DORA: Why it’s time to review all your ICT contracts

The Digital Operational Resilience Act (DORA) is due to come into force in January 2025 and will affect all financial entities operating across the European Member States. Discover what the act means for the financial sector and the tools which can ease the compliance process.

Published: August 29, 2024

The Digital Operational Resilience Act (DORA) is due to come into force in January 2025 and will affect all financial entities operating across the European Member States.

The act establishes regulations on ICT security and management to ensure business continuity across the financial sector. As a result, many businesses will need to review their third-party ICT contracts to ensure their providers comply with the DORA’s requirements. Without a digital contracting tool in place, reviewing all third-party contracts will be a time-consuming and error-prone task, potentially leading to significant fines.

With the right digital contracting tool, the contract review process can be straightforward and hassle-free.

Read on to discover the right tool to use and to understand more about the DORA.

What is the DORA regulation?

The DORA is a European Union (EU) regulation requiring financial entities and their third-party ICT providers to have robust ICT systems and processes that ensure business continuity.

The standard covers a range of areas that the financial sector must comply with by the January 2025 start date, from ICT risk management to digital operational resilience testing. Explore more about each area of the act in the DORA’s articles.

Why is the DORA needed?

The EU recognises the threat posed by significant IT operational disruptions, from high-profile outages to extended periods of network unavailability.

Currently, EU Member States issue their own ICT risk management standards. The EU saw that having multiple standards across Member States made compliance difficult for the financial sector. In response, the European Council took decisive action by creating the DORA.

The DORA aims to harmonise the various standards, so that only one standard applies across all Member States.

When will the DORA come into force and who will it affect?

The DORA was first introduced on the 13th of January 2023 and is due to come into force on the 17th of January 2025.

The act applies to 20 different types of financial entities and ICT third-party service providers including:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Insurance providers
  • View the full list in Article 2(1) of DORA

The act is predominantly an EU act, applying to financial entities based in the European Member States. However, the DORA will also apply to parent companies based outside the EU that procure ICT services on a group-wide basis, plus third-party service providers that supply financial sector entities with ICT systems and services. It is likely that similar mandates for the United Kingdom and North America will follow.

What does the DORA mean for your contracts?

The financial sector must integrate ICT third-party risk management seamlessly into their overall ICT risk management framework.

Businesses covered by the DORA must assess risks, especially when working with ICT third-party providers that can't be replaced or when they have several contracts with similar or connected providers. Additionally, both the financial entity and the ICT third-party provider should have a clear, written agreement detailing their rights and obligations. This documentation, including service-level agreements, should be easily accessible and comply with the act.

To ensure third parties meet the DORA’s requirements, financial entities will need to check every provider’s contract. This is crucial as both the entity and the third-party provider have the responsibility for complying with the DORA. Even when using ICT services via contractual agreements, the entity remains fully responsible for compliance with the act’s regulatory and financial obligations.

Using an AI contract review tool to your advantage

It goes without saying that manually reviewing all third-party contracts is a time-consuming process, with high chances of error. The DORA does not leave room for error, as failure to comply can incur considerable financial repercussions.

Fines can be as large as 1% of average daily global turnover from the previous year, applied daily until compliance is achieved.

Using an AI contract review tool can make the process much simpler.

Summize’s AI contract review solution

Summize is an AI-powered Contract Lifecycle Management (CLM) platform, spanning all interactions with contracts in a business.

With Summize, financial entities can enable bulk contract review against clause rules defined in their Playbook, saving a great deal of time on manual contract review. Summize customers will also have access to DORA templates in their clause manager for ease and simplicity. Provisions relevant to the DORA, such as SLAs, security obligations, reporting requirements and triggers for breach, can be found in each third-party contract in a matter of seconds.

And if the search brings up provisions that don’t meet your Playbook’s or the DORA’s requirements? Summize flags the clauses for you and summarises them in an easy-to-digest format, so you can make amendments or adjustments as necessary with your suppliers in time to meet the new standards.

At Summize, our clients are already reviewing their ICT contracts using Summize’s AI contract review solution (directly within Microsoft Word!). By automating the extraction of contract information such as service levels, subcontracting and audit rights, businesses have time to highlight any risks long before the DORA comes into effect.

The next steps for your business

Complying before the January 17th 2025 start date can be achieved when you have the right tools at your disposal.

With Summize, your CLM solution can be up and running within just four weeks, with a milestone-based approach to implementation across your use cases, prioritised according to contract management areas that matter to you the most.

To get started with a Contract Lifecycle Management solution, and to make complying with the DORA a much simpler task, start by booking a demo with Summize’s experts. Our team will listen to your contracting needs to identify your top priorities and show you how Summize makes CLM simple by embedding user experiences within the tools you already use daily.

Request your demo today and our team will be on hand to help.

About the author

Thomas Pratt

Legal Counsel Presales Consultant

Thomas is a Legal Counsel Presales Consultant with experience in both the legal and tech sectors. Having previously worked in private practice, Thomas has a deep understanding of complex legal frameworks. His expertise in Contract Lifecycle Management (CLM) stems from his previous involvement in negotiating contracts and CLM software use to manage agreements. Thomas works closely with Summize's Business Development teams, helping them connect prospects to Summize's tailored CLM solution.
