
This guide is for financial entities and ICT service providers operating within the European Union. If your organisation relies on third-party ICT services, Article 30 of the Digital Operational Resilience Act (DORA) directly impacts you. It mandates clear contractual obligations to enhance digital security, mitigate risks, and ensure operational resilience in the financial sector.

Non-compliance with Article 30 can lead to regulatory scrutiny, financial penalties, and operational disruptions. Understanding these requirements helps your organisation establish robust agreements that safeguard critical functions and meet EU regulatory standards.

At ITLawCo, we provide expert guidance to ensure your contracts align with DORA’s requirements, reducing legal risks and strengthening operational resilience.

Key contractual requirements under Article 30

Clear allocation of responsibilities

Contracts must explicitly define the rights and obligations of both parties, ensuring clarity in service level agreements (SLAs). The agreement must be documented in a durable format.

Mandatory provisions for all ICT contracts

  • Service description & subcontracting terms: A full description of the ICT services provided and whether subcontracting is allowed, including the conditions under which it is permitted.
  • Data processing locations: Identification of data storage and processing locations, with advance notification requirements for any change of location.
  • Data protection & security: Measures ensuring the availability, authenticity, integrity, and confidentiality of data.
  • Data access & recovery: Rights for financial entities to access and retrieve their data in case of the provider’s insolvency, contract termination, or discontinuation of the service.
  • Service level agreements (SLAs): Clearly defined performance indicators to enable effective monitoring and enforcement.
  • Incident assistance obligation: ICT providers must assist financial entities in responding to ICT incidents at no additional cost, or at a cost determined in advance.
  • Cooperation with authorities: ICT providers must cooperate with regulatory bodies and competent authorities.
  • Termination rights: Well-defined termination clauses with minimum notice periods.
  • Security awareness & training: ICT providers may be required to participate in the financial entity’s security awareness programmes.

Additional provisions for critical or important functions

For ICT services supporting critical or important functions, additional contractual obligations apply:

  • Enhanced SLA requirements: Performance targets must be detailed and measurable.
  • Notice and reporting obligations: ICT providers must notify financial entities of material developments that could impact service delivery.
  • Contingency planning & security: ICT providers must maintain contingency plans and security protocols.
  • Participation in threat-led penetration testing (TLPT): ICT providers must engage in TLPT exercises as mandated under DORA.
  • Monitoring & audit rights: Financial entities must have unrestricted audit rights over service providers.
  • Exit strategies & transition planning: Provisions must ensure a seamless transition to alternative providers or in-house solutions upon contract termination.

Standard contractual clauses & regulatory standards

Where possible, financial entities and ICT providers should adopt standard contractual clauses (SCCs) developed by regulatory bodies. No SCCs exist as yet.

The European Supervisory Authorities (ESAs) will develop further technical standards for subcontracting critical ICT services. The first batch of regulatory technical standards, finalised in January 2024, introduced key requirements for ICT risk management, incident classification and reporting, third-party contract registers, and ICT service policies. The second batch, published in July 2024, built upon these foundations by detailing requirements for threat-led penetration testing, major incident reporting, subcontracting, oversight harmonisation, and estimating costs of ICT incidents.

Ensuring compliance with ITLawCo

At ITLawCo, we help financial institutions and ICT providers structure contracts that align with DORA’s requirements. Our services include:

  1. Drafting & reviewing ICT contracts: Ensuring compliance with Article 30.
  2. Risk assessments: Identifying gaps in existing contractual agreements.
  3. Regulatory updates & training: Keeping your business up to date with evolving EU regulations.

Contact us today to ensure your ICT contracts are resilient, compliant, and future-proof.