          19.04.2024

          With the Digital Operational Resilience Act (DORA), for the first time at the European level, a regulation comes into force requiring European financial institutions to extend their business continuity and disaster recovery processes to their entire supply chain, including their critical service providers.

          New mandatory minimum requirements for service contracts and an approval process by the European Service Authorities (ESAs) are forcing financial institutions to be “DORA-ready” by January 2025:

          • All contractual agreements must meet certain (minimum) requirements (see also Art. 30 para. 2 DORA). For contracts with identified critical service providers, additional stringent requirements apply (see Art. 30, para. 3).
          • DORA regulates which service providers will be considered critical in the future in Art. 31 No. 2.

          From the aforementioned points, we arrive at a few possible uncertainties:

          • Will the future standard contract clauses (which do not exist today) lead to the inability to conclude framework contracts, as there will be a need for a separate, dedicated contract for each managed service in the future?
          • Will there be prohibitions on certain services or providers already at the initial registration stage? And if so, how will these be justified (e.g., concentration risk from hyperscalers), and what measures and alternatives will arise from this?

          What will certainly continue to apply in implementing all these changes is the principle of proportionality. Nevertheless, the transition of all contracts remains an immense undertaking that companies must be prepared for. DORA states strictly in Article 69: “When renegotiating contractual arrangements to seek alignment with the requirements of this Regulation [Note: not yet given], financial entities and ICT third-party service providers should ensure the coverage of the key contractual provisions as provided for in this Regulation.”

          This may sound like a farce. Nonetheless, financial institutions and their service providers are already required to be aware of their responsibility and accordingly create an implementation plan for the earliest possible implementation (Art. 3 para. 2 RTS-E TPPol).

          Are you working for a financial institution or a (potential) critical service provider?

          If so, do not hesitate: start adapting your contracts and preparing for the approval process.

          If you have any questions, we are happy to assist.

          Cover image credits – Mike Kononov on Unsplash
