DORA Contractual Requirements: ICT Third-Party Agreements
DORA Article 30 specifies mandatory provisions that must be included in contracts with ICT third-party service providers. These requirements ensure that contractual arrangements support digital operational resilience rather than undermining it.
For many financial entities, existing contracts will need review and amendment to meet DORA standards, particularly for services supporting critical or important functions.
Key Takeaways
| Point | Summary |
|---|---|
| Mandatory provisions | Specific terms required in all ICT service contracts |
| Enhanced for critical functions | Additional requirements for critical/important function support |
| Audit rights | Unrestricted access, inspection, and audit rights mandatory for services supporting critical or important functions |
| Exit provisions | Clear termination and transition terms required |
| Sub-outsourcing controls | Visibility and controls over sub-contractors |
Quick Answer: DORA requires every ICT service contract to be in writing and to cover service description, service and data locations, data security and data return, service levels, incident assistance, cooperation with competent and resolution authorities, and termination rights with minimum notice periods. Contracts supporting critical or important functions must additionally include full service level descriptions with quantitative and qualitative targets, sub-outsourcing conditions, ongoing performance monitoring rights, unrestricted audit and access rights, business contingency and ICT security obligations, TLPT participation, and detailed exit provisions. Existing contracts should be reviewed against these requirements and amended where necessary.
Requirements for All ICT Contracts
Basic Contractual Elements
All contracts with ICT third-party service providers must be in writing (on paper or in a downloadable, durable, accessible format) and must include:
| Provision | Description |
|---|---|
| Service description | Clear and complete description of all functions and services to be provided, including whether subcontracting of services supporting critical or important functions is permitted and on what conditions |
| Service locations | Regions or countries where services are provided and where data will be processed and stored, with advance notification of intended changes |
| Data security | Provisions on the availability, authenticity, integrity and confidentiality of data, including personal data |
| Data access and return | Access, recovery and return of data in an easily accessible format if the provider becomes insolvent, is resolved, or discontinues operations |
| Service levels | Service level descriptions, including updates and revisions |
| Assistance obligation | Provider assistance during ICT incidents affecting the service, at no additional cost or at a cost determined ex ante |
| Regulatory cooperation | Provider must fully cooperate with competent authorities and resolution authorities |
| Termination rights | Clear termination conditions and minimum notice periods |
| Training participation | Conditions for provider participation in the entity's security awareness programmes and resilience training |
Service Description
The contract must clearly define:
- Functions and services to be performed
- Technical specifications where relevant
- Dependencies and interfaces
- Service boundaries
Data Location
Specify, at the level of region or country:
- Where services will be provided
- Where data will be processed
- Where data will be stored
- Any data transfers between locations
- The provider's obligation to notify the entity in advance of any intended change of location
Service Level Agreements
Contracts should include measurable SLAs covering:
| Aspect | Examples |
|---|---|
| Availability | Uptime percentage, maintenance windows |
| Performance | Response times, throughput |
| Support | Response and resolution times |
| Reporting | Regular performance reporting |
Incident Notification
Provider obligations for incident notification:
- Timely notification of ICT-related incidents
- Information content requirements
- Communication channels
- Escalation procedures
- Ongoing updates during incidents
Regulatory Cooperation
Providers must agree to:
- Fully cooperate with competent authorities and resolution authorities
- Provide information upon request
- Support regulatory examinations and on-site inspections
- Allow authorities the same access and audit rights the financial entity itself holds
Termination Rights
Clear provisions for:
- Termination notice periods, including the minimum notice period DORA requires
- Grounds for termination, covering at least the circumstances in DORA Article 28(7): significant breach of applicable law, circumstances found through monitoring that could alter the provider's performance, evidenced weaknesses in the provider's overall ICT risk management, and the competent authority being unable to supervise the entity effectively because of the arrangement
- Immediate termination rights (material breach, regulatory requirement)
- Effects of termination, including data return and transition assistance
Enhanced Requirements for Critical Functions
When ICT services support critical or important functions, additional provisions are required.
Comprehensive Service Description
Beyond the basic description, specify:
| Element | Coverage |
|---|---|
| Full service scope | Complete specification of all services |
| Service level targets | Full service level descriptions with precise quantitative and qualitative performance targets, so that corrective action can be taken when agreed levels are not met |
| Critical function mapping | How services support critical or important functions |
| Dependencies | All technical and operational dependencies |
| Provider reporting | Notice periods and reporting obligations, including notification of any development that might materially affect the provider's ability to deliver the service |
Sub-Outsourcing Conditions
Controls over provider sub-contracting:
| Provision | Description |
|---|---|
| Prior notification | Advance notice of material sub-outsourcing |
| Approval rights | Approval required for critical function sub-contractors |
| Information rights | Visibility into sub-contractor arrangements |
| Flow-down requirements | Equivalent terms in sub-contracts |
| Termination triggers | Rights if sub-outsourcing is unacceptable |
Performance Monitoring Rights
The contract must provide:
| Right | Description |
|---|---|
| Ongoing monitoring | Ability to monitor performance continuously |
| Performance data | Access to performance metrics and reporting |
| Issue escalation | Defined escalation paths for issues |
| Remediation | Provider obligations to address deficiencies |
Audit and Access Rights
For services supporting critical or important functions, DORA requires "unrestricted rights of access, inspection and audit" for the financial entity and for the competent authority:
| Right | Scope |
|---|---|
| Access | Access to provider premises and systems |
| Inspection | Ability to inspect operations and controls, with full provider cooperation during on-site inspections |
| Audit | Rights to audit the provider (directly or via an appointed third party) |
| Documentation | Right to take copies of relevant documentation |
| Audit details | Provider obligation to supply the scope, procedures and frequency of its inspections and audits |
| Regulatory access | Equivalent rights for the competent authority |
These rights must not be impeded by other contractual arrangements. DORA does allow the parties to agree alternative assurance levels where exercising full access and audit rights would affect the provider's other clients, but that is the only permitted limitation, and the agreed alternative must still give the entity and its supervisor sufficient assurance.
Business Continuity
Provider obligations for resilience:
| Requirement | Description |
|---|---|
| Contingency plans | Provider must implement and test business contingency plans |
| ICT security | Provider must maintain ICT security measures, tools and policies adequate to the service |
| Testing | Regular testing of contingency arrangements |
| Results sharing | Sharing of test results with the financial entity |
| Coordination | Alignment with the entity's own continuity planning |
Testing Participation
For resilience testing:
- Provider must participate in the entity's testing programme
- Provider must participate and fully cooperate in threat-led penetration testing (TLPT) under DORA Articles 26 and 27 where the entity is in scope
- Cooperation with testing activities
- Remediation of identified issues
Exit Provisions
Detailed exit strategy and transition requirements:
| Provision | Description |
|---|---|
| Transition period | Mandatory adequate transition period during which the provider keeps delivering the service to limit disruption |
| Assistance | Provider support during transition |
| Data access | Continued access to data during transition |
| Data return | Return of data in a usable format |
| Service continuity | Continuation of services during transition |
| Migration | Migration to another provider or to an in-house solution |
| Knowledge transfer | Transfer of operational knowledge |
Negotiating DORA-Compliant Contracts
Approach to Existing Contracts
Review existing contracts against DORA requirements:
| Gap Type | Approach |
|---|---|
| Missing provisions | Negotiate amendments or addenda |
| Incomplete provisions | Supplement with additional terms |
| Conflicting provisions | Modify to align with DORA |
| Absent rights | Add required rights |
New Contract Negotiations
For new contracts:
- Use DORA requirements as baseline
- Include all mandatory provisions from the start
- Consider enhanced provisions for critical functions
- Document negotiation outcomes
Major Provider Challenges
Major cloud and technology providers often resist custom contract terms:
| Challenge | Approach |
|---|---|
| Standard terms only | Push for DORA addenda or supplements to the standard terms |
| Limited negotiation | Escalate through account management |
| Audit restrictions | Negotiate the alternative assurance levels DORA permits (certifications, independent audit reports, pooled audits) and record why they are adequate |
| Liability limitations | Document risk acceptance where needed |
Many major providers have published DORA-specific amendments or addenda; review them against Article 30 rather than assuming they are complete.
Risk-Based Prioritization
Prioritize contract remediation. DORA treats "critical or important function" as a single category, so the first split is whether a service supports such a function; within that group, rank by concentration risk and how hard the provider is to substitute:
| Priority | Focus |
|---|---|
| High | Providers supporting critical or important functions, starting with those that are hard to substitute or carry concentration risk |
| Medium | Other providers supporting critical or important functions |
| Lower | ICT providers that do not support critical or important functions |
Documenting Contract Compliance
Contract Review Records
Document for each contract:
- Review date and reviewer
- DORA provisions present
- Gaps identified
- Remediation actions
- Risk acceptance where applicable
Gap Tracking
Maintain tracking of:
- Contracts reviewed
- Gaps identified
- Remediation status
- Outstanding issues
- Risk acceptance decisions
Evidence for Regulators
Be prepared to demonstrate:
- Systematic contract review process
- Remediation efforts undertaken
- Current compliance status
- Risk management where gaps exist
Common Questions
Do all existing contracts need to be amended?
Review all ICT service contracts against DORA requirements. Contracts supporting critical or important functions are the highest priority for remediation. Where gaps exist, pursue amendments. Where providers will not agree, document the risk assessment and compensating controls.
What if providers refuse to include required provisions?
Document your attempts to negotiate and the provider's position. Assess the risks of proceeding without the provisions. Consider alternative providers. If continuing, document your risk acceptance and any compensating controls.
How do we handle standard cloud provider terms?
Major cloud providers increasingly offer DORA addenda. Engage with account teams about DORA-specific terms. Where standard terms fall short, document your risk assessment and any compensating controls. Consider how provider certifications and attestations address requirements.
Are verbal agreements acceptable?
No. DORA requirements must be documented in written contractual arrangements. Verbal agreements are not sufficient for demonstrating compliance.
How often should contracts be reviewed?
Review contracts at renewal, when significant changes occur (including provider notifications of location changes or material sub-outsourcing), and on a periodic cadence set in your ICT third-party risk policy; DORA does not fix an interval, and annual review for providers supporting critical or important functions is a common choice. Ongoing monitoring of provider performance and compliance is required in any case.
How Bastion Helps
Bastion supports financial entities in achieving DORA contractual compliance:
- Contract review: Assessment of existing contracts against DORA Article 30, prioritising providers that support critical or important functions
- Gap analysis: Identification of missing or inadequate provisions
- Amendment support: Drafting of contract amendments and addenda
- Negotiation guidance: Support for provider negotiations
- Risk documentation: Documentation of risk acceptance where needed
- Ongoing monitoring: Frameworks for contract compliance monitoring
Ready to review your ICT service contracts? Talk to our team
Sources
- Regulation (EU) 2022/2554 (DORA), Article 30 - Key contractual provisions
- DORA Articles 28-29 - General principles and preliminary assessment of ICT third-party risk
- ESA regulatory technical standards under DORA Article 28(10) (policy on ICT services supporting critical or important functions) and Article 30(5) (subcontracting of ICT services supporting critical or important functions)
