Why DORA compliance doesn’t stop at creating the contracts register?

Koen Vercauteren, Product Management Leader at Birdseye.

April 25, 2025

Creating a contracts register is just the beginning. Discover why true DORA compliance demands continuous IT contract management, supplier oversight, and risk governance.

All ICT contracts sorted into the register? Great. But don’t assume that means you meet the DORA compliance requirements just yet. Without active management, that register will be outdated by the time of the first audit. True compliance requires an ongoing effort.

Financial institutions across Europe face a major task: compiling a register of all contracts that include ICT services. This is a crucial step in complying with the Digital Operational Resilience Act (DORA).

DORA has applied in full since 17 January 2025, and by April 2025 companies must submit their first report (the register of information on their ICT third-party arrangements) to the regulator as evidence that they comply with the legislation. That deadline is fixed, but there is still more to tackle: DORA compliance requires continuous effort, going far beyond simply creating a register.

Compiling a register is only the beginning

The contracts register provides an overview of all relevant contracts for external ICT services within the organization. However, without active management processes, it remains just a snapshot—likely outdated by the time it is submitted. Compliance is not just about ‘getting things in order’ but about ‘staying on top of things.’

Many organizations currently struggle to compile and maintain an up-to-date register, often because they lack the necessary resources to sustain this effort. As a result, they fail to allocate enough attention to other critical aspects, such as risk management, supplier management, and long-term DORA compliance for contracts. This challenge became evident in last year’s ‘dry run’ assessment conducted by the European Banking Authority (EBA) and other regulatory bodies.

Operational processes for ongoing DORA compliance

DORA is not just about having a contracts register—it requires organizations to demonstrate that they are actively ‘in command’ and managing risks effectively. This demands a structured approach where contract management is seamlessly integrated with risk management, compliance, and governance. Achieving this requires four key efforts.

Firstly, it involves dynamic contract management. A contracts register must be continuously updated. This means not just recording contracts but actively monitoring changes in agreements, service levels, and compliance requirements.

Secondly, organizations must have insight into the impact of their ICT suppliers and the risks they pose. This is supplier and contract management: Which services support critical or important functions? How dependent is the organization on specific vendors? And what is the contingency plan (in DORA terms, the exit strategy) if a supplier fails or the contract ends?

Risk management and reporting

As a third effort, DORA requires businesses to continuously assess operational risks and take proactive measures to strengthen IT resilience. This includes regularly verifying whether contracts and suppliers still meet regulatory requirements and ensuring risks are properly identified and managed.

Lastly, regulators expect more than just an up-to-date register. They demand proof that companies are ‘in command.’ This necessitates well-structured monitoring and reporting processes, supported by advanced technology that helps capture and present relevant data effectively.

Continuous management is the key to true compliance

Creating a contracts register is an essential first step in DORA compliance, but without a robust operational approach, it remains a static and ultimately ineffective document. Manually maintaining a contracts register and related processes is labor-intensive and prone to errors.

To achieve and sustain compliance, financial institutions must invest in continuous management of their IT contracts and suppliers, leveraging technology that provides real-time insight and control. This requires clearly defined roles and responsibilities across the organization.

In the next blog, we will explore which departments should be involved in automated contract management. And it’s not just Risk & Compliance…
