- Dr. Markus Hülper
- Walid Adams
- 09.04.25
- Reading time: 4 minutes
Contract adjustments due to DORA: What financial companies need to consider now
With the introduction of the Digital Operational Resilience Act (DORA), financial organisations are obliged to comprehensively improve their digital and operational resilience. While many companies are already implementing technical measures, one crucial aspect often takes a back seat: the contractual adaptation to the new regulatory requirements. DORA affects not only financial organisations but also the external ICT service providers that deliver critical IT services to them. Financial organisations must ensure that their contracts with these third-party providers fulfil the new requirements.
Which companies are affected?
The DORA Regulation covers a broad spectrum of players in the financial sector. In addition to banks and insurance companies, payment service providers, investment firms, crypto service providers and rating agencies are also obliged to strengthen their ICT resilience. Companies that procure ICT services from third-party providers, such as cloud services or cyber security solutions, are particularly affected. As external providers can pose a potential security risk, DORA attaches particular importance to clear and secure contractual structures.
DORA and NIS-2: A complementary regulation
DORA can be seen as a supplement to the Directive on the Security of Network and Information Systems (NIS-2). While NIS-2 focuses on the general cyber security of critical infrastructures and covers a wide range of sectors, DORA specifically addresses the IT security requirements of the financial sector. Financial organisations should therefore ensure that their contractual arrangements take into account both DORA and NIS-2 requirements to ensure holistic digital resilience.
Key contractual components in accordance with DORA
Precisely worded contractual clauses between financial organisations and their IT service providers are a key element of the DORA requirements. The regulation stipulates that companies must adapt existing contracts and ensure that new agreements are compliant from the outset.
The following points are particularly relevant here:
- Responsibilities and liability: Contracts must clearly define the responsibilities of the IT service provider. In the event of cyberattacks or IT failures in particular, it must be regulated who is liable for damages and what measures are taken to minimise risk.
- Reporting obligations and incident management: DORA requires IT service providers to report serious incidents immediately to the financial organisation and, if necessary, to the competent authorities. Contracts must clearly regulate this in order to avoid legal uncertainties.
- Review and audit rights: Financial organisations must reserve the right to audit IT service providers on a regular basis. This includes on-site inspections and external security audits.
- Subcontractors and chain contracts: Many IT service providers work with subcontractors. DORA demands that the responsibilities and obligations of these subcontractors are also clearly regulated. In particular, a critical dependency must not arise without the financial company being aware of it and giving its consent.
- Termination and exit strategies: If a contract ends or is cancelled, companies must ensure that the switch to another provider runs smoothly and that no security gaps arise. Data migration, deletion concepts and transition periods must be defined.
Challenges in contract implementation
Adapting existing contracts to DORA is no trivial matter. Many companies are faced with the challenge of reviewing and adapting hundreds or even thousands of contracts. In addition, coordination with IT service providers often requires lengthy negotiations. To make this process easier, companies can utilise modern document generators. These tools help to quickly and efficiently adapt contract templates to new regulatory requirements, significantly reducing the amount of manual processing required. Existing contracts can be automatically analysed and converted into standardised, DORA-compliant templates. It is advisable to develop standardised contract templates that comply with DORA requirements and facilitate future adaptations.
What financial companies should do now
Implementing the DORA requirements requires a structured and strategic approach. Financial organisations should therefore develop a systematic roadmap that takes into account all relevant processes, contracts and responsibilities.
A clear roadmap helps to minimise legal risks, ensure compliance and build long-term resilience:
- Comprehensive inventory of all relevant contracts: Companies should analyse all existing contracts with ICT service providers to determine which agreements need to be revised or renegotiated. Structured contract management helps to identify gaps or outdated clauses.
- Development of standardised contractual clauses: Uniform templates and standard contracts ensure that new agreements comply with the DORA requirements from the outset. In particular, these should contain provisions on security standards, liability, inspection obligations and reporting processes.
- Active negotiation with IT service providers: Close cooperation with external providers is necessary in order to implement the new requirements efficiently. Clear expectations regarding security measures, test procedures and emergency plans should be communicated.
- Targeted training of internal teams: Employees from the IT, legal and compliance departments must be familiarised with the new requirements. Regular training courses and workshops help to put regulatory provisions into practice and clearly define responsibilities.
- Regular review of new and existing contracts: A one-off adjustment is not enough. Companies should continuously check whether existing contracts are still compliant and make adjustments where necessary. A dynamic monitoring process helps to ensure long-term compliance.
How can companies adapt their contracts efficiently and thus minimise risks?
The requirements of DORA go far beyond technical protective measures. Clear and precise contract design is crucial in order to minimise legal and operational risks. However, implementing these adjustments requires considerable resources and can be a time-consuming challenge for many companies.
By using legal tech and external experts, contract reviews and amendments can be organised efficiently and regulatory requirements can be implemented more quickly. Companies that act early not only avoid regulatory sanctions, but also secure a stronger position in contract negotiations with IT service providers.
We support companies in the efficient customisation of contracts. We can review your existing contracts, develop drafting proposals or negotiate contracts on your behalf – whatever you need. We can also assist you with the implementation of legal tech solutions so that you can optimally fulfil the DORA requirements. A solid contractual basis creates transparency, reduces risks and ensures that financial companies can also strengthen their digital resilience in the long term.
Your personal contact
Matthias Schulz, Director Sales
- +49 40 257 660 967
- +49 40 257 660 919
- m.schulz@clarius.legal