DORA register implementation using Weagree AI tabular review

DORA register implementation

Ensuring, strictly and automatically, that the Digital Operational Resilience Act (DORA) is complied with, using AI.

The context

The Digital Operational Resilience Act (DORA) is a rigorous EU regulation that mandates financial entities to maintain high standards for ICT risk management. A core requirement is the maintenance of a DORA register of information detailing all contractual arrangements with third-party ICT service providers. DORA rests on five pillars, four of which are relevant for implementing a DORA register:

  • ICT risk management: from a DORA register’s perspective the heart of the application, a comprehensive framework for managing IT risks, with responsibility placed on senior management.
  • Incident reporting: a harmonised, streamlined process for classifying and reporting major ICT-related incidents to regulators.
  • Operational resilience testing: monitoring of annual, mandatory testing of ICT systems, including threat-led penetration tests (TLPT) every three years for critical entities.
  • Third-party risk management: strengthened oversight of critical third-party ICT service providers, requiring specific contractual arrangements, which can be managed and monitored in Weagree CLM.

The fifth pillar relates to the sharing of cyber threat information amongst financial institutions and regulators.

The challenge

Building a DORA register is not a simple administrative task. It requires a deep legal review of every ICT contract to extract specific, granular data points mandated by the European Supervisory Authorities (ESAs). You must identify the ‘criticality’ of the function supported, the location of data storage, subcontracting conditions, and audit rights.

Manually finding these specific clauses in dense, complex service agreements is difficult. Terms like ‘subcontracting’ or ‘data location’ may be buried in annexes or technical schedules. Missing a critical provider or misreporting a contract’s details can lead to significant regulatory penalties.

A DORA register is a living legal hold: not only must new technology providers be added, but the existing portfolio must also be monitored, and probably audited. As this is a recurring task, it needs to pop up at the appropriate periodicity, with notifications to the right people internally.

The requirements

A compliance solution must focus specifically on the ICT or SaaS vendor portfolio. It needs to extract the exact data fields required for DORA compliance and store them in a DORA register. Such an AI tabular review solution must also be able to easily ‘validate’ the presence or absence of mandatory clauses (e.g., ensuring an ‘unrestricted right to audit’ exists).

While most tasks are periodically triggered, some technology vendors in the DORA register require particular, relationship-specific or context-dedicated action. This means that tasks must not only be triggered according to a templated task and notification pattern, but must also permit contract-dependent or context-specific action.

Weagree's solution

Weagree’s Tabular review AI solution enables the initial set-up of a DORA register, while the Weagree Wizard automates the continuous, recurring compliance monitoring.

Setting up a DORA register specifically for regulatory compliance means transforming your vendor contracts into a DORA register-compliant dataset:

  • DORA-specific template. You can configure contract sheets that mirror DORA’s required register fields. The AI is then prompted to extract specific data such as ‘data storage location,’ ‘termination notice period’ and ‘subcontractor authorisation’ clauses. Needless to say, Weagree tabular review comes with elaborate contract sheets that you may adjust to your needs.
  • Mandatory field validation. Weagree allows you to mark specific columns as ‘Mandatory’. If the AI cannot find a required value (e.g., choice of law), the cell is highlighted in red, alerting in-house counsel or a compliance officer that the contract may be ‘defective’ or non-compliant with contracting policies.
  • Lookup columns for standardisation. To ensure the DORA register is consistent, you can use ‘lookup’ data fields. The AI will attempt to match extracted values (like country or service type) against a pre-defined list of valid DORA codes (and upon exporting validated AI-extracted data into the DORA register, such codes can be reflected in the API data mapping), ensuring the output is perfectly standardised for reporting.
  • Gap analysis. Weagree’s AI tabular review can be used for gap analysis. You can create fields with a prompt like: “Does this contract include a right for the regulator to audit the SaaS provider? Answer Yes/No”. This instantly flags contracts that need renegotiation for the customer to become DORA compliant.
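The three checks above (mandatory cells, lookup standardisation and a Yes/No gap prompt) can be expressed as a small post-extraction validation step. The following is an added example, not Weagree’s code; the field names, code tables and sample rows are constructed for illustration.

```python
# Added example (not Weagree's own code): validate AI-extracted DORA register
# rows as the page describes: mandatory fields, lookup standardisation against
# a code list, and Yes/No gap-analysis answers. Field names, code tables and
# sample rows are constructed for illustration only.
from dataclasses import dataclass

MANDATORY = ("provider", "function_criticality", "data_storage_location", "choice_of_law")
# Constructed lookup tables (real codes come from the ESA register templates).
COUNTRY_CODES = {"NETHERLANDS": "NL", "NL": "NL", "IRELAND": "IE", "IE": "IE", "US": "US"}
CRITICALITY = {"CRITICAL": "critical", "IMPORTANT": "critical",
               "NON-CRITICAL": "non-critical", "NOT CRITICAL": "non-critical"}
LOOKUPS = {"data_storage_location": COUNTRY_CODES, "function_criticality": CRITICALITY}
GAP_FIELDS = ("regulator_audit_right", "unrestricted_audit_right")

@dataclass
class Finding:
    provider: str
    field: str
    kind: str    # "missing" (red cell), "unknown_code" or "gap"

def validate_row(row: dict) -> tuple[dict, list[Finding]]:
    """Return the standardised row plus the findings a reviewer must look at."""
    out, findings = dict(row), []
    name = row.get("provider") or "<unnamed>"
    for f in MANDATORY:                       # empty mandatory cell -> red
        if not str(row.get(f, "")).strip():
            findings.append(Finding(name, f, "missing"))
    for f, table in LOOKUPS.items():          # normalise to the code list
        raw = str(row.get(f, "")).strip().upper()
        if raw in table:
            out[f] = table[raw]
        elif raw:
            findings.append(Finding(name, f, "unknown_code"))
    for f in GAP_FIELDS:                      # Yes/No prompt answers
        if str(row.get(f, "")).strip().lower() != "yes":
            findings.append(Finding(name, f, "gap"))
    return out, findings

def validate_register(rows: list[dict]) -> tuple[list[dict], list[Finding]]:
    results = [validate_row(r) for r in rows]
    return [c for c, _ in results], [x for _, fs in results for x in fs]

SAMPLE_ROWS = [  # constructed extraction output for two vendors
    {"provider": "CloudCo", "function_criticality": "Critical", "data_storage_location": "Ireland",
     "choice_of_law": "Dutch law", "regulator_audit_right": "Yes", "unrestricted_audit_right": "Yes"},
    {"provider": "SaaSly", "function_criticality": "minor", "data_storage_location": "",
     "choice_of_law": "", "regulator_audit_right": "No", "unrestricted_audit_right": "Yes"},
]
```

Running `validate_register(SAMPLE_ROWS)` returns CloudCo normalised to codes with no findings, and four findings for SaaSly: two empty mandatory cells, one criticality value outside the lookup list, and one missing regulator audit right.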

Continuous recurring compliance monitoring is set up in the Weagree CLM itself:

  • The implemented DORA register with all metadata (if you wish, clustered by their nature or purpose; and visible to users as their access rights may permit).
  • Immediate insights into all DORA-required data and information (on dashboard and reporting or monitoring widgets).
  • Periodical review with automated tasks (automated task triggers indicating compliance checks, audits or renewals in good time, and if necessary even anticipating a procurement period for replacement).
  • Automated notifications to all stakeholders, internal and external (even enabling the technology vendor to access, as a temporary guest user).

The result

By automating the extraction of register data, Weagree allows its users to reduce contract review time by 83%. You transform a frantic compliance exercise into a controlled, repeatable process. The result is a robust, audit-ready DORA register that is accurate, complete, and maintained with a fraction of the manual effort.
