-
Contract Drafting in the Context of the DORA Regulation – What Do Financial Companies Need to Observe?
ICT contracts under DORA: Between minimum standards and power shifts. The regulation not only sets high requirements for digital resilience, but also changes the dynamics of contract negotiations. Financial companies must now enforce strict requirements—but which services actually fall under DORA, and how can exit strategies, audit rights, and risk management be regulated in a contractually watertight manner?
-
New Implementation Guidance from BaFin on the Simplified ICT Risk Management Framework
DORA implementation: BaFin specifies requirements for the simplified ICT risk management framework. BaFin provides financial companies with an overview of documentation, security measures, and processes for the simplified ICT framework, but emphasizes that the content must be tailored to each individual case in accordance with the principle of proportionality.
-
News on Financial Entities as ICT Third-Party Service Providers and on Subcontracting under DORA
The current draft of the outstanding regulatory technical standards (RTS) for DORA still contains some ambiguities, particularly regarding the classification of financial entities as ICT third-party service providers. EIOPA has now issued interpretation notes to reduce these ambiguities. There has also been movement on the subject of RTS for subcontracting. An overview.
-
Getting Ready for DORA (Part VII) – Which Financial Companies Benefit From the Simplified ICT Risk Management Framework?
From January 2025, DORA will introduce uniform requirements for ICT security, but exceptions for smaller financial institutions will provide a degree of relief. Nevertheless, differences between EU member states will remain due to national implementation leeway.
-
Getting Ready for DORA (Part VI) – Only a Financial Company or Already ICT Third-party Service Provider?
DORA places new demands on the digital resilience of financial companies, while the distinction between financial and ICT services raises questions in detail. Clear principles for interpreting the regulations are urgently needed to create legal certainty for the industry.
-
Getting Ready for DORA (Part V) – Contract Negotiations After DORA Comes Into Force – Who Will Have the Upper Hand?
DORA significantly restricts the contractual freedom of financial companies and ICT third-party service providers by imposing a number of mandatory requirements on the drafting of contracts. This could put medium-sized financial companies in particular in a stronger negotiating position, while even large ICT providers will be obliged to implement the new requirements.
-
Getting Ready for DORA (Part IV) – Are Agreements on Audit Rights also Mandatory Outside of Outsourcing Agreements?
DORA obliges financial institutions to manage ICT third-party risk through appropriate contract design. To this end, DORA specifies minimum content that is intended to strengthen the position of the financial institution and increase security. But what consequences does this have for future and existing contracts?
-
Getting Ready for DORA (Part I) – High Impact on Small Companies in the Financial Sector?
DORA imposes a number of new obligations on financial companies. This can be particularly burdensome for small companies. But who actually falls within the scope of the regulation and are the rules the same for everyone affected?