The Digital Operational Resilience Act (DORA) contains specific and comprehensive requirements for drafting contracts with service providers who provide ICT services to a financial institution. ICT services are all services related to information and telecommunications technologies. In many financial institutions, ICT services represent up to 90% (and even more) of the entire outsourcing portfolio, as the business model of financial companies is data-based and depends on ICT systems — particularly those provided by external service providers.

Challenge: enormous effort for each individual ICT service

DORA distinguishes between ICT services that support a critical or non-critical internal function. Both types of ICT services (critical and non-critical) have far-reaching requirements, including the drafting of contracts with the respective service provider. For critical ICT services, in accordance with BaFin's implementation instructions Just under 70 minimum content to be contractually agreed with ICT service providers, for non-critical ICT services just under 20.

In practice, therefore, every ICT service must be classified as critical or non-critical and the relevant minimum content must be agreed accordingly in the contract. In particular, it must be documented where exactly the minimum content is agreed in the contract in order to ensure traceability and audit security. Since agreements with external service providers are often based on several contract documents (framework contract, service certificate, annexes, etc.), this task is time-consuming and ties up resources.

‍

These requirements apply both to existing contracts and to future contracts. Assuming that there are around 200 ICT services in the inventory, of which only 10% are critical, over 4,000 minimum contents must be searched for and documented in around 1,000 contract documents (as contracts often include several documents). An optimistic assumption of 10 minutes per minimum content means that the review of contracts for the 200 ICT services in our example takes around 100 person-days. With the LENO application, the effort required to review contracts in accordance with DORA can be reduced to a minimum.

As part of LENO, a software suite for sourcing, third-party risk management (TPRM), contract lifecycle management (CLM) and AI/IT security & compliance, LENO AI helps Contract Check accelerate the closing of future contracts by filing, verifying and approving them more quickly.

Solution with LENO - AI Contract Check

After the ICT service has been automatically classified as critical or non-critical in “LENO - Outsourcing Management” (or Third Party Risk Management), the contracts have been uploaded (fields such as notice periods, costs or contract start are also automatically filled in with AI) and automatically assigned to this ICT service, the relevant minimum content for this ICT service is displayed in the Contract Review tab. The fields can be completed either manually or using AI Contract Check.

In LENO, a single click is all it takes to check the contracts for the 200 ICT services. Even though the algorithm is highly reliable, we recommend validating the results, at least on a random basis. However, we assume that a manual review of 10 to 30 minutes is sufficient for the entire contract. LENO therefore only takes around 10 days to review the contract for the 200 ICT services.

All contract documents in the relevant contract hierarchy are used for review. After a few seconds (duration depends on many factors, such as the number of words in the contracts and whether it is a critical or non-critical ICT service), the test results are entered in the appropriate fields. In particular, it is automatically documented which minimum content was found in which contract document on which page. All fields can of course be edited again by the user.

All contract documents in the relevant contract hierarchy are used for review. After a few seconds (duration depends on many factors, such as the number of words in the contracts and whether it is a critical and uncritical ICT service), the test results are entered in the appropriate fields. In particular, it is automatically documented which minimum content was found in which contract document on which page. All fields can of course be edited again by the user.

Outlook: more AI in LENO

With LENO, contracts can be checked against internal or other legal and regulatory obligations in the near future. The minimum content for each contract category (e.g. rental contracts) can be defined individually and by yourself. When creating a contract document and defining the contract category, a mouse click is enough to check this contract document for internal requirements.

Further useful AI functionalities will follow shortly — stay informed!

‍