DORA standards should spur contract remediation work, say experts

Rich Manley and Janusz Klich of Pinsent Masons said that the prospect of the EU’s Digital Operational Resilience Act (DORA) beginning to apply, from 17 January 2025, has already prompted banks, insurers, investment firms and other financial institutions – as well as their ICT service providers – to commence extensive contract remediation work.

For financial institutions, DORA effectively codifies aspects of existing regulatory guidelines – on outsourcing and on ICT risk management – and provides a single, harmonised EU rulebook for all financial entities pertaining to operational resilience and ICT-related risk.

For service providers, they can expect the DORA requirements on financial institutions to flow down into their contracts, while DORA also provides for direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance.

Manley said: “In EU financial services, DORA moves the dial in increasing compliance obligations pertaining to how financial institutions and service providers manage operational resilience and ICT risk. For businesses subject to the DORA regime, it necessitates changes to internal policies and procedures, and in turn, that relevant contracts are updated to reflect the new requirements. For the largest financial institutions offering different services in multiple jurisdictions, there can be several hundred contracts that need updating. This can be a complex exercise.”

While DORA itself sets out overarching requirements in-scope businesses will need to meet, much of the detail on what those businesses need to do to achieve compliance will be set out in regulatory technical standards (RTS). DORA mandates EU supervisory authorities in financial services to develop such standards, although it is ultimately the responsibility of the European Commission to adopt them. On 25 June 2024, the first set of adopted RTS under DORA were published in the Official Journal of the EU. They will take effect on 15 July 2024.

Manley and Klich said that confirmation of the first set of RTS – which cover matters such as requirements for ICT risk management; the classification of ICT-related incidents and cyber threats, to support with reporting obligations under DORA; and the contents of the policy firms must develop regarding their contracting with ICT third-party service providers over the use of ICT services supporting critical functions – provides a trigger point for businesses to accelerate their preparations.

Klich said: “Finalisation of some of the RTS is an important milestone that allows businesses to move forward with remediating their contracts. Businesses will naturally look for ways to complete that exercise cost-effectively and in a structured way.”

“For updating hundreds of contracts, institutions might have previously been minded to engage a number of different law firms to review and update the relevant contracts, but this can be expensive and lead to inconsistencies in how different contracts with different parties in different jurisdictions address similar issues – like how risk should be managed or other aspects pertaining to compliance be achieved. Some undertakings might engage standalone alternative legal service providers to mitigate costs, but a comprehensive legal advisory role would still need to be performed so as to set out key legal parameters and ensure quality of the legal output,” he said. A hybrid that harnesses the legal expertise and capacity of the law firm and matches it with managed legal services capabilities within the same organisation could be the best approach, he added.

By adopting a hybrid approach, organisations can access flexible legal resources and benefit from technology and process change. In the context of contract remediation projects, businesses stand to benefit from a standardised process across the full suite of contracts, where technology can be harnessed to support with document review and document production on a mass scale by a legal resource that can be scaled up and scaled down to manage changes in workload demands during the project. At the same time, any complex legal issues can be escalated to specialist legal practice groups.

Klich said: “By operating a standardised process and using technology, gap analysis, contract drafting and subsequent negotiations can be performed at scale more efficiently and enable the full suite of contracts to be updated in a consistent way to reflect legal and regulatory requirements.”

For financial institutions and service providers that operate globally, DORA is not the only operational resilience regime they might need to factor into a contract remediation project. In UK financial services, for example, financial institutions have to consider the supervisory statements issued by the Financial Conduct Authority, Prudential Regulation Authority, and/or the Bank of England, depending on the nature of their operations. Similar requirements were also published by Australian and Singaporean regulators.

Klich said: “It will not always make commercial sense for contracts in one jurisdiction to reflect higher regulatory standards applicable in another. However, it does make sense for the contracts to be developed with reference to a global template; that businesses can refer to  a global playbook that provides a neat summary of how their full suite of contracts address common issues; and that contractual terms be embedded into technology solutions – together this will enable businesses to perform compliant processes and operate and, as necessary, enforce contractual provisions more easily once the new agreements are in effect. This is what bringing specialist lawyers together with managed legal services capabilities can look like in practice.”

Manley added: “In this regard, managed legal services can help in-house legal teams to deliver burdensome contract remediation projects in a cost-effective and standardised way and sets them up to transform the way they operate going forward.”