A simple guide to navigating DORA compliance

Written by
Gabby MacSweeney
Published on
February 11, 2025

Thank you to Aida Kaloci and Axel Desmet from Cresco’s Innovation team for taking part in our webinar, “DORA compliance after January: What's next?”.

DORA is already in effect, and while enforcement may ramp up post-April 2025, companies should act now. Reviewing, negotiating, and aligning contracts is key to ensuring compliance and avoiding financial and operational risks.

Here are the key takeaways from the informative session. Alternatively, you can watch the webinar here.

The growing cyber threat and the birth of DORA

In 2024, cyberattacks reached record levels worldwide, with a 75% increase in Q3 compared to the same period in 2023.

At the same time, we’re seeing a wave of new regulations, including DORA (Digital Operational Resilience Act), a framework aimed at strengthening the operational resilience of financial institutions across the EU.

Who does DORA apply to?

DORA applies to traditional financial institutions such as:

  • Credit institutions
  • Payment institutions
  • Trading venues

It also applies to modern financial entities, including:

  • Investment management companies
  • Crypto-asset service providers

Importantly, third-party ICT providers that serve these financial institutions are indirectly covered under DORA.

DORA compliance timeline

DORA has applied since 17 January 2025. That was a hard deadline. However, there is an unofficial transition period until 30 April 2025, when national regulators must submit a list of critical third-party service providers to EU authorities.

Until then, enforcement may be limited, but companies should not delay compliance efforts.

Why DORA compliance matters

Non-compliance with DORA can lead to:

  • Fines of up to 2% of global turnover, similar to GDPR.
  • Licensing risks. Some speculate that non-compliance could impact PSD2 and other financial service licences.

How to navigate DORA’s core obligations and challenges

DORA introduces strict requirements for financial institutions and their third-party ICT providers. Ensuring compliance requires a structured approach across four key areas: ICT risk management, incident reporting, resilience testing, and third-party risk management.

Each of these obligations demands a proactive compliance strategy, with financial institutions expected to strengthen contractual safeguards and implement continuous monitoring. However, negotiations with ICT providers often present hurdles, making a risk-based approach essential.

1. Strengthening ICT risk management

Financial institutions need to continuously assess and manage risks arising from their ICT providers. This includes:

  • Defining clear roles and responsibilities in contracts.
  • Implementing ongoing risk assessments to ensure service providers meet resilience standards.

This requirement compels financial firms to treat ICT providers as integral to operational security, ensuring their systems and controls align with regulatory expectations.

2. Incident reporting

DORA mandates that any significant ICT incident be reported to regulators without delay. Compliance requires:

  • Establishing clear reporting mechanisms in contracts.
  • Defining timeframes, escalation processes, and accountability for reporting.

For financial institutions, this means working closely with ICT providers to ensure seamless information flow when incidents occur. Contract terms must prevent ambiguity and outline concrete response protocols.

3. Digital operational resilience testing

Resilience testing is a core pillar of DORA compliance, requiring financial institutions to regularly test their ICT systems. Contracts must specify:

  • Testing frequency (at least annually, or more often for high-risk providers).
  • Scope of testing, including penetration tests and disaster recovery drills.
  • Mitigation measures to address vulnerabilities identified during testing.

This requirement ensures that financial entities can anticipate and respond to cyber threats before they escalate into major disruptions.

4. Managing third-party ICT risks through contracts

DORA extends its reach beyond financial firms, indirectly regulating third-party ICT providers. To comply, contracts should include:

  • Exit clauses ensuring a smooth transition if a service provider is replaced.
  • Subcontracting conditions, outlining whether prior approval is required before outsourcing services further.

Regulators expect financial institutions to maintain full visibility and control over their service providers, ensuring that disruptions at one vendor do not cascade across the financial ecosystem.

Challenges in contract negotiation: Where resistance emerges

Despite DORA’s clear requirements, many ICT providers push back against contract modifications due to:

  • Compliance costs, as meeting regulatory standards requires additional investment.
  • Limited capacity, with some providers lacking the resources to implement required controls.
  • Disputes over classification, with providers challenging whether they support “critical” financial functions.

A risk-based approach will help. Focus on:

  • Mapping all ICT providers supporting critical operations.
  • Reviewing existing contracts to identify compliance gaps.
  • Negotiating terms to ensure providers meet DORA requirements without imposing unnecessary burdens.

For example, a financial institution initially required an ICT provider to conduct three penetration tests per year, exceeding DORA’s minimum requirement of one annual test. After a risk assessment, it was determined that the services in question were not mission-critical, allowing the institution to adjust the requirement without compromising resilience.

Manual reviews make DORA compliance a massive challenge

DORA compliance is a complex and high-stakes process. It has also become a board-level priority because of the significant risk exposure. Compliance is not only a legal issue: it requires cross-functional alignment across legal, procurement, sales, and other teams.

Despite this, most legal teams still rely on manual contract reviews, a time-consuming process that demands thousands of hours for reading, renegotiating, and redrafting. This slows compliance, raises costs due to reliance on external advisors, and increases the risk of human errors, especially under high volumes.

AI enables proactive compliance

LEGALFLY simplifies DORA compliance by automating contract reviews, identifying risks, and ensuring ongoing regulatory alignment. It speeds up contract audits by scanning thousands of agreements in minutes, reducing review time from weeks to days. By detecting non-compliant clauses and suggesting DORA-compliant revisions, LEGALFLY enables legal teams to instantly apply redlines, ensuring consistency and accuracy.

Read more: DORA compliance made easy with legal AI

With custom compliance playbooks, LEGALFLY is helping institutions like KBC Bank create structured guidelines, making contract reviews more efficient for both legal and procurement teams. These playbooks ensure that compliance standards remain consistent across all agreements. LEGALFLY also provides continuous monitoring, automatically updating compliance playbooks to reflect new regulatory changes, reducing the need for manual updates and external legal advisors.

Beyond efficiency, LEGALFLY helps financial institutions proactively manage risk, minimising human errors and preventing regulatory fines or disruptions. By turning compliance into a streamlined, automated process, it allows organisations to stay ahead of DORA and future regulations with greater confidence and control.

Streamline DORA compliance with AI

Interested in seeing LEGALFLY in action? Arrange a demo today.