What does DORA mean for your contracting policy?
In a previous article, Maeve wrote about what DORA means for UK financial services businesses and suppliers to EU financial services businesses at a high level.
Maeve’s article goes into more detail about what DORA is and who is in scope, but a TLDR version as a reminder for this article:
DORA is an EU regulation that applies to financial services businesses with operations in the EU, and IT service providers providing services to them; and
it introduces stricter outsourcing requirements re: IT service providers, and extends those requirements to a far wider category of financial services businesses.
As contract lawyers, we at Tacit Legal are unsurprisingly most interested in what it means for our clients’ contracts and contracting policies.
Commission Delegated Regulation (EU) 2024/1773 (the “Contracting Policy Delegated Regulation”) sets this out relatively neatly (at least for EU regulation!).
Pre-contract risk assessment
Anyone working in or around IT, legal or procurement in a regulated business will be familiar with risk assessments for infosec, data and operational risk.
However, relatively few will be familiar with contractual supply chain risk being assessed in a similar standardised, structured or formalised way.
Under the Contracting Policy Delegated Regulation, an in-scope business’s policy on the use of IT services supporting critical or important functions must require a pre-signature risk assessment.
That risk assessment must cover the usual infosec, data and operational risk. But of interest to contract lawyers, it must also consider:
legal risks;
reputational risks;
risks linked to the availability of data (which overlaps with infosec);
risks linked to the location where the data is processed and stored; and
risks linked to the location of the vendor.
But don’t we already risk assess these things when reviewing supplier contracts?
Absolutely. However:
the contracting policy must specifically require contracts to include each of the contractual provisions required by Article 30 of DORA;
quite apart from the general good practice of making compliance with policies monitorable, DORA has very strict reporting and record keeping requirements*; and
a formal risk assessment implies a need for a higher degree of consistency in how you score risk.
* Here at Tacit, we were hoping the record keeping and reporting requirements would be less than DORA originally implied. However, the latest report on the proposed technical standards for registers of information is more detailed, specific and complicated than any regulation we have seen before.
Contracting policies will therefore need to ensure that:
data on contractual risk is collected and kept in a way that enables reporting;
there is at least some degree of risk scoring; and
there is at least some degree of consistency to the way exceptions are granted.
What does this mean for contract reviews?
We are big believers in implementing contract risk policies generally, as they:
make it much easier to empower the business to self-serve;
enable quick decisions by focusing the mind and having clear and specific escalation paths; and
done well, allow you to have oversight of more contracts with less resource.
However, as we have previously written about, we acknowledge that they are difficult to implement, particularly in smaller in-house teams.
So what might that look like when it comes to DORA? At a minimum we think it means:
a clear list of the issues that you will review each contract for;
the format and means in which you will record data about those issues;
those issues’ relative importance to one another; and
who within your organisation may sign off on an exception to each of those issues.
Ideally you’d also:
have different policies for critical and non-critical IT services (rather than applying a higher standard to all); and
provide clear guidance on (a) when an issue is particularly important, or less important; and (b) the legal and operational mitigations that could be put in place for each issue if it can’t be negotiated away, which can then be referenced in any exceptions granted.
How can we help?
We’ve tried and tested the above approach, and we’ve built our own technology platform to:
make the policy effortless to manage, enforce and report on for the in-house team;
make the output easy to digest, particularly for non-lawyer stakeholders and decision makers; and
make it simple for the person carrying out the review to quickly and consistently apply that policy.
Even better – our managed contract review service provides:
all of the knowledge and know-how required to implement a DORA contract risk policy; and
on-shore qualified lawyers to carry out the reviews, at a fraction of the cost of instructing a traditional firm to do so.