The management of ICT service providers is a key pillar of the Digital Operational Resilience Act. The EU regulation obliges financial companies to document all procured IT services completely and transparently in the form of an information register. This must contain detailed information on suppliers and IT services, including all contracts and a wide range of evidence and checks such as due diligence, risk assessments and exit strategies. With the implementation deadline of January 17, 2025 approaching, it is important for the more than 22,000 companies affected to take the necessary measures in good time.
In the FCH online seminar "Digital Contract Management and DORA", Marcus Michel, CEO of FCH AG, and Robin Schmeisser, Managing Director of Fabasoft Contracts GmbH, spoke about the latest news on DORA and how the regulation can be implemented with the help of smart tools. Stefan Kressig, an expert in IT law at SV Informatik GmbH, then reported on how the company is tackling the increasing regulatory requirements in practice with digital contract management.
Key role of digitalization
In order to meet the new documentation and reporting requirements of DORA quickly and efficiently, the entire outsourcing process needs to be seamlessly digitalized, including the reporting required from a regulatory perspective. It is therefore essential to start digitalization right from the initial sourcing of suppliers and the associated contract management. Smart software that specializes in DORA, such as Fabasoft DORA, saves valuable resources, increases transparency, minimizes risks and ensures that information is always available for ad hoc requests. This eliminates the need for multiple tasks such as manually setting up and maintaining lists, calendar entries and evaluations.
Standardized procedure along the outsourcing cycle
Initial classification of ICT service providers:
Defined templates and checklists as well as automated summaries simplify the preliminary decision regarding possible outsourcing. Following a positive assessment, standardized review processes involve all stakeholders in the workflows and ensure full compliance with regulatory requirements. For example, when a new ICT service provider is created in the system, the software automatically initiates the collection of the necessary documents, including risk assessments, essentiality assessments, exit strategies, certificates and service descriptions. Set deadlines trigger reminders and, if necessary, escalation workflows that remind users in good time of upcoming activities (e.g. recurring checks or renewal of certificates).
Contract creation:
In addition, digital processes and standardized templates support the legally compliant creation of contracts. DORA-specific information such as the evaluation of the outsourcing, the description of the outsourcing object or the documentation of the assets is transferred directly from the file to the contract. The required clauses are applied and managed reliably and in a controlled manner using the clause library. Smart tools also actively integrate suppliers into the workflows for seamless collaboration. The partner receives access to the required files and can share documents, edit questionnaires or digitally sign contracts themselves.
Reporting:
All these process steps are audit-proof thanks to electronic workflow signatures and can be traced directly in the system. Monitoring reports provide an overview of open activities and ensure the completeness of evidence and documentation. This means that those responsible always know the status of their outsourcing and can prove at any time, especially in audit situations, that all activities have been carried out. Audit reports such as the information register can be easily generated for recurring or event-driven reporting in accordance with the implementing technical standards (ITS). This also ensures ad hoc information capability in the event of spontaneous requests from the authorities.
Practical insight: Digital contract management at SV Informatik
SV Informatik GmbH is itself affected by extensive regulation, including in the areas of IT (DSA, NIS2), finance (Solvency II, DORA) and sustainability (LkSG). Due to the rapidly growing and changing legal requirements, the increasing complexity of contract management and the shortage of specialists, the subsidiary of SV SparkassenVersicherung decided to digitize its business processes relating to contract management. In the webinar, Stefan Kressig explains the company's requirements for a digital tool and how those responsible implemented them using a "do-it-yourself" approach with the help of Fabasoft Contracts.
You can find the full recording of the webinar here (only available in German).