How can Contract Management support the DORA regulation?

DORA (Digital Operational Resilience Act) is the EU regulation on digital operational resilience. DORA aims to reinforce the stability of the European financial system. Despite ongoing discussions on the application of certain provisions, it is clear that the DORA regulation will have a significant impact, both on the risk management practices of financial entities and on their relationships with suppliers. Our experts take a closer look.

DORA: regulatory requirements force us to understand ecosystems in all their complexity

Against a backdrop of financial institutions' growing dependence on suppliers in the information and communication technology (ICT) sector and of their vulnerability to cyber-attacks, the DORA regulation aims to reinforce the stability of the European financial system.

Taking as its starting point the strong interdependence between European Union (EU) member states and the heterogeneity of national ICT regulations, DORA promotes a holistic approach to operational resilience and sets uniform requirements around the five pillars illustrated below.

[Figure: the five pillars of the DORA regulation]

What can we expect from January 17, 2025, when the DORA regulation comes into force?

Significant impact on financial entities' risk management practices and supplier relationships

Despite ongoing discussions on the application of certain provisions, it is already clear that the DORA regulation will have a significant impact on the risk management practices of financial entities and their relationships with suppliers.

From the introduction of stricter security standards to more stringent reporting, auditing and monitoring requirements, DORA further complicates the relationship between principals and suppliers, making the former accountable in the event of a third-party failure and/or non-compliance that impacts their operations or those of their customers.

This responsibility makes it necessary to closely monitor suppliers and proactively manage the associated risks, and leads to increased sophistication in supplier relationship management processes and associated costs (e.g. continuous monitoring).

The measures provided for in the DORA regulation may not be sufficient to ensure proper control of operational risks.

To facilitate this process, the DORA regulation provides for shared systems, managed at European level. Although these systems are important tools for financial institutions, they may not be sufficient to ensure effective control of operational risks, given the diversity and interdependence of supplier portfolios.

Indeed, while the DORA oversight framework provides for investigations, inspections and recommendations (including the publication of a list of strategic suppliers), it is not intended to set ceilings or strict limits on exposure to third-party risk. Implementation of the DORA principles is therefore the responsibility of the financial entities themselves, which are accountable for the proper management of their supplier portfolios.

Consequently, securing ICT supplier relations requires a proactive approach that takes operational risk into account right from the supplier selection and contracting stage.

Contract management: a vector for operational resilience

Frequently underused, contract management is a recognized lever for overall performance and, more specifically, for controlling operational risk. It makes it possible to structure, frame and operate customer-supplier relations in a context of increasing regulatory requirements and low tolerance for service performance risks.

In addition to overseeing the drafting and signing of legal instruments, good contract management requires the adoption of an ex-ante contracting strategy that defines the company's risk management stance, the criteria for choosing suppliers and the preferred contractual arrangements.

In particular, this framework supports "Know your supplier" approaches and naturally facilitates the assessment of current and potential suppliers in terms of operational resilience.

What is the initial feedback from the most advanced companies?

Setting up a contract management function

As part of the implementation of directives on Outsourced Core Services, some leading financial institutions have set up a contract management function to better control the operational and contractual risks generated by the outsourcing of strategic activities.

The maturity now acquired by this function enables these players to effectively absorb the new obligations imposed by the DORA regulation, by relying on the contractual processes and tools already in place. More specifically, the contractual maturity and compliance diagnostics and the review of key contracts carried out beforehand have enabled them to define mitigation and monitoring strategies, and to optimize the management of their supplier portfolio.

Adoption of Contract Lifecycle Management (CLM) tools

Other companies have opted for Contract Lifecycle Management (CLM) tools to automate, improve and secure their contractual processes. An emerging segment of the market, these tools enable close monitoring of contractual obligations (e.g. milestones, tracking of amendments) and improved governance of contract portfolios.

CLM solutions are frequently coupled with existing procurement or Source to Pay (S2P) solutions.

Good control of contractual risks and the associated supplier relationship management practices enable the most advanced companies to identify the impact of regulatory changes on their contract portfolio, and to define and implement a compliance path more easily.

What are the obstacles to be anticipated in complying with the DORA regulation?

Following this compliance path depends on the support of the suppliers concerned, which makes the contractual negotiation phases a decisive factor in achieving compliance.

While IT service providers based in the EU are also subject to the DORA regulation (with the exception of micro-enterprises) and must comply with its principles, difficulties are to be expected when negotiating with non-European suppliers. More specifically, the increased contractual professionalism of suppliers and their efforts to standardize services and legal instruments are leading to complex negotiations.

Against this backdrop, some industry players are already training the teams concerned (e.g. lawyers, buyers) and reviewing their negotiation strategies so that the minimum guarantees set out in the DORA regulation are taken into account upstream of the choice of supplier.

Where non-EU ICT providers do not agree to these terms, and depending on the criticality of the relationship (e.g. data sensitivity, vulnerabilities), financial entities are encouraged to change service provider or to bring the scope concerned back in-house, depending on the complexity of the service or solution provided.

In this context, a number of companies are seeking support in (re)defining their outsourcing strategy, in order to better control risks and manage their in-house skills.

How can iQo help you on your journey?

With recognized expertise in the regulatory and operational aspects of contract management and in digital resilience, we can guide you through the entire lifecycle of your contracts, using them as a catalyst for your company's overall performance.

By defining contractual performance factors and their interactions with operational risks, we ensure that resilience is taken into account natively in the contractual governance of your services.

Contact us to find out more!

Teresa DORNER, iQo Consulting Director

Fernanda FREITAS, iQo Manager