documents and templates, as well as provider selection criteria and methodologies will make your sourcing initiatives more efficient and ensure regulatory compliance across all providers and services.
- Refine your target operating model: Define roles and responsibilities across the organization so teams know how to collaborate in achieving ICT operational resilience.
With the DORA compliance deadline approaching, it's crucial to act swiftly and methodically. ISG can help you prioritize your ICT contracts, develop comprehensive governance frameworks and ensure clear communication across your organization. For more detailed guidance on DORA compliance, get in touch with us.