Financial institutions and ICT suppliers are updating their contracts to comply with the Digital Operational Resilience Act (DORA), which affects agreements such as those covering outsourced services and software.
Templates are used for medium- to low-risk services, but high-risk services need tailored approaches. Compliance must align with existing regulations such as the GDPR and the EBA Outsourcing Guidelines. The process is challenging due to tight timelines and internal dependencies.
“The CSSF DORA readiness survey revealed that, as of last September, 70% of institutions considered themselves partially or not ready when it comes to ICT third-party risk management, so a lot of work remains to be done before the deadline of 17 January 2025.”