Time is running out to comply with the European Union’s (EU’s) Digital Operational Resilience Act (DORA). The legislation came into force in January 2023, and the January 17, 2025, deadline for compliance is approaching rapidly. The pressure is on, not least to ensure that financial-services entities (firms) have the right contractual provisions in place with their information and communications technology (ICT) service providers (suppliers).
DORA aims to strengthen firms’ operational resilience and security against all types of ICT disruptions. It applies to a wide range of EU-based firms, including credit institutions, payment institutions, investment firms and insurers, as well as to their suppliers. It can also apply to non-EU-based firms that have business links with or operations in the EU.
DORA embeds a more robust approach to how digital capabilities are delivered to firms within the EU. It introduces a harmonised framework to mitigate the growing risks posed by the rapid digitalisation of firms and their increasing dependence on suppliers and shared infrastructure. Most firms have set up programmes to understand what DORA means for them, including in relation to third-party risk management (TPRM).
As part of TPRM, DORA stipulates that all ICT contracts must contain specific baseline contract terms. There are also more onerous additional requirements for contracts supporting critical or important functions (CIFs). CIFs are those functions that, when disrupted, would have material impacts on firms’ operational continuity and/or performance or the wider financial system’s stability.
Failure to comply with DORA can have significant repercussions, including fines and other penalties, as well as reputational damage. However, achieving contractual compliance by the deadline is a significant challenge; many firms are still doing the groundwork. This includes the need to:
Happily, this work does not have to be completed before contractual-compliance activities can begin. Given the looming deadline, many firms are doing this work in parallel with commencing their contractual-compliance and remediation programmes.
PwC’s (PricewaterhouseCoopers LLP’s) experience with clients has highlighted common challenges firms face in preparing for contractual compliance. Many are struggling to map the ICT services that support CIFs and non-CIFs and to identify and locate all ICT contracts requiring remediation. It can also be difficult to assess how far existing contracts already meet DORA’s requirements. In other cases, firms are receiving pushback from suppliers against DORA’s far-reaching requirements: some suppliers dispute whether their services are within its scope at all, or whether they support CIFs rather than non-CIFs.
It is also important for firms to consider how to mitigate the risks arising from not achieving full contractual compliance by January’s deadline.
The devil of DORA is in the details. The contractual requirements are a combination of those set out in DORA and additional regulatory technical standards (RTSs). All contracts between firms and suppliers must include various requirements, such as:
More onerous additional contractual requirements apply to contracts involving ICT services and systems that support the firm’s CIFs. These aim to ensure firms have robust control of such services and systems. Examples include details on whether and when subcontracting is permitted; detailed service levels; appropriate notice periods and reporting obligations; business-contingency provisions; penetration testing; audit, access and inspection rights; and exit arrangements.
DORA also addresses regulators’ determination to ensure greater transparency and control in relation to subcontracting, particularly regarding CIFs. To support this objective, the European supervisory authorities (ESAs)—the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)—drafted the Subcontracting RTS, which sets out the approach to assessing applicability, required due diligence and contractual conditions for subcontracting.
The requirements of the Subcontracting RTS are challenging because suppliers often subcontract many aspects of their services, and those subcontractors may in turn subcontract elements of the work further down the chain. Additionally, many suppliers cannot give individual customers control over whom they subcontract to, or over changes in subcontracting, because their services are provided on a one-to-many basis.
Even so, given the risks that arise from failures by subcontractors, firms must have visibility and ensure they maintain control over the subcontracting chain for services supporting CIFs. Whilst the ESAs have recognised the complexities arising from this, they reiterated the need for firms to identify the overall subcontracting chain, clarifying that they should “particularly focus their monitoring on those subcontractors that effectively underpin the provision of the service”.
To assess applicability, firms must consider factors such as their size and overall risk profile, and the nature, scale and complexity (increased or reduced) of the services, activities and operations concerned. These considerations are extensive and vary according to the nature of the ICT services, the number of subcontractors and their locations (including the location of their parent company). They will also depend on the data-processing circumstances, the impact if the subcontracted services had to be transferred, and whether the suppliers or subcontractors are authorised, registered or subject to supervision or oversight by an EU regulator or under the oversight framework.
Due diligence represents an additional burden, with firms expected to undertake significant checks before allowing a supplier to subcontract any part of its services. These include:
In addition to the general contractual requirements under DORA, the Subcontracting RTS requires firms to include additional provisions to control subcontracting, including:
DORA builds on the existing outsourcing guidelines and the ICT security risk-management guidelines issued by the ESAs (existing requirements). Firms that have already successfully complied with some or all of these requirements will have less to do to achieve contractual compliance.
The complexity and diversity of the regulatory landscape and ICT-services provision in the financial sector mean there is no single right approach to contractual compliance and remediation. PwC’s experience is that firms are adopting one of three approaches to remediation.
Some firms are taking a blanket approach, applying standard amendment templates for CIF and non-CIF contracts; this is common among those not subject to the existing requirements. Some are taking a tailored approach, applying a customised template that incorporates only those DORA contractual requirements not already covered by the existing requirements in the ICT contract; this is typically used by entities that are fully compliant with the relevant existing requirements. Others are taking a hybrid approach, with minimal customisation of standard amendment templates, e.g. to reflect definitions and key specifics of the ICT services involved.
In previous regulatory-remediation efforts (such as EBA outsourcing), firms often preferred a blanket approach. But with an increasingly complex regulatory landscape, the pushback from suppliers due to similar provisions (such as audits) having already been negotiated and the tight timeframe for achieving compliance, many firms subject to existing requirements favour the tailored approach.
Regardless of the approach adopted, a DORA contractual-compliance and remediation programme will include the following steps:
Author: Jennifer Chambers