Sharing practical insights from implementing DORA requirements at a Danish GP
Before joining FundFrame, I worked at a Danish GP (General Partner) focusing on becoming compliant with DORA.
One of the toughest and most time-consuming challenges we faced was reviewing every vendor contract to ensure each met DORA’s strict ICT requirements. The task kept being postponed because it was simply too overwhelming to begin.
Our initial approach was to assign an analyst to manually review every contract. However, once we estimated the time required, which amounted to several weeks of work, we knew we needed a different strategy.
The solution we developed may be useful for others who are facing similar challenges.
Understanding the Challenge
DORA requires financial institutions to maintain comprehensive oversight of all ICT third-party providers.
For us, this meant verifying that every vendor contract included 13 specific requirements identified by the GP as critical.
The complexity stemmed from several factors:
- Different requirements applied depending on vendor criticality (Tier 1, 2, or 3)
- Contracts often spanned multiple documents (master agreements, addenda, and DPAs)
- Each requirement needed consistent interpretation across all vendors
- The findings needed to be actionable, not merely informational
This is a challenge that many financial institutions face when implementing DORA: ensuring systematic, consistent, and auditable reviews of vendor agreements.
The Solution: 15 Specialized AI Agents
Instead of relying on manual review, we built a system of 15 AI agents integrated directly into the GP’s existing vendor management platform.
Each “agent” was an LLM-powered evaluator focused on a single, well-defined task. Together, they created a structured and auditable compliance review process that allowed for scale, transparency, and repeatability.
The Architecture
Agents 1–13: Requirement Specialists
Each specialist agent reviewed contracts for one specific DORA requirement.
For example, Agent #4 verified whether contracts included clauses on “data access, recovery, and return in the event of insolvency or contract termination.”
Agent 14: The Synthesizer
This agent consolidated outputs from all 13 specialist agents into a unified compliance assessment for each vendor.
Agent 15: The Communicator
The final agent drafted clear, vendor-facing emails that translated technical findings into understandable requests for contract amendments.
See It in Action
To illustrate how this worked in practice, I recorded a walkthrough of the system in use:
🎥 Watch the AI agents in action
The video demonstrates how each agent processes contract documents independently and produces clear, actionable compliance results.
How the Agents Evaluated Contracts
Each agent provided binary and transparent feedback. Either the requirement was met or it was missing, with specific references to the text.
Example – Requirement Met:
✅ The DORA Addendum commits FundFrame to ensure access, recovery, and return or export of customer data in a commonly used format with transition assistance upon termination or insolvency.
Example – Requirement Missing:
❌ Confidentiality obligations and backup provisions are included, but there is no explicit commitment on data integrity or authenticity, and the referenced DPA was not provided.
This approach eliminated ambiguity and allowed the compliance team to immediately see which requirements were met and which required remediation.
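An added example, not code from the system described in this post: a sketch of the Agent 14 consolidation step that accepts a "met" verdict only when the cited text actually appears in the provided document set, and routes everything else to human review. The tier-to-requirement map, the `Finding` fields, and the sample documents are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tier map: the page says requirements vary by tier but does not
# list them, so these sets are assumptions. Requirement ids are agents 1-13.
TIER_REQUIREMENTS = {1: set(range(1, 14)), 2: {1, 2, 4, 7}, 3: {1, 4}}

@dataclass
class Finding:
    requirement: int  # specialist agent number, 1..13
    met: bool         # binary verdict from the agent
    quote: str        # contract text the agent cites as evidence
    source: str       # document the quote is attributed to

def _norm(text):
    # Case- and whitespace-insensitive comparison for quoted evidence.
    return " ".join(text.lower().split())

def synthesize(tier, documents, findings):
    """Consolidate specialist findings into one assessment for a vendor."""
    by_req = {f.requirement: f for f in findings}
    out = {"met": [], "missing": [], "review": []}
    for req in sorted(TIER_REQUIREMENTS[tier]):
        f = by_req.get(req)
        if f is None:
            out["review"].append((req, "no finding returned"))
        elif not f.met:
            out["missing"].append(req)
        elif f.source not in documents:
            out["review"].append((req, "cited document not provided: " + f.source))
        elif not f.quote or _norm(f.quote) not in _norm(documents[f.source]):
            out["review"].append((req, "quote not found in cited document"))
        else:
            out["met"].append(req)
    out["compliant"] = not out["missing"] and not out["review"]
    return out

# Constructed sample: a two-document set and three agent outputs.
DOCS = {
    "master_agreement.txt": "Provider keeps Customer data confidential.",
    "dora_addendum.txt": "Provider shall ensure access, recovery and return\n"
                         "of customer data upon termination or insolvency.",
}
FINDINGS = [
    Finding(4, True, "access, recovery and return of customer data", "dora_addendum.txt"),
    Finding(1, True, "Provider guarantees data integrity", "dpa.txt"),
    Finding(2, False, "", ""),
]

if __name__ == "__main__":
    print(synthesize(2, DOCS, FINDINGS))
```

A "met" verdict that cites a document outside the supplied set, as with the missing DPA in the example above, is never counted as met; it lands in the review queue with the reason attached.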
Implementation Insights
The entire system was built in approximately one day, compared to the weeks a manual review would have required.
More importantly, it provided several key insights relevant to any organization regulated by DORA.
1. Vendor Tiering Matters
By tailoring requirements to vendor criticality, we ensured focus where it mattered most. Tier 1 vendors received stricter scrutiny than Tier 3 vendors.
2. Independence Enables Flexibility
Each agent operated independently, which meant that when regulatory guidance evolved, we could update one agent without rebuilding the entire system.
3. Context Is Crucial
Compliance clauses are often distributed across multiple documents. Training agents to evaluate an entire document set rather than a single file was essential.
Practical Takeaways for DORA Implementation
For organizations beginning their DORA journey, a few principles stand out:
- Start with Clear Requirements: Define precisely what each DORA requirement means for your organization before automating any processes.
- Leverage Existing Tools: Build within systems your team already uses to minimize training needs and accelerate adoption.
- Design for Iteration: Compliance evolves, so systems should be modular and easy to update as regulatory interpretation develops.
- Maintain Human Oversight: AI can efficiently identify gaps, but human judgment is still required to determine remediation priorities and manage vendor negotiations.
Beyond DORA
This agent-based approach can also be applied beyond contract review.
Similar systems can automate evaluations of:
- Annual audit reviews (SOC 2, ISO, etc.)
- Policies and procedures
- Risk assessment documentation
The essential idea is to identify discrete, well-defined requirements that can be consistently evaluated across multiple documents or scenarios.
Looking Forward
As DORA implementation progresses across Europe, sharing practical approaches and lessons learned will be increasingly valuable.
Of course, what worked for one institution may require adaptation for another, but the core principles remain the same.
In the end, what began as an overwhelming, time-consuming review process became structured, repeatable, and auditable.
Having been through DORA implementation ourselves, we understand the practical challenges institutions face. If you’d like to explore how similar AI-enabled approaches could support your compliance efforts, reach out to our consultancy team.




