The European regulation on digital operational resilience for the financial sector, known as DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), is an EU regulation, not a directive: it applies directly in every Member State without national transposition and has applied since 17 January 2025. It aims to ensure the digital operational resilience of financial entities and of the ICT third-party service providers on which they rely.
The regulation imposes strict obligations on players in the financial sector to protect their critical or important functions and to ensure continuity of service in the event of a cyber threat or a major ICT incident.
DORA applies to a wide range of players in the financial sector: banks, insurance companies, asset managers, market infrastructures such as clearing houses, as well as the ICT service providers supplying critical solutions to these institutions.
Compliance with DORA notably involves specific contractual clauses, which govern relationships with ICT providers and ensure that appropriate security measures are actually implemented. These obligations bind the financial entity, which remains fully responsible for its own compliance towards its supervisor, and are passed on to its providers through the contract; compliant contracts are therefore central to meeting the legal framework set out by DORA.
Contracts occupy a central place in the regulation: they identify each party's responsibilities in the event of an incident, formalise the security measures and risk management policies imposed by DORA, and secure the information flows the financial entity needs in order to report incidents transparently to the competent authorities.
The RTS (Regulatory Technical Standards) are technical standards drafted by the European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the European Commission as delegated regulations; they set out in detail the obligations provided for by DORA. Together with Article 30 of the regulation, they specify the requirements that contracts must cover as major obligations, in particular:
Risk management: financial entities must identify and assess the risks related to the technologies and providers they use, and adopt appropriate policies and procedures to minimise those risks.
Resilience testing: critical systems must be subjected to regular testing to verify their ability to withstand cyber threats or disruptions.
Transparency of responsibilities: contracts must clearly allocate the parties' responsibilities, including in the event of failure.
Incident reporting: contracts must specify the deadlines and procedures for notifying incidents, so that the financial entity can meet its own reporting deadlines towards the competent authorities. Reports must include a detailed analysis of the incident, its impacts and the corrective measures implemented.
To ensure compliance with DORA, contracts between financial entities and their ICT providers must be carefully drafted and include specific clauses. A lawyer can play a key role in this process, protecting the company's interests while meeting the regulatory requirements.
To comply with DORA, contracts must include clauses covering system resilience, security measures, obligations to ensure the continuity of critical services, incident reporting procedures, and the responsibilities of each party in the event of failure.
Practical example: an ICT provider supplying critical services to a bank must commit contractually to clear system availability targets and to defined procedures for managing cyber incidents. If it breaches those commitments, contractual financial penalties may apply.
To ensure that your contracts comply with the DORA Regulation, a structured and strategic process is essential. Begin with an initial audit of existing contracts in order to identify the gaps and missing clauses in relation to DORA's requirements.
This work includes verifying the obligations related to IT operational resilience and incident reporting. Next, proceed to update or draft new clauses.
Incorporate specific clauses, such as incident reporting clauses, defining notification deadlines and the content of reports; resilience testing clauses, requiring providers to carry out regular tests; and service continuity clauses, which set out the contingency plans and guarantees to maintain critical services in the event of failure.
In addition, make sure to clearly define the parties' responsibilities in order to avoid any legal ambiguity.
A prior identification of critical or important functions is essential. Analyse your relationships with your ICT providers to assess the potential impact of their failure on those functions. Once the contracts have been revised, train your teams on the new contractual obligations to ensure effective application, and raise your partners' awareness of their responsibilities.
Regular monitoring and contractual audits are also necessary to verify the ongoing compliance of contracts. Document your actions and organise your contracts clearly so as to be ready for the supervisory reviews DORA provides for. For this step, a lawyer can support you in preparing the documents proving your compliance, in managing exchanges with the competent authorities such as the ACPR and the AMF, and in establishing internal protocols to respond effectively to future audit requests.
Without being exhaustive, the mandatory clauses set out in Article 30 of DORA are the following.
These clauses apply to all contracts, regardless of the level of criticality of the ICT services, and provide a solid foundation for governing the contractual relationship (Article 30(2)): a clear and complete description of the functions and ICT services provided, indicating whether subcontracting is permitted and under what conditions; the locations (regions or countries) where the services are provided and where data is processed and stored, with advance notice of any change; provisions on the availability, authenticity, integrity and confidentiality of data, including personal data; guarantees of access to, recovery and return of the financial entity's data in the event of the provider's insolvency, resolution, cessation of business or termination of the contract; service level descriptions and their updates; the provider's obligation to assist the financial entity, at no additional cost or at a cost set in advance, when an ICT incident related to the service occurs; the provider's obligation to cooperate fully with the financial entity's competent and resolution authorities; termination rights and the related minimum notice periods; and the conditions for the provider's participation in the financial entity's security awareness and resilience training programmes.
For contracts related to critical or important functions, additional obligations are necessary to ensure enhanced monitoring and increased risk management (Article 30(3)): full service level descriptions with precise quantitative and qualitative performance targets, allowing effective monitoring and prompt corrective action; notice periods and reporting obligations of the provider towards the financial entity, including notification of any development that might materially affect its ability to deliver the service; requirements for the provider to implement and test business contingency plans and to maintain appropriate ICT security measures, tools and policies; the provider's obligation to participate and cooperate fully in the financial entity's threat-led penetration testing (TLPT); the financial entity's right to monitor the provider's performance on an ongoing basis, including unrestricted rights of access, inspection and audit (or alternative assurance levels agreed where those rights would jeopardise the provider's other clients); and exit strategies, including a mandatory adequate transition period allowing the financial entity to migrate to another provider or bring the service in-house without disruption.
Although DORA imposes strict obligations on financial entities and their ICT providers, certain exemptions apply depending on the nature or size of the organisations concerned. Understanding these exceptions is essential to know whether your company is directly affected by DORA.
The exemptions mainly concern entities excluded from the scope by Article 2(3) of the regulation, such as managers of alternative investment funds benefiting from the AIFMD registration regime, insurance and reinsurance undertakings exempted under Solvency II, occupational retirement institutions whose schemes have no more than 15 members in total, persons exempted under MiFID II, insurance intermediaries that are micro, small or medium-sized enterprises, and post office giro institutions. In addition, Article 16 provides a simplified ICT risk management framework for certain small entities, notably small and non-interconnected investment firms, payment institutions and electronic money institutions exempted under the applicable payment services and e-money directives, and small occupational retirement institutions.
The competent authorities, such as the ACPR (Autorité de Contrôle Prudentiel et de Résolution) and the AMF (Autorité des Marchés Financiers), play a key role in the supervision and enforcement of DORA.
The ACPR mainly supervises banks, payment institutions and insurers, while the AMF focuses on financial markets and asset management companies. These authorities supervise compliance and assess whether, and to what extent, an entity must comply with DORA's requirements.
Compliance with DORA's contractual requirements calls for a methodical and proactive approach. Contracts with ICT providers and other critical partners must be aligned with the requirements of the regulation, failing which there is a risk of supervisory sanctions or major operational disruptions.
Practical example: a company using an ICT provider to manage its critical infrastructure must ensure that the reporting and resilience testing obligations are clearly specified in the contract. In the event of a supervisory review, these elements will be examined as a priority.
Compliance with DORA's contractual requirements is much more than a mere regulatory compliance exercise. It represents an opportunity for financial entities and their ICT providers to strengthen their IT operational resilience and ensure the continuity of their activities in the face of growing cyber threats.
Working with a lawyer brings specific expertise. The issues related to DORA are complex and sit at the intersection of European financial regulation, IT contract law and ICT risk management. A DORA contract lawyer can map and renegotiate the contracts concerned, incorporate the clauses imposed by DORA and its RTS, anticipate regulatory developments, and provide strategic support over the long term.
To learn more
Who does DORA apply to?
DORA applies to a wide range of financial players: banks, insurance companies, asset managers, market infrastructures such as clearing houses, as well as ICT service providers offering critical solutions to these institutions. Its scope is therefore broad and includes the IT subcontracting chain.
Why are contracts central to DORA compliance?
Because they make it possible to identify the parties' responsibilities in the event of an incident, to formalise the security measures and risk management policies imposed by DORA, and to ensure transparency and the reporting of incidents to the authorities. Contractual compliance is one of the major undertakings of DORA.
What are the RTS?
The RTS (Regulatory Technical Standards) are technical standards drafted by the European Supervisory Authorities and adopted by the European Commission to set out DORA's obligations in detail. They specify, in particular, the requirements that contracts must incorporate regarding provider risk management, resilience testing, transparency of responsibilities and incident reporting.
What must contracts with ICT providers cover?
Contracts with ICT providers must cover system resilience, security measures, obligations to ensure the continuity of critical services, incident reporting procedures, as well as the responsibilities of each party in the event of failure. These clauses must be drafted carefully to ensure compliance with DORA.
What does DORA require regarding ICT third-party risk?
Under Chapter V, financial entities must identify and assess the risks related to their ICT providers, and structure their contracts to ensure compliance with security and resilience standards. This often involves renegotiating existing contracts to incorporate the requirements of DORA and its RTS.
Must contracts include incident reporting clauses?
Yes. Under Chapter III, the obligation to report major ICT-related incidents to the competent authority rests with the financial entity, so its contracts must require providers to notify it of incidents within deadlines short enough for it to meet its own reporting timeline. Reports must include an analysis of the incident, its impacts and the corrective measures. Incorporating these clauses ensures that the chain of providers allows for compliant and coordinated reporting.
Do existing contracts need to be renegotiated?
Often, yes. Many provider contracts predating DORA do not contain the required clauses on security, resilience, reporting and responsibilities. Bringing them into compliance requires a mapping of the agreements and a renegotiation. This is a substantial legal undertaking, central to the DORA compliance process.
Why work with a lawyer?
Because DORA compliance largely relies on precise contractual clauses, at the intersection of IT contract law and financial regulation. A lawyer helps to map the contracts, to incorporate the clauses imposed by DORA and its RTS, and to protect the company's interests while complying with the regulatory framework.