
IT Procurement Standards Set by DORA: Guidelines for IT Acquisitions

DORA's role in the procurement of IT services is explained by lawyer Josefine Spengler, who highlights the critical aspects that financial institutions must consider now.

IT procurement obligations specified by DORA (Digital Operational Resilience Act)


Under the Digital Operational Resilience Act (DORA), financial institutions are required to include specific contractual provisions when engaging external IT service providers (ICT third-party providers). These provisions aim to ensure operational resilience and manage ICT risks effectively.

DORA sets forth a comprehensive contractual framework that includes key elements such as ICT risk management, incident reporting, operational resilience testing, audit and assurance rights, exit strategies and contingency plans, data protection, ongoing monitoring and due diligence, and the maintenance of a register of ICT services and third-party providers.

Financial institutions must require third-party providers to maintain robust ICT risk management practices and participate in regular digital operational resilience testing. Providers are also expected to agree to timely notification of any ICT-related incidents and secure rights for financial institutions to perform audits or require external audits of the third-party ICT services.

Contracts should incorporate clear exit mechanisms and contingency plans to ensure continuity and prevent disruptions if the provider relationship ends or fails. Additionally, provisions ensuring compliance with data protection requirements must be included.

Financial institutions must establish continuous oversight of third-party performance and compliance with contractual obligations, adapting contracts where necessary to reflect changes or emerging risks. For providers designated as critical under DORA, institutions must submit to enhanced supervisory oversight.

Josefine Spengler, a lawyer and specialist in IT law, explains these requirements in the podcast "Alles Legal - Fintech Law Compact". She recommends a realistic assessment of risks and internal safeguards through additional measures.

DORA affects various digital services such as cloud providers, developers, telecommunications services, and more. Existing contracts must now be reviewed and potentially adjusted to comply with DORA's requirements.

While the complexity of DORA's requirements may seem daunting, practical action can be taken. Josefine Spengler discusses a practical first inventory and prioritization in the podcast.

Dana Wondra, a consultant and project manager at GOLT Coaching and Senior Manager Marketing at Payment & Banking, also discusses DORA in the podcast. She has worked in public relations and marketing, in particular on Olympic campaigns; she has been a consultant and project manager at GOLT Coaching since June 2022, and since August 2023 she has strengthened the Payment & Banking team as Senior Manager Marketing.

Financial institutions working with external IT service providers must prepare for the new requirements under DORA in order to maintain control over third-party ICT risks and to uphold the continuity and resilience of essential financial services. The supervisory authority does not expect perfect contracts, but traceable, documented progress. Companies must keep an overview of the extensive catalog of services affected by DORA.

Financial institutions must ensure that their contracts with third-party providers include provisions for robust technology-related risk management, regular digital operational resilience testing, and secure audit rights to maintain the continuity and resilience of essential financial services. The implementation of these provisions, as mandated by the Digital Operational Resilience Act (DORA), should encompass key elements such as data protection, ongoing monitoring, due diligence, and the maintenance of a register of ICT services and providers.
