As the clock ticks down to January 17, 2025, financial institutions and their information and communication technology (ICT) service providers are in a race against time to ensure compliance with the European Union's Digital Operational Resilience Act (DORA).

This landmark legislation is set to improve the IT security landscape for financial entities, aiming to bolster the sector's resilience against digital risks. It applies to a wide range of financial entities, including banks, payment institutions, investment firms, and insurance companies, and has consequences for their ICT service providers.

With just over a month to go, time is running out for organisations to take remedial action that may be necessary to bring their compliance programmes in line with DORA requirements.

Preparing for DORA: The Role of Addenda

Article 30 of DORA is particularly important, as it imposes specific obligations on contracts between financial entities and their ICT service providers. These requirements include provisions on data location, service levels, incident management, and termination rights, among others.

To meet these new regulatory standards, organisations should be well underway in reviewing their existing contractual arrangements and, where required, preparing DORA addenda to their contracts. These addenda need to ensure that all necessary provisions are incorporated, safeguarding compliance and mitigating risks. However, the high-level nature of some of DORA's requirements means that organisations may interpret these provisions in ways that suit their own interests, potentially leading to push-back on clauses that are either too high-level or too detailed, and in turn to protracted negotiations and a rocky transition to new terms.

Therefore, balancing compliance with flexibility is key. Given the potential for varied interpretations, it is useful to incorporate a degree of optionality into your DORA addenda. This approach allows for flexibility depending on the type of supplier and the nature of the services provided (those that support critical or important functions versus other types of ICT services).

We have been at the forefront of advising both financial entities and ICT suppliers on DORA compliance. If you need help with the final push towards achieving DORA compliance, please do reach out to a member of our team.