Accelerating DORA Compliance with Contract AI (Part 2)

This is part 2 of a two-part blog series exploring how contract AI can be leveraged to streamline compliance with the European Union's Digital Operational Resilience Act (DORA). Read Part 1  here.

The January 17, 2025 deadline for compliance with the European Union's Digital Operational Resilience Act (DORA) is so close, yet financial services firms are still facing pressing challenges in executing their plans to achieve compliance. The European Supervisory Authorities (ESAs) made clear in December that there is no transition or grace period – firms are expected to be compliant from day 1.

In addition to many other requirements, DORA requires financial services entities to include certain prescribed provisions in all contracts with information and communications technology (ICT) service providers (see A). It is also worth noting that there are more onerous requirements for contracts involving ICT services which support critical or important functions (see B).

Navigating the Ins and Outs of DORA's Contractual Requirements

A) Requirements for all contracts with ICT service providers

Below is a summary of some of the key specific provisions that DORA requires that financial services firms include in all contracts with ICT service providers:

Termination Rights: Financial services firms need to have the right to terminate in the event of:

• • Significant breaches by the ICT provider of applicable laws, regulations, or the contract itself.
  • Performance risks identified during ongoing monitoring, including material changes that could affect service delivery or the ICT provider’s ability to meet obligations.
  • Evidenced weaknesses in the ICT provider’s risk management, especially regarding data security.
  • Prevention of competent authority’s supervision of the financial entity due to the conditions of, or circumstances related to the provision of ICT services.

All termination rights should have related minimum notice periods for the termination of the contractual arrangements.

Description, Subcontracting and Location of Services:

• • A clear description of all functions and services provided by the ICT service provider (including Service Level description).
  • Terms for subcontracting, particularly for critical functions, including conditions and regulatory compliance expectations.
  • Detailed information on the locations where services and data processing occur, and the requirement for the ICT provider to notify the firm if these locations change.

Data Security and Continuity

• • The availability, authenticity, integrity, and confidentiality of all data, including personal and non-personal data.
  • Access to and recovery of data in the event of provider insolvency or contract termination.

Incident Response and Regulatory Cooperation:

• • The obligation to assist the firm at no additional cost or at pre-agreed costs when an ICT-related incident occurs.
  • Full cooperation with regulatory authorities and resolution authorities, as well as participation in the firm’s ICT security awareness programs and resilience training.

B) Additional Requirements for critical or important functions

In addition to the requirements outlined above, below is a summary of some of the more onerous requirements that apply for information and communications technology (ICT) third-party services supporting critical or important functions.

Enhanced Termination Rights: Expands the conditions under which financial services firms can terminate, ensuring that termination happens without:

• • Disruption to business operations.
  • Non-compliance with regulatory requirements.
  • Compromising service continuity and quality for clients.

More detailed SLAs with precise quantitative and qualitative performance targets to allow for effective monitoring and enable appropriate corrective action.

Reporting of developments materially impacting the service provider’s ability to effectively provide services within notice periods.

Testing of Business Continuity and ICT Security: ICT providers must implement and test contingency plans and ICT security measures to ensure uninterrupted service delivery.

Rights to Monitor and Audit:

• • Unrestricted access to inspect and audit the provider’s performance, and the ability to request copies of relevant documentation.
  • Onsite audits by the firm or a third-party, and the obligation for the ICT provider to cooperate during these inspections.
  • The ability to conduct pooled audits with other clients, ensuring compliance with contractual terms and regulatory requirements.

Choose Catylex for DORA Compliance

Not all contract data solutions are the same. Catylex can accelerate compliance with DORA by leveraging our AI to automatically identify these DORA-required provisions across your contracts and highlight the gaps in these provisions. This puts financial services firms in a position to know what contracts and provisions they need to amend so they can action accordingly.

Catylex also supports DORA compliance in the following ways:

• Catylex automatically analyzes all your contracts so you can determine which contracts relate to information and communications technology (ICT) with 3^rd party service providers. Catylex is scalable and can process and handle vast contract portfolios quickly and effortlessly.
  
  
• Catylex is a contract data repository which allows users to easily access, query and export data for audits, reporting, and internal reviews and to meet regulatory reporting requirements under DORA.

For more information on how Catylex can help you comply with DORA please contact us.