The EU DORA regulation requires companies in the financial sector to take a wide range of aspects into account when it comes to contractual agreements with third-party ICT providers. These include the regulatory obligations of financial companies and the binding cooperation of service providers with the competent authorities. In addition, the regulatory framework in Article 8 of the “Draft RTS to specify the policy on ICT services supporting critical or important functions” provides for additional minimum contractual clauses: For example, terms on security requirements, incident reporting, the processing and storage of data, the verifiability of robust emergency and recovery plans and termination and transitional arrangements.
For financial companies, this means reviewing their entire contract portfolio with third-party ICT providers for DORA compliance and amending inadequate documents by concluding new supplementary agreements.
High workload and tight resources
As resources in operations are often tight and already tied up, financial companies face the challenge of completing these activities in time for the implementation deadline on January 17, 2025.
However, the contract portfolio analysis does not only concern “significant outsourcing”, as previously known from the EBA guidelines on outsourcing, but all IT services that a financial company procures. In practice, this can mean several hundred contracts that need to be meticulously reviewed. In many cases, the wording of individual clauses also depends on the details, which makes the review and revision process very time-consuming.
For example, DORA provides for realistic, comprehensive and professional penetration tests that cover all relevant functions. Security checks on isolated test systems are not sufficient to meet the requirements of the regulation. If the existing contracts take into account “simple” but not penetration tests against productive systems, the agreements must be adapted accordingly.
Artificial intelligence as a game changer
Fabasoft DORA provides assistance at this point with an AI-supported compliance analysis of the contract portfolio. The software independently identifies deviations from the DORA regulations and prepares the results in a neat format. The marked and extracted content from the respective contract files saves users from having to search through their documents manually.
If there is a need for action on contracts, the tool automatically generates the necessary supplementary agreements based on the clause library. The required approval and signing processes, including an integrated digital signature, then start as an option. The external partners are directly integrated into the workflows to avoid media disruptions.
The AI- assisted procedure eliminates the need to manually search through and compare documents and enables the entire archive to be checked quickly - even for extensive contracts. In addition to significantly reducing the workload, the software also minimizes risks and ensures reliable adherence to compliance requirements.
Find out more about the features of Fabasoft DORA here.
