DORA Guidelines: Contractual and Contract Management Requirements for Suppliers and Financial Institutions


What is DORA?

The Digital Operational Resilience Act (DORA) is a groundbreaking legislative framework introduced by the EU to ensure digital resilience in the financial sector. A significant portion of DORA addresses the relationship between financial institutions and their suppliers, particularly concerning contractual obligations and contract management.

DORA Guidelines – 7 key compliance requirements

We have summarized some of the key requirements below that financial institutions or their IT service providers should be aware of. Over the coming period, we will develop a series of articles delving into these points and providing recommendations on how to handle them, both as a supplier and as a financial institution.

If DORA is not relevant to you but you are a supplier or recipient of IT services, continue reading, as the described requirements and our recommendations often reflect general best practices when entering into IT contracts.

1: Determining the applicability of DORA:

Financial institutions: If you are a financial institution operating within the EU, DORA applies to you.
Suppliers: If you provide ICT services to financial institutions in the EU, you may be subject to DORA, especially if your services are considered “critical.”

2: Contractual requirements:

Clear definitions: Contracts must clearly define the services provided, including any sub-services and their criticality.
Performance metrics: Define clear performance and uptime metrics to ensure compliance with DORA’s resilience requirements.
Data protection: Contracts must have robust data protection clauses complying with GDPR and other relevant EU data protection regulations.
Incident reporting: Suppliers must promptly report any significant ICT-related incidents to the financial institution.

3: Supervision and audit:

Regular audits: Financial institutions should have the right to audit their suppliers to ensure compliance with DORA requirements.
Continuous monitoring: Contracts should allow financial institutions to continuously monitor the supplier’s service performance and resilience.

4: Subcontractors:

Transparency: Suppliers must disclose if part of the service is provided by subcontractors and to whom.
Responsibility: The primary supplier remains responsible for the service, even if parts of it are provided by a subcontractor.

5: Termination and transition:

Exit strategy: Contracts should outline a clear exit strategy ensuring financial institutions can transition to another supplier if necessary without compromising resilience.
Data retrieval: Upon termination, financial institutions should be able to retrieve all their data in a usable format.

6: Continuous improvement:

Adaptation to changes: As DORA evolves, contracts should include provisions for periodic reviews to ensure they remain in compliance with the latest requirements.

7: Fines and obligations:

Clear consequences: Contracts should clearly specify fines for non-compliance or violation of terms, especially those related to DORA requirements.
