Ensuring DORA Compliance
The Digital Operational Resilience Act (DORA) takes effect on January 17, 2025, prompting the European Supervisory Authorities to urge financial entities and third-party ICT providers to expedite their preparations. The ongoing contract remediation exercises are crucial for compliance, and financial entities are advised to take a pragmatic approach in negotiating changes with ICT providers. This involves critically analyzing DORA provisions from a supplier’s perspective to avoid imposing terms unlikely to be accepted.
A key issue in these negotiations is the requirement for termination rights under DORA. The regulation mandates that contracts must allow termination if ICT third-party risks threaten the performance of contractual functions. However, the broad and vague nature of these requirements often makes them unacceptable to ICT providers. Financial entities and ICT providers are encouraged to translate these provisions into workable contractual mechanisms, ensuring contracts can be terminated in cases such as insolvency or material breach.
The regulatory technical standards (RTS) accompanying DORA also apply from January 17, 2025. Uncertainty around the finalization of the RTS on subcontracting has caused delays in contract remediation. The European Commission plans to adopt these standards in early 2025, but the delay has led to hesitancy among ICT providers to agree to the current draft. Financial entities may need to revise contracts again once the RTS is finalized.
In light of the upcoming DORA deadline, financial entities should not delay in engaging with ICT providers to ensure compliance. While the final subcontracting RTS remains pending, entities can work with the current draft to prepare for seamless integration once it is adopted by the European Commission.