
DORA Contract - Lawyer

The European regulation on digital operational resilience for the financial sector, also known as the "DORA Regulation" (Digital Operational Resilience Act), is a European directive aimed at ensuring the digital operational resilience of financial entities and ICT service providers.


Adopted by the European Union, this regulation imposes strict obligations on players in the financial sector to protect their critical activities and ensure service continuity in the event of a cyber threat or a major IT incident.


Who must comply with DORA?

DORA applies to a wide range of players in the financial sector, including:

  • Banks, insurance companies, and asset managers.
  • ICT service providers offering critical solutions to financial institutions.
  • Financial market infrastructures such as clearing houses.

Compliance with DORA notably involves specific contractual clauses, which are essential to govern relationships with providers and ensure the implementation of appropriate security measures. These obligations concern both financial institutions and their providers, underscoring the importance of compliant contracts in meeting the legal framework set out by DORA.

Why are contracts essential under DORA?

Contracts occupy a central place in the regulation, as they make it possible to clearly identify the parties' responsibilities in the event of an incident, to formalise the security measures and risk management policies imposed by DORA, and to ensure transparency and the reporting of incidents to the competent authorities.

What is a DORA RTS?

The RTS (Regulatory Technical Standards) are technical standards defined by the European Commission to set out in detail the obligations provided for by DORA. These standards specify the requirements that contracts must include, in particular the following major obligations:

  • Management of risks related to ICT providers (Chapter II of the regulation)

Financial entities must identify and assess the risks related to the technologies used, by adopting appropriate policies and procedures to minimise those risks.

  • Digital resilience testing (Chapter IV of the regulation)

Critical systems must be subjected to regular testing to ensure their ability to withstand cyber threats or disruptions.

  • Transparency of obligations (Chapter V of the regulation)

Contracts must clearly specify the parties' responsibilities, including in the event of failure.

  • Incident reporting (Chapter III of the regulation)

Contracts must include clauses specifying the deadlines and procedures for notifying incidents to the competent authorities within the required timeframes. Reports must include a detailed analysis of the incident, its impacts, and the corrective measures implemented.

To ensure compliance with the DORA Regulation, contracts between financial entities and their ICT providers must be carefully drafted and include specific clauses. A lawyer can play a key role in this process to protect companies' interests and meet the regulatory requirements.

Specific contractual clauses provided for by DORA:

To comply with DORA, contracts must include clauses covering:

  • System resilience: Obligation for providers to implement rigorous security policies.
  • Audits and controls: Right of financial entities to audit their providers to verify their compliance.
  • Service continuity: Provide for contingency plans to ensure the continuity of critical activities.
  • Penalties for non-compliance: Financial penalties or termination (Article 50 et seq.).
  • Description of services: Describe all ICT services and functions, including subcontracting conditions.
  • Data location: Define the places of processing or storage, with an obligation to give notice in the event of a change.
  • Data security: Guarantee confidentiality, integrity and availability, including of personal data.
  • Access to data: Provide for the recovery of data in the event of cessation of the provider's activity.
  • Service levels (SLA): Define performance commitments, with regular updates.
  • Assistance in the event of an incident: Assist the financial entity in the event of an ICT incident, at predefined costs.
  • Cooperation with authorities: Cooperate fully with regulators and the competent authorities.
  • Termination rights: Specify the conditions of termination and the notice periods.
Provided for informational purposes only; does not constitute legal advice.

Practical example: An ICT provider supplying critical services to a bank must include in its contract clear commitments on system availability and on the management of cyber incidents. In the event of a breach, financial penalties may be applied.


To ensure that your contracts comply with the DORA Regulation, a structured and strategic process is essential. Begin with an initial audit of existing contracts in order to identify the gaps and missing clauses in relation to DORA's requirements.

This work includes verifying the obligations related to IT operational resilience and incident reporting. Next, proceed to update or draft new clauses.

Incorporate specific clauses, such as incident reporting clauses, defining notification deadlines and the content of reports; resilience testing clauses, requiring providers to carry out regular tests; and service continuity clauses, which set out the contingency plans and guarantees to maintain critical services in the event of failure.

In addition, make sure to clearly define the parties' responsibilities in order to avoid any legal ambiguity.

A prior identification of critical services is essential. Analyse your relationships with your ICT providers to assess the potential impact of their failures on your essential activities. Once the contracts have been revised, train your teams on the new contractual obligations to ensure effective application and raise your partners' awareness of their responsibilities.

The implementation of regular monitoring and contractual audits is also necessary to verify the ongoing compliance of contracts. Document your actions and organise your contracts clearly so as to be ready to face the regulatory audits that are essential under DORA. For this step, a lawyer can support you in preparing the documents proving your compliance, in managing exchanges with the competent authorities such as the ACPR and the AMF, and in establishing internal protocols to respond effectively to future audit requests.

Without being exhaustive, the mandatory clauses are the following. They apply to all contracts, regardless of the level of criticality of the ICT services, and provide a solid foundation for governing the contractual relationship:

  • Description of services: The contract must precisely describe all ICT services and functions provided, including the conditions and limits of any subcontracting.
  • Data location: The places where data will be processed or stored must be clearly defined, with an obligation to give notice in the event of a change.
  • Data security: The contract must guarantee the confidentiality, integrity and availability of data, including personal data.
  • Access to data: Provide for provisions to recover data in the event of cessation of the provider's activities (bankruptcy, termination, etc.).
  • Service levels (SLA): Define the provider's commitments in terms of performance, with regular updates.
  • Assistance in the event of an incident: Obligation for the provider to assist the financial entity in the event of ICT-related incidents, at no additional cost or at costs defined in advance.
  • Cooperation with authorities: The provider must cooperate fully with regulators and the competent authorities.
  • Termination rights: Specify the conditions of termination and the notice periods.
  • Security training: Participation by providers in training organised by the financial entity on digital resilience.

For contracts related to critical or important functions, additional obligations are necessary to ensure enhanced monitoring and increased risk management:

  • Detailed service levels: Precise quantitative and qualitative objectives to allow rigorous monitoring and corrective actions in the event of failure.
  • Notification of major incidents: The provider must promptly inform the financial entity of any event affecting its ability to provide the services.
  • Contingency plans: The provider must have contingency plans tested regularly to ensure service continuity.
  • Security testing (penetration testing): Mandatory participation in security tests organised by the financial entity.
  • Audit rights: The financial entity must be able to audit the provider's performance, with unlimited rights of access to critical documents and infrastructures.
  • Exit strategies: Provide for a transition period during which the provider continues to supply the services in order to facilitate migration to another provider or an in-house solution.

Although the DORA Regulation imposes strict obligations on financial entities and their ICT providers, certain exemptions apply depending on the nature or size of the organisations concerned. Understanding these exceptions is essential to know whether your company is directly affected by DORA.

The exemptions mainly concern:

  1. Small and medium-sized enterprises (SMEs) (recital 42 of the regulation): ICT service providers that do not meet certain size or turnover criteria may be exempt. However, if an SME provides critical services to financial institutions, it may be indirectly affected by the contractual requirements imposed by its clients.
  2. Certain specific entities (recital 40 of the regulation): Companies operating outside the European Union may not be directly subject to DORA, unless they provide services to entities located in the EU.


Role of the competent authorities in supervising exemptions:

The competent authorities, such as the ACPR (Autorité de Contrôle Prudentiel et de Résolution) and the AMF (Autorité des Marchés Financiers), play a key role in the supervision and enforcement of DORA.

The ACPR mainly supervises banks and insurers, while the AMF focuses on financial markets and asset management companies. These authorities may grant specific derogations or assess whether an entity must comply with DORA's requirements.

Compliance with DORA's contractual requirements requires a methodical and proactive approach. Contracts with ICT providers and other critical partners must be aligned with the requirements of the DORA Regulation, failing which there is a risk of penalties or major operational disruptions.

Practical example: A company using an ICT provider to manage its critical infrastructures must ensure that the reporting and resilience testing obligations are clearly specified in the contract. In the event of an audit, these elements will be examined as a priority.

Compliance with DORA's contractual requirements is much more than a mere regulatory compliance exercise. It represents an opportunity for financial entities and their ICT providers to strengthen their IT operational resilience and ensure the continuity of their activities in the face of growing cyber threats.

Benefits of legal support for DORA compliance:

Working with a lawyer offers several key benefits:

  • Audit preparation: With a lawyer, you are better prepared for inspections by the competent authorities and any external audits.
  • Technical and legal expertise: A lawyer understands DORA's specific requirements and knows how to apply them to your context.
  • Tailoring of contracts: Your ICT contracts will be adapted to your needs, while complying with the standards imposed by DORA.
  • Proactive risk management: By incorporating robust contractual clauses, you minimise the potential impacts of ICT incidents on your company.

The issues related to DORA are complex and require specific expertise in European regulation and IT risk management. A DORA contract lawyer will be able to anticipate regulatory developments and provide you with strategic support over the long term.

➡️ Ensure the compliance of your contracts and protect your company against the risks related to DORA. Contact an expert lawyer for tailored support.


To learn more

Who must comply with the DORA Regulation?

DORA applies to a wide range of financial players: banks, insurance companies, asset managers, market infrastructures such as clearing houses, as well as ICT service providers offering critical solutions to these institutions. Its scope is therefore broad and includes the IT subcontracting chain.

Why are contracts central to DORA?

Because they make it possible to identify the parties' responsibilities in the event of an incident, to formalise the security measures and risk management policies imposed by DORA, and to ensure transparency and the reporting of incidents to the authorities. Contractual compliance is one of the major undertakings of DORA.

What is an RTS in the context of DORA?

The RTS (Regulatory Technical Standards) are technical standards defined by the European Commission to set out DORA's obligations in detail. They specify, in particular, the requirements that contracts must incorporate regarding provider risk management, resilience testing, transparency of responsibilities and incident reporting.

Which contractual clauses does DORA impose?

Contracts with ICT providers must cover system resilience, security measures, obligations to ensure the continuity of critical services, incident reporting procedures, as well as the responsibilities of each party in the event of failure. These clauses must be drafted carefully to ensure compliance with DORA.

How should provider risk management be governed under DORA?

Under Chapter V, financial entities must identify and assess the risks related to their ICT providers, and structure their contracts to ensure compliance with security and resilience standards. This often involves renegotiating existing contracts to incorporate the requirements of DORA and its RTS.

Does DORA require incident reporting in contracts?

Yes. Contracts must specify the deadlines and procedures for notifying incidents to the competent authorities, in accordance with Chapter III. Reports must include an analysis of the incident, its impacts and the corrective measures. Incorporating these clauses ensures that the chain of providers allows for compliant and coordinated reporting.

Is it necessary to renegotiate existing contracts for DORA?

Often, yes. Many provider contracts predating DORA do not contain the required clauses on security, resilience, reporting and responsibilities. Bringing them into compliance requires a mapping of the agreements and a renegotiation. This is a substantial legal undertaking, central to the DORA compliance process.

Why use a lawyer to negotiate your DORA contract?

Because DORA compliance largely relies on precise contractual clauses, at the intersection of IT contract law and financial regulation. A lawyer helps to map the contracts, to incorporate the clauses imposed by DORA and its RTS, and to protect the company's interests while complying with the regulatory framework.
