Contracts under DORA

Sep 15, 2025

Why paperwork is now a strategic asset

When contracts became critical

For decades, contracts with ICT providers were seen as legal housekeeping, a box to tick once due diligence was complete. Most executives signed them with the assumption that if something went wrong, the contract would protect them.

But the truth is different. In practice, many contracts have historically been weak – vague on accountability, silent on regulatory access and often skewed in favour of powerful providers. That left financial institutions exposed.

The Digital Operational Resilience Act (DORA) has changed the game. Under DORA, contracts are no longer background detail; they are frontline instruments of resilience. They define how services are delivered, how oversight is maintained and how regulators can step in if needed.

In the DORA era, contracts are not fine print; they are strategic assets.

Why DORA elevates the contract

The reason is simple: accountability cannot be outsourced.

Financial institutions remain fully responsible for their operational resilience and for compliance with DORA, even when they rely on third-party ICT services. That responsibility must be reflected in the contract. DORA makes this explicit by requiring contractual clauses that secure oversight, ensure regulatory cooperation and prevent responsibility from being diluted.

In other words, if your contracts are not strong, neither is your resilience.

What every DORA contract must contain

DORA (chiefly Article 30) sets clear expectations for the structure and content of ICT third-party agreements, with additional requirements where the service supports a critical or important function. The essentials include:

  1. Written form

All contractual arrangements must be set out in writing, in a durable and accessible form, so that the obligations are enforceable and can be evidenced to supervisors.

  2. Clear responsibilities

Contracts must state that regulatory obligations remain with the financial entity, not the provider. Outsourcing a service does not outsource the responsibility for it: providers cannot relieve firms of their duties to clients or regulators.

  3. Regulator access

Providers must commit to cooperating with competent authorities. That includes giving regulators effective access to data, information and, where required, premises. For services supporting critical or important functions, DORA requires these rights to be unrestricted rather than subject to the provider's discretion.

  4. Audit and inspection rights

Contracts must grant the financial entity rights to access information, conduct inspections and perform audits. These may be exercised through the firm's own internal audit function, through pooled audits shared with other clients of the same provider, or through independent third-party auditors. Certifications and assurance reports (such as ISO 27001 certificates or SOC 2 reports) can support this work but cannot replace it: reliance solely on certifications is not enough.

  5. Material change procedures

Any significant change to the arrangement must be documented in writing, dated and signed by both parties. Renewal processes must be clear and formalised.

Why this is harder than it sounds

On paper, these requirements are straightforward, but in practice, negotiating them can be complex.

Large ICT providers, particularly global cloud service providers, have historically resisted contract terms that give financial clients broad audit rights or regulatory access. Their scale means they prefer standardised contracts rather than bespoke clauses. For smaller financial entities, negotiating leverage can be limited.

This is where DORA’s impact will be most felt. By making these clauses regulatory requirements, it strengthens the position of financial entities. Providers will be forced to adapt.

But firms must still be vigilant. A contract that looks compliant on the surface may fail to deliver in practice if rights are limited, vague or never exercised. The test is not whether a clause exists but whether the firm could invoke it tomorrow: who at the provider would receive the request, within what timeframe, at what cost, and with what scope.

The dangers of weak contracts

The risks of poor contractual terms show up in recurring patterns of real-world failure:

  • Cloud outages where clients had no contractual right to detailed incident reports or post-mortems.

  • Cyber breaches where regulators demanded access to provider systems, but contractual terms did not support it.

  • Sudden termination of services where clients had no transfer rights or exit strategies in place.

In each case, the absence of strong contractual protections left financial entities scrambling – facing disruption, reputational damage and regulatory scrutiny.

Contracts as enablers of resilience

Strong contracts enable firms to manage ICT relationships with confidence.

When audit rights are clearly defined, firms can test resilience proactively. When regulatory access is guaranteed, compliance officers can engage supervisors without hesitation. When renewal and change processes are formalised, surprises are minimised.

In other words, the contract becomes a tool for governance, not a barrier.

Best practice for leaders

For boards and senior executives, the challenge is to ensure that contracts truly deliver resilience, not just compliance. That means:

  1. Engage early. Contracts should be shaped with risk and resilience teams involved from the start, not handed over to legal at the end.

  2. Test enforceability. Rights are only useful if they can be exercised. Firms should regularly test audit provisions and simulate regulator requests, for example by issuing a genuine information or access request under the contract and measuring how completely and how quickly the provider responds.

  3. Plan for change. ICT services evolve rapidly. Contracts must allow for updates, renewals and changes without weakening oversight.

  4. Think about exit. Contracts must enable exit strategies, not just for termination, but also for transferability in the event of provider failure: adequate notice periods, transition assistance and the return or migration of data in a usable form.

From fine print to frontline

DORA’s clear message is that resilience starts long before an incident. It starts with the paper you sign.

For too long, financial entities treated ICT contracts as background detail. But in an industry where digital services underpin every transaction, those details are important.

Contracts are now strategic assets – the playbooks firms will turn to in times of disruption and the evidence regulators will scrutinise when things go wrong. They are the foundations of trust between financial entities and their providers.

In the DORA era, a weak contract is a resilience risk.

Contracts as strategy

The lesson for leaders is to treat contracts not as housekeeping, but as strategy.

Every clause is a lever for resilience, every audit right is a tool for oversight, and every access provision is a safeguard for compliance.

When contracts are strong, resilience is strong. When contracts are weak, resilience is weak.

DORA has put the spotlight on ICT contracts. The firms that embrace this shift will be the ones that remain competitive. In a digital financial system, resilience is reputation. And reputation is everything.