EXECO MARKETING

In July 2024, financial institutions around the world were severely hit by a series of IT failures caused by a routine software update from a major cybersecurity vendor. Transaction systems went offline, payment networks went down, and customer portals froze. It wasn't a cyber attack. It wasn't a data breach. The now-famous CrowdStrike fault was a failure of third-party risk monitoring, and the exposure was buried in contractual details.

Fast forward to January 17, 2025. With the Digital Operational Resilience Act (DORA) now fully in force, financial institutions are being asked an important question: are they protected by their contracts if vendors or their subcontractors go bankrupt?

For general counsel and compliance officers, the message from regulators is clear. Dealing with DORA is no longer just an IT issue; it is also a legal and contractual issue. Reviewing and correcting hundreds, if not thousands, of ICT contracts is no longer optional, but the process involves complexity, delays, and legal blind spots. So, let's take a closer look at the six key risks in DORA contracts and strategies to correct them before they become liabilities.

Why contract compliance matters under DORA

Financial institution legal teams are familiar with complex regulatory frameworks such as MiFID II, PSD2, and GDPR. DORA, however, changes the picture: it elevates ICT risk management from a governance best practice to clear and enforceable contractual obligations across all ICT third-party relationships, setting it apart from conventional outsourcing rules.

What's at stake?

An earlier survey conducted ahead of DORA revealed that only 20% of EU financial services companies were ready for the regulation, highlighting a widespread preparedness gap. This gap makes it necessary to systematically review and substantially revise ICT contracts to ensure compliance; otherwise, institutions are exposed to the following risks.

  • Failure to fulfill resilience obligations in vendor agreements can result in regulatory fines.
  • Business interruptions caused by undefined incident response or BC/DR terms.
  • Reputation is damaged when regulators, customers, or investors lose trust in ICT risk management.

Until now, ICT risk has been treated as part of broader operational risk. DORA changes this and makes it a distinct compliance pillar that must be clearly reflected in contracts. This means that legal teams must conduct a thorough gap analysis and establish an ongoing monitoring process to ensure that all existing vendor agreements are in line with DORA's resilience, security, and incident response obligations.

So where are the risks? Below, we'll discuss seven contractual pitfalls under DORA and strategies for fixing them before an institution's finances, compliance, and credibility are compromised.

1. Inadequate BC/DR provisions

The financial impact of inadequate business continuity and disaster recovery (BC/DR) plans can be more devastating than you might imagine.

Under DORA, financial institutions must ensure that third-party ICT providers have implemented robust business continuity and disaster recovery frameworks, including clear recovery time objectives (RTOs), recovery point objectives (RPOs), and structured incident response obligations.

Some agreements rely on general "best effort" clauses and neither specify test frequency nor clarify incident response responsibilities. Such ambiguity leaves general counsel struggling to prove compliance when critical services fail.

Action steps

Be sure to include detailed BC/DR obligations along with regular testing schedules, joint improvement paths, and shared responsibility terms. Set clear objectives (RTO and RPO) and define the roles and responsibilities of both the financial institution and the service provider in the event of an ICT incident.

To support regular BC/DR testing, Execo's intelligent digitalization proactively tracks key contractual obligations, flags them for renewal, and performs verification to prevent compliance deviations.

2. Incident reporting obligations are weak or vague

43% of chief legal officers (CLOs) cite global regulatory change as a key factor in strengthening legal oversight. Against that backdrop, DORA's stringent incident reporting requirements are particularly pressing.

Under DORA, financial institutions may have only a few hours to make the initial disclosure of a serious ICT incident, so it is unacceptable for the definition of a "serious incident" to be vague or for notification channels to be unclear. These gaps can result in fragmented crisis responses and ultimately lead to regulatory penalties.

General counsel and legal teams work hard to ensure vendor compliance, but thousands of pages of ICT agreements (often with outdated or inconsistent wording) may hide clauses that are no longer consistent with DORA's rapidly evolving obligations. Even a single overlooked provision, such as an outdated incident reporting schedule or undefined reporting standards, could jeopardize compliance.

Action steps

Create an incident severity taxonomy (critical, high, medium, low, etc.) and associate each classification with a specific reporting period. This approach eliminates confusion and ensures a consistent escalation process.

Establish both internal and external communication channels so that vendors know exactly whom to contact and when. Standardizing these channels minimizes guesswork during a crisis.

Automate as much as possible. Execo's GenAI continuously digitizes and structures ICT contracts, making it possible to immediately check important clauses, from incident reporting to continuation terms. Instead of spending countless hours on manual reviews, general counsel can immediately see where the clauses are and how they align with DORA.

Beyond GenAI, Execo's legal experts verify the extracted clauses, perform quick reviews, and confirm that all details are consistent with DORA's evolving obligations, so you can stay ahead of regulatory scrutiny.

3. Omission of specific operational resilience terms (SLAs, KPIs)

DORA requires financial institutions to continuously monitor performance, an obligation often overlooked in typical service level agreements (SLAs). Agreements that do not clearly define operational resilience metrics, such as uptime commitments, recovery times, and security KPIs, expose institutions to regulatory violations, close scrutiny, and possible enforcement actions.

Then there's vague and outdated language that complicates implementation. Consider, for example, a simple "commercially reasonable effort" clause. If a vendor failure causes a regulatory violation, such a clause may not provide a firm legal basis for recourse. Since DORA requires legally enforceable contracts, such vague terms pose a compliance risk.

Action steps

Execo keeps SLAs and KPIs up to date in line with evolving DORA requirements. Our AI-driven tracking and expert-led verification allow financial institutions to continuously monitor vendor performance and meet contractual obligations without added administrative burden.

Incorporating penalty and corrective clauses enhances accountability by spelling out the financial or operational consequences of not meeting agreed benchmarks. Execo's legally managed services can help ensure that poor performance triggers corrective action through service credits, contract renegotiation, or, in extreme cases, termination rights.

4. Poor subcontract management (chain outsourcing)

Subcontracting adds a layer of risk beyond the primary vendor, and compliance may be compromised if subcontractors do not meet DORA requirements. Without properly structured flow-down provisions that extend all resilience, security, and reporting obligations to subcontractors, financial institutions risk losing control over outsourced critical ICT functions, with consequences such as missed incident reports, weakened resilience testing, and data leaks.

The European Supervisory Authorities' report emphasizes that financial institutions need to assess the risks associated with subcontracting at the pre-contract stage, yet many financial institutions only discover gaps once issues have arisen.

Action steps

Implement a governance framework to continuously monitor subcontractor compliance. This includes prior notice and approval requirements for subcontract agreements. Execo's intelligent digitalization further supports this by securing DORA-compliant flow-down clauses, extracting and verifying subcontract clauses, and enabling continuous visibility.

In accordance with DORA Article 30, contracts are required to set out exit and termination strategies in order to minimize disruption when subcontractors fail to meet resilience requirements.

5. Lack of strong audit and monitoring rights

Today, financial institutions must go beyond vendor self-certification and actively supervise and continuously monitor third-party ICT providers.

Because vendors may resist scrutiny on confidentiality grounds, agreements without explicit audit or access rights expose financial institutions to unidentified cybersecurity, operational, and regulatory risks. Without contractual authority to conduct on-site or remote audits, financial institutions will find it difficult to assess vendor controls and compliance gaps.

Action steps

The agreement must explicitly establish the right to conduct regular audits, including on-demand reviews, access to security documentation, and direct monitoring of vendor controls. But DORA goes further and requires continuous monitoring rather than just periodic assessments. Financial institutions must implement automated risk assessments, real-time performance tracking, and ongoing compliance checks to maintain vendor resilience.

Execo's contract performance solution bridges the gap between audit and action. Rather than treating compliance as a static review process, Execo tracks contractual obligations, SLAs, and compliance gaps in real time and ensures continuous vendor monitoring. The system acts as an early warning mechanism, proactively flagging risks, overdue corrections, and potential compliance violations, and enables timely action before issues escalate.

6. Non-compliant documentation practices

DORA requires comprehensive and structured documentation of ICT risk management frameworks, incident response plans, digital resilience tests, and third-party service agreements to ensure auditability, traceability, and regulatory oversight. In other words, system logs, security incidents, previous audit results, and remediation work must be recorded in a form that guarantees availability, completeness, and confidentiality, and that can be audited in real time (Article 9).

Failure to clearly define how records are maintained, updated, and shared with competent authorities during regulatory reviews creates gaps in compliance visibility and increases the risk of enforcement actions.

Missing or inconsistent documentation can be just as damaging as non-compliance itself. Under Article 17, financial institutions must record and report ICT-related incidents in a standardized and traceable manner to ensure that regulators receive complete and timely updates.

Action steps

Financial institutions need to move away from fragmented manual documentation and adopt centralized, automated records management in order to stay ahead of compliance. Instead of waiting for an audit to assess compliance, all records are consolidated into a single system that enables continuous monitoring.

Intelligent contract digitalization using Execo's GenAI allows institutions to maintain an audit-ready repository by identifying and classifying contract-specific compliance elements, such as vendor risk terms, regulatory obligations, and audit rights. With reports and dashboard visualizations, legal and risk teams gain immediate insight into key provisions, upcoming deadlines, and regulatory gaps.

Turn compliance into an opportunity

DORA is more than just a check box. It's also an opportunity to increase business resilience and shine a spotlight on board-level accountability. For financial institutions grappling with an expanding ICT environment, responding to new regulatory standards can strain resources and governance structures. But instead of treating DORA as a burden, legal teams can use this opportunity to gain executive buy-in and seek stronger risk management and future-proof infrastructure that can withstand both current and future regulatory demands.

Execo's value proposition

Ensuring DORA compliance across all contracts, from digitalization to performance management, is not easy. That's where Execo comes into play.

Execo provides managed services that combine advanced AI with skilled legal experts to streamline contract reviews and reduce the risk of something being overlooked. Our global delivery model and pre-trained GenAI library enable rapid deployment and immediate gains in productivity and peace of mind.

You don't need to replace your existing CLM platform or worry about long-term integration. We adapt to your environment with around-the-clock support, verify key provisions, and align vendor agreements with DORA's specific obligations.

Ready to ensure operational resilience while tackling DORA head-on? Learn more about how Execo can transform your contract compliance.