Experience report from an implementation project: Contractual DORA compliance in ICT third-party risk management

18/06/2025

The DORA (Digital Operational Resilience Act) is a European Union regulation aimed at strengthening digital resilience in the financial sector, which came into force in January 2025. It affects financial institutions and their service providers by imposing requirements on ICT risk management, incident reporting, testing, and the handling of third-party providers.

As part of the implementation of Regulation (EU) 2022/2554 (DORA), a project team from our company was commissioned by a German financial institution to put the contractual safeguards required by DORA in place vis-à-vis third-party ICT (information and communication technology) service providers. The project goal was to fully integrate the regulatory requirements of Art. 28 (4) DORA into active contractual relationships, to communicate with third-party ICT service providers, and to document the results in the management systems. This article is a field report on that DORA implementation and presents the areas of action, the measures taken, and the challenges identified.

1. Initial situation and objectives

The results of an analysis of existing contractual relationships were transferred into an initial information register. This formed the first basis for the scope of consideration, which was updated over the course of the project. The associated analysis of IT-related contracts revealed that every active contract had to be adapted to comply with DORA, as none of them contained the minimum content required by DORA.

The focus was particularly on:

  • Lack of provisions regarding audit and access rights
  • Lack of regulations regarding the storage, processing, and transfer of data
  • Insufficient information about subcontractors
  • Unclear exit conditions and lack of exit plans

The aim of the project was to establish a process for the DORA review of contracts, to draw up the minimum content for the respective contractual agreements, to support negotiations with third-party ICT service providers, to share expertise with IT contract management staff, and to enable them to operate the process on their own.

2. Procedure and methodology

a) Contract inventory and categorization

A contract inventory of all active ICT-related third-party relationships was created and categorized according to the following criteria:

  • Criticality of the ICT service provider
  • Type of ICT service according to DORA standards
  • Data requirements for the information register
  • Prioritization in establishing DORA contract compliance

b) Development of a standard contract

In cooperation with the company's legal department, a contract addendum (DORA addendum) was developed whose provisions vary depending on the supported business process, the degree of dependency, and whether subcontracting is involved. It contains all the provisions required by Art. 28 (4) DORA, in particular:

  • Regulations on inspection rights, on-site audits, and information obligations
  • Requirements for disclosure of subcontractors and change obligations
  • Mechanisms for emergency communication and resilience reporting
  • Extraordinary termination clauses in the event of serious ICT incidents or compliance violations

c) Implementation

The prioritized contracts were processed in a structured manner, starting with third-party ICT service providers that support critical and important business processes with at least a significant dependency. In cases of deviations from the defined DORA addendum or lack of consent from the third-party ICT service provider, existing risk management processes were used and risks in the active contractual relationship were reported to IT risk management.

3. Levers and lessons learned

Achieving contractual DORA compliance poses challenges for financial companies in terms of DORA expertise, roles and responsibilities, data quality, communication between relevant parties, and available personnel capacity during normal operations.

The effort involved can be reduced if compliance is achieved through technical and organizational measures:

  • Validation of data quality in existing contract management systems
  • Integration of contractual DORA requirements into defined and newly established review processes as part of risk assessment
  • Clear roles and responsibilities in contract initiation, approval, management, and termination
  • Targeted information for strategic and operational stakeholders (project reporting & operational coordination with line operations)

Conclusion

Implementing contractual compliance in accordance with the Digital Operational Resilience Act (DORA) poses significant technical, organizational, personnel, and communication challenges for financial companies. Based on our experience, we recommend planning the establishment of contractual DORA compliance as a project in order to relieve the burden on day-to-day business and to hand the project results over to regular operations step by step.

The systematic validation of existing contract data, the establishment of clearly defined roles and responsibilities throughout the contract lifecycle, and the integration of requirements into existing audit and risk management processes create a solid foundation for sustainable DORA compliance that can be transferred to regular operations. In addition, standardized reporting enables transparent control of project progress and the targeted involvement of relevant operational and strategic stakeholders.

Data quality in contract management systems is crucial to the success of the project in initially establishing contractual DORA compliance. In our experience analyzing existing contract data, up to 10% of contracts maintained as active are unexpectedly inactive and therefore do not require further DORA review. This circumstance calls for a different approach to project reporting – data quality and project progress must be reported separately, because a reduction in the contract portfolio does not in itself represent progress in the implementation of contractual DORA compliance.
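The following script is an added illustration and is not part of the original report or of the project's tooling. It models a contract register with the categorization criteria from section 2a (criticality, dependency, subcontracting, priority) and then produces the two separate figures argued for above: a data-quality clean-up rate (contracts recorded as active but found inactive) and a compliance-progress rate computed only over the confirmed-active contracts. The register contents, provider names, field names, and the priority tiers are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Contract:
    contract_id: str
    provider: str
    critical_or_important: bool   # supports a critical or important business function
    dependency: str               # "low", "significant" or "high"
    uses_subcontractors: bool     # decides which addendum variant applies
    recorded_active: bool         # status as kept in the contract management system
    confirmed_active: bool        # status after validation with the contract owner
    addendum_status: str          # "pending", "signed" or "deviation_reported"


# Constructed sample register: ids, providers and statuses are invented placeholders.
REGISTER = [
    Contract("C-001", "Provider A", True, "high", True, True, True, "signed"),
    Contract("C-002", "Provider B", True, "significant", False, True, True, "pending"),
    Contract("C-003", "Provider C", False, "low", False, True, True, "pending"),
    Contract("C-004", "Provider D", True, "high", False, True, False, "pending"),
    Contract("C-005", "Provider E", True, "significant", True, True, True, "deviation_reported"),
    Contract("C-006", "Provider F", False, "high", False, True, True, "pending"),
    Contract("C-007", "Provider G", False, "low", False, False, False, "pending"),
]

PRIORITY_DEPENDENCY = {"significant", "high"}


def priority(c: Contract) -> int:
    """Hypothetical priority tiers: 1 = critical/important function with at least a
    significant dependency (processed first, as in section 2c); 2 = only one of the
    two criteria applies; 3 = everything else."""
    if c.critical_or_important and c.dependency in PRIORITY_DEPENDENCY:
        return 1
    if c.critical_or_important or c.dependency == "high":
        return 2
    return 3


def work_queue(contracts):
    """Contract ids that still need a DORA addendum, ordered by priority then id.
    Contracts found inactive during validation leave the queue without counting as done."""
    open_items = [
        c for c in contracts
        if c.recorded_active and c.confirmed_active and c.addendum_status == "pending"
    ]
    return [c.contract_id for c in sorted(open_items, key=lambda c: (priority(c), c.contract_id))]


def status_report(contracts):
    """Report data quality and compliance progress as separate figures."""
    recorded = [c for c in contracts if c.recorded_active]
    inactive = [c for c in recorded if not c.confirmed_active]
    in_scope = [c for c in recorded if c.confirmed_active]
    # A contract is closed once the addendum is signed or the deviation has been
    # handed to IT risk management (section 2c).
    closed = [c for c in in_scope if c.addendum_status in ("signed", "deviation_reported")]

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    return {
        "recorded_active": len(recorded),
        "found_inactive": len(inactive),
        "data_quality_cleanup_pct": pct(len(inactive), len(recorded)),
        "in_scope": len(in_scope),
        "closed": len(closed),
        "compliance_progress_pct": pct(len(closed), len(in_scope)),
        # The figure to avoid: counting cleaned-up inactive contracts as "done"
        # inflates apparent progress.
        "misleading_closed_pct": pct(len(closed) + len(inactive), len(recorded)),
    }


if __name__ == "__main__":
    print("work queue:", work_queue(REGISTER))
    for key, value in status_report(REGISTER).items():
        print(f"{key}: {value}")
```

On the sample register the misleading combined figure reads 50% while the actual compliance progress is 40%; the difference is exactly the one contract that was cleaned up as inactive, which is why the two numbers belong in separate report lines.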

Care must be taken to ensure that the necessary data quality is produced in accordance with the specifications agreed during project planning, and that the existing regular operations staff are empowered to maintain that data quality after the project ends.

It is clear that implementing contractual DORA compliance across all areas raises numerous detailed questions and non-obvious operational and strategic stumbling blocks – this is where a proven good-practice approach to project planning pays off in achieving contractual DORA compliance.

As an experienced partner, we are happy to assist you in achieving contractual DORA compliance, whether you are a financial institution or a third-party ICT service provider.