DORA Contract Drafting for In-House Bank Lawyers

$199.00

A focused course, tailored for you

A skills course for legal counsel who need to write enforceable ICT third-party clauses under the Digital Operational Resilience Act.

The ICT third-party clause your vendor just redlined is overdue. Article 30 lists what must be in it. Your counterpart's markup removes two of those items. You know the regulator will ask. You need to know exactly which provisions survive negotiation and which do not.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

In-house lawyers at banks are now the front line of DORA compliance. The regulation transferred drafting responsibility from risk teams to legal: ICT third-party registers, contractual provisions for critical functions, subcontracting chain transparency, incident notification windows, and the exit strategy documentation that auditors check first. Most bank lawyers were trained on deal documentation and regulatory advice, not on operational resilience contract architecture. The result is contract review cycles that drag to four rounds, audit findings that cite missing clauses, and risk committee presentations that expose the gap between what the contract says and what Article 30 requires.

What you walk away with

  • Draft ICT third-party clauses that satisfy Article 30 without giving the vendor a blanket exit from incident notification obligations.
  • Identify which subcontracting chain provisions are mandatory versus negotiable and document the rationale in a form regulators accept.
  • Build a repeatable contract review checklist that reduces review rounds from four to two.
  • Write the exit strategy clause in a way that is enforceable and does not trigger the vendor's change-of-control carve-out.
  • Produce the contractual evidence package your internal audit team needs without a separate legal memo.
  • Advise business stakeholders on which vendor requests represent genuine risk and which are standard negotiating positions.

The 12 modules

Module 1. Article 30 as a Drafting Checklist
Article 30 of DORA is a mandatory clause inventory, not a principles list. This module maps each Article 30 provision to a specific clause type, identifies which provisions the EBA considers non-waivable, and shows you how to structure the contract so a regulator can cross-reference the register entry to the signed agreement without a cover memo. You leave with a clause-by-clause annotation template you use on every new ICT vendor engagement.
Module 2. Classifying the Vendor Relationship Before You Draft
Whether the vendor is critical, important, or standard changes what Article 30 requires. This module gives you the four-factor test the EBA uses and shows you how to apply it to a real vendor profile before the first draft goes out. You build a classification worksheet that integrates with your firm's third-party register so the contract category is set before legal ever opens a template.
Module 3. The Subcontracting Chain Clause
Vendors outsource. Your regulator wants to see the chain. This module covers how to draft the subcontracting disclosure obligation, what level of detail satisfies supervisory examination, and how to write the prior-approval clause so it is not rendered meaningless by a broad carve-out for routine operations. You draft two clause variants: one for critical function vendors, one for standard ICT services, and test them against the EBA Q&A.
Module 4. Incident Notification Windows
Article 30 requires contractual notification timelines that align with DORA's incident reporting obligations. This module shows you how to draft the notification window so it matches your internal DORA incident response procedure, what to do when the vendor proposes a 72-hour window that conflicts with your 24-hour internal escalation, and how to document the agreed timeline in the register in a way that satisfies both your CISO and your auditor.
Module 5. Exit Strategy Documentation
The exit strategy clause is the one auditors check first. This module covers what a compliant exit plan clause looks like in practice, how to write the transition assistance obligation without triggering the vendor's change-of-control carve-out, and how to produce the exit strategy document referenced in the contract. You leave with a clause template and a one-page exit strategy document structure that satisfies the regulatory requirement without committing the bank to an unworkable migration timeline.
Module 6. Negotiating Non-Negotiable Provisions
Some vendors push back on Article 30 provisions by calling them operationally unworkable. This module gives you the language to distinguish genuine operational constraints from standard negotiating positions, the internal escalation path when a vendor refuses a mandatory clause, and the regulatory risk memo format that protects you when business pressure to close the deal is high. You practice on three real redline scenarios from ICT service agreements at banks of different sizes.
Module 7. Audit Rights and Information Access
Article 30 requires the right to audit. Most vendors offer a third-party audit substitution. This module covers when substitution is acceptable under the EBA's guidance, how to draft the audit rights clause so it includes the right to inspect in a supervisory examination context, and how to write the information access obligation so your risk team can actually use it when an incident occurs. You draft the clause and the accompanying audit protocol reference.
Module 8. Jurisdiction, Governing Law, and Cross-Border Complications
The firm operates across multiple jurisdictions. An ICT vendor may be headquartered in a third country. This module covers how governing law interacts with DORA's extraterritorial scope, which jurisdiction-specific amendments your clause library needs for UK, EU, and US vendor arrangements, and how to handle the case where the vendor's standard agreement proposes a jurisdiction that creates a regulatory supervision gap. You build a jurisdiction checklist that flags risk before drafting begins.
Module 9. The Register Entry as Legal Evidence
The ICT third-party register is a legal evidence document in a supervisory examination. This module covers what the register entry must contain to be defensible, how to link it to the signed contract so a regulator can trace the chain, and how legal can contribute to register accuracy without displacing the risk team's process. You produce a register entry template that incorporates the contractual references a supervisor will look for.
Module 10. Renegotiating Existing Contracts
Most of your ICT vendor agreements were signed before DORA was in force. This module covers how to conduct the contract gap analysis, which gaps require immediate renegotiation versus which can be addressed at renewal, and how to draft the DORA compliance amendment that closes the Article 30 gap without reopening commercial terms. You work through a gap analysis on a real pre-DORA agreement and produce the amendment letter.
Module 11. Advising Internal Stakeholders
The business wants to close. The risk team wants full Article 30 compliance. This module covers how to frame the legal risk of a non-compliant clause in terms a business stakeholder understands, when to escalate to the CCO versus when to resolve at the legal level, and how to write the internal advice memo that protects you if the deal closes with a residual gap. You draft the memo template and the escalation protocol.
Module 12. Building the Clause Library
The goal is a repeatable method, not a one-time fix. This module covers how to build a DORA clause library that your team can use across every ICT vendor engagement, how to version-control it as the regulatory guidance evolves, and how to brief junior lawyers so the review standard is consistent. You leave with a complete clause library structure, a version log template, and the briefing note you give to any lawyer joining a DORA-related transaction.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Vendor just sent a redline removing the incident notification window: Modules 4 and 6.
Preparing for supervisory examination of the ICT third-party register: Modules 1, 9, and 2.
Renegotiating a pre-DORA agreement at renewal: Module 10.
Advising business stakeholders on whether to accept a vendor's proposed carve-out: Modules 6 and 11.

What you get with this course

  • 12 written modules covering the full Article 30 drafting lifecycle from classification through clause library.
  • Downloadable clause templates for each provision type: subcontracting chain, incident notification, exit strategy, audit rights.
  • A gap analysis worksheet for existing ICT vendor agreements.
  • A jurisdiction checklist for cross-border ICT arrangements.
  • The hand-built implementation playbook: a complete DORA clause library and review protocol tailored to your firm's vendor profile, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

ICT vendor contract reviews run four rounds because each draft surfaces a new Article 30 gap. Audit findings reference missing clauses. Internal stakeholders see legal as a bottleneck rather than an advisor.

After

Contract review runs two rounds with a documented rationale for every clause decision. The register entry links directly to the signed agreement. Audit findings cite no contractual gaps. Business stakeholders receive a clear legal position at the start of negotiations, not after two weeks of drafting.

What happens if you do not address this

DORA's supervisory examination cycle is running. Banks with incomplete ICT third-party contracts are receiving findings letters. Each finding requires a remediation response and a revised contract. Legal teams that have not built a repeatable Article 30 method are relearning it on every new vendor engagement, at the cost of review cycles, audit exposure, and credibility with the risk committee.

Who it is for

Legal counsel or senior associate at a bank or financial institution who advises on technology contracts, vendor agreements, or regulatory compliance. You are the person your risk team calls when the ICT third-party register needs a contract reference. You understand the regulation's intent but want a reliable method for translating Article 30 into clause language that holds under examination.

Who this is NOT for. External law firm partners billing by the hour on DORA advisory work. Compliance officers who are not involved in contract drafting. Technology procurement teams without legal authority over clause selection.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Each module is designed to be completed in one focused session of 30-45 minutes. The full course is 12 modules. The implementation playbook is a working document, not reading material.

Why $199 is the right number

External law firm DORA advisory runs at partner rates for general guidance that is not specific to your firm's vendor portfolio. Internal training programmes cover the regulation but not the drafting method. This course teaches the specific clause-level skill and delivers a clause library you use on day one.

FAQ

Does this course cover the full DORA regulation or just Article 30?
The course focuses on Article 30 and the third-party contract provisions because that is where legal counsel has direct drafting responsibility. Operational resilience testing, ICT risk management, and incident reporting are covered only where they affect clause drafting decisions.
Is the clause library customised to my firm?
The implementation playbook is built for your firm's vendor profile based on the information you provide at enrolment. The clause library in the playbook reflects your firm's classification categories and the jurisdictions your ICT vendors operate in.
What if my firm's vendors are pushing back on provisions I know are mandatory?
Module 6 covers exactly this. You get the language to distinguish genuine operational constraints from negotiating positions, the internal escalation path, and the risk memo format that protects you when business pressure is high.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
