The Digital Operational Resilience Act (DORA) contains far-reaching digital governance obligations for financial companies. This includes, among other things, the obligation for effective ICT third-party risk management.
Behind this unwieldy term is the requirement for financial entities to manage their DORA-relevant contracts with ICT service providers effectively and demonstrably. In practice this calls for a contract management solution that is aligned with the requirements of DORA. LEDOX365 fulfills this requirement as a contract lifecycle management (CLM) solution for companies that rely on Microsoft 365. With LEDOX365, the various elements of ICT third-party risk management can be covered. With transparency across all relevant contract risks and secure data storage in the customer’s own private Azure cloud, companies can not only comply with the legal requirements, but also take their contract management to a new level.
The Digital Operational Resilience Act (DORA)
The deadline for DORA compliance is approaching. The obligations under DORA must be fulfilled by 17 January 2025. But what exactly is DORA, who does it apply to and what do companies have to do?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) sets out uniform requirements for the security of the network and information systems of financial entities. The background is twofold: on the one hand, financial entities need secure and resilient IT systems; on the other hand, the previous rules were inconsistent, very complex and implemented differently in the individual EU member states. DORA harmonizes them. The regulation applies to financial entities, which according to Art. 2 DORA include banks, trading venues, insurance companies and intermediaries, rating agencies, central securities depositories, investment firms and, in addition, ICT third-party service providers. The scope of application is broad, and any company involved in financial services should therefore carefully examine whether it falls within it.
Another new feature of the regulation is that the management body of a financial entity is assigned overall responsibility for compliance (Art. 5 DORA), meaning that its members also face a significant (personal) liability risk in the event of non-compliance.
The elements of the DORA obligations
In general, DORA and the extensive implementing regulations set out several groups of obligations. The first large area concerns ICT risk management (Art. 5-16 DORA), according to which financial entities must have effective internal governance and a documented ICT risk management framework.
A second area concerns the handling of ICT-related incidents (Art. 17-23 DORA) and contains provisions on procedures and processes in the event of such incidents, including notification and reporting to the competent authorities. The third major topic, digital operational resilience testing (Art. 24-27 DORA), is about how companies must proactively test their systems, tools and processes for weaknesses or gaps in order to prepare for ICT-related incidents.
The ICT third-party risk
Finally, Art. 28-30 DORA (the key principles of Chapter V) deal with the management of ICT third-party risk. This article focuses on these obligations. The reason for regulating (contractual) relationships with third parties is that IT services are regularly provided by third parties: financial entities are often unable to operate and administer all systems themselves and use service providers to support their business activities. However, under Art. 28 para. 1 DORA, financial entities remain fully responsible at all times for compliance with, and the discharge of, all obligations under the regulation and applicable financial services law. They must therefore manage this risk, and the underlying contractual relationships, in accordance with the DORA provisions.
This includes the following obligations:
- A register of information on all contractual arrangements on the use of ICT services must be maintained and kept up to date (Art. 28 para. 3)
- Reporting to the competent authority at least yearly on the number of new arrangements (Art. 28 para. 3), covering: (i) the use of ICT services, (ii) the categories of ICT third-party service providers, (iii) the type of contractual arrangement, and (iv) the ICT services and functions provided
- Timely information to the competent authority of any planned contractual arrangement on the use of ICT services supporting critical or important functions (Art. 28 para. 3)
- Before entering into a contractual arrangement on the use of ICT services, financial entities shall (Art. 28 para. 4): (i) assess whether a critical or important function is involved, (ii) assess whether the supervisory conditions for contracting are met, (iii) identify and assess all relevant risks, (iv) undertake all due diligence on the prospective provider and ensure its suitability throughout the selection and assessment process, and (v) identify and assess conflicts of interest
- Contractual arrangements must provide for termination in the circumstances listed in Art. 28 para. 7, such as a significant breach of applicable law, evidenced weaknesses in the provider’s overall ICT risk management, or circumstances that prevent effective supervision
- The full contract, including the service level agreements, must be set out in one written document that is available to the parties on paper or in another downloadable, durable and accessible format (Art. 30 para. 1)
- Contractual arrangements must contain certain minimum contractual elements, with additional requirements for ICT services supporting critical or important functions (Art. 30 para. 2-3)
Financial entities can only fulfill these obligations with effective IT systems and solutions. The obligations do not have to be met once, on the cut-off date of 17 January 2025, but on an ongoing basis from that date on. There are therefore two recommendations for action: firstly, to check and ensure that all existing contracts meet the requirements of DORA by 17 January 2025 (“DORA Contracting”), and secondly, to introduce and/or maintain a suitable IT management system that ensures continuous compliance with the third-party risk requirements from 17 January 2025 on (“DORA ICT Third-Party Risk Management”).
Fulfilling obligations with the LEDOX365 contract management solution
The LEDOX365 contract management solution offers a comprehensive way to carry out DORA ICT third-party risk management securely and effectively from 17 January 2025 on. With LEDOX365, DORA-relevant contracts with ICT service providers can be labeled accordingly, and the person responsible for DORA receives an automatic reminder once a year together with a draft report for the competent authority. For an agreement labeled as DORA-relevant, automatic check routines are run before the contract can be signed. The LEDOX365 AI Assistant helps to check whether the key contractual conditions are included. The documentation requirements for contracts are met with LEDOX365, and auditors can be granted limited review rights for individual contract categories (such as DORA-relevant contracts).
These functions are seamlessly embedded in the contract lifecycle management with LEDOX365. LEDOX365 makes it possible to digitally manage and simplify the lifecycle of all contracts, from creation, negotiation, approval and digital signature through the active term with reminders and notifications to termination and retention. As a private cloud application, all data remains in the customer’s secure Microsoft 365 environment. Storing all contract-relevant documents in the contract file, such as emails, drafts and materials, ensures that all matter-relevant information is stored in one place and can be accessed by any authorized person.
For more information on fulfilling DORA obligations with LEDOX365 and our contract management solution, please contact us.