DORA Regulations: How Contract AI Can Help Financial Services Achieve Compliance

Beat the 2025 Deadline! EU's DORA regulations require financial firms to ensure strong cybersecurity. But manually reviewing vendor contracts is slow and error-prone. Learn how Contract AI can help you achieve DORA compliance faster and easier.

By Jim Burnick and Alex Gaidukov

Herculean efforts are underway across the financial services sector to ensure compliance with the Digital Operational Resilience Act, better known as DORA.

DORA, passed by the EU in 2022, aims to protect customers in Europe from cyber-security threats by creating uniform requirements for the security of network and information systems used in the financial sector. An estimated 22,000 financial entities with customers in the EU must be compliant with DORA by January 17, 2025.

It’s not enough for financial institutions to be DORA compliant within their own systems

This is a massive undertaking for compliance teams, in no small part because financial institutions are so reliant on third-party ICT services providers: Per DORA, it is not enough for financial institutions to be DORA-compliant with their own systems; they are also responsible for the security practices of their vendors and must register all contractual arrangements they have with ICT vendors.

As such, contracts themselves have emerged as a critical piece to the DORA compliance puzzle. In fact, Article 30 of DORA spells out the minimum terms that must be included in any ICT contract.

Yet even with regulators literally spelling out what is required in ICT contracts, compliance is anything but assured due to insufficient contract visibility.

What this means for governance, risk and compliance

In an age of rapid digital transformation across business processes and systems, contracts have remained notably analog for many financial organizations. Most organizations lack a single source of truth for contracts across the enterprise, and the contracts they do have access to are not digitized in a way that makes their contents easy to review in bulk or integrate with their governance, risk, and compliance (GRC) systems.

In the past, the only recourse in these cases would have been to hire large numbers of paralegals to find contracts scattered across the business, review them against their risk policies, and then initiate renegotiations for non-compliant contracts. The cost would be huge, and the chance for human error significant.

But in a stroke of good luck for any compliance manager, now we have generative AI.

Icertis is working with some of the biggest financial institutions in the world to leverage our Risk Assessment Copilot to analyze ICT vendor contracts at scale, specifically for DORA compliance.

Risk assessment with gen AI

The Risk Assessment Copilot uses the Microsoft Azure OpenAI LLM to review contracts in bulk, prompting the model with a series of pre-defined questions about each contract's data security provisions.

Users then get a dashboard report showing which required clauses are present, which are not, and which have language that deviates significantly from approved contract language and should be reviewed. In this example, we can see that the “IT locations description is not present,” violating a DORA provision and returning a risk score of 10 out of 10.

[Image: risk score for DORA]

The Risk Assessment Copilot provides insights regarding the impact of risk aggregation across a corpus of contracts where individually the contract impact could be below a critical threshold but in aggregate, the impact exceeds a regulatory threshold.

Once risk is detected, Icertis streamlines corrective action.

Integrated risk discovery

A significant advantage of our Risk Assessment Copilot compared to eDiscovery point solutions is that it is embedded in the Icertis Contract Intelligence platform, which has end-to-end contract management capabilities. This improves operational resiliency and can ensure proper incident reporting per contract requirements.

Bulk actions auto-create obligations to address noncompliance

Bulk actions can be taken regardless of contract volume: Our platform auto-creates obligations to address non-compliant cases, which can then be routed to the vendor for review and signing within a single system.

This kind of workflow is crucial for companies with tens of thousands of contracts with IT service providers. Often, remediation activities in these cases exceed 100,000 tasks, a volume manageable only with an intelligent system capable of assessing, recommending, and executing all the necessary tasks to become compliant before January 1, 2025.

New contracts automatically assessed for DORA compliance

New contracts can also be automatically assessed for DORA compliance, to ensure no new risks emerge. Post signature, vendor obligations can be tracked through automated alerts, workflows, and reports. As regulations change or new requirements are added, the Copilot can recommend updates to the contract.

At Icertis, we call this contract intelligence – the ability to ensure that every contract that a company enters into reflects the intended business and compliance outcomes; and that those outcomes are realized in practice.

While contract intelligence is hugely beneficial for managing operational risk such as DORA compliance, its applications are countless: business continuity, GDPR compliance, credit/market risk, surfacing inflation clauses, Know Your Supplier/Customer … the list goes on, and we can rest assured that regulators will be adding to this list well into the future!

To learn more about our unmatched approach to contract management and contract AI, contact us today.
