Author: Nikoletta Maouri – Legal & Compliance Director
Contracts with ICT Service Providers
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force on 16 January 2023 and has applied since 17 January 2025. It introduces a comprehensive legislative framework to strengthen the digital operational resilience of the financial sector across the EU, reinforcing both cyber resilience capabilities and ICT third-party risk management arrangements.
A core element of DORA compliance is the contractual framework governing ICT service providers, mandated by Article 30. Financial entities must ensure that their agreements with ICT third-party service providers contain specific provisions addressing ICT risk mitigation, operational continuity, and regulatory compliance. It is important to note that these contractual requirements apply to every contractual arrangement on the use of ICT services, regardless of whether the services support critical, important or non-critical functions; the additional requirements of Article 30(3) then apply only where critical or important functions are supported.
Why DORA is Focusing on ICT Contracts
Financial entities today depend on a vast ecosystem of ICT providers, from cloud services and cybersecurity vendors to SaaS applications and payment processors. Acquiring or outsourcing an ICT service, however, does not transfer regulatory responsibility to the provider.
DORA makes financial entities fully accountable for ICT risk even where services are outsourced. It also mandates clear contractual terms defining security, resilience, and compliance obligations, and it aims to limit ICT concentration risk so that the failure of a single provider does not become a systemic failure. By enforcing strict contractual requirements, DORA seeks to reduce ICT-related disruptions and support financial stability across the EU.
Key Pillars of DORA’s Contractual Requirements
The European Supervisory Authorities (ESAs) are tasked with drafting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that provide detailed specifications for DORA. The Commission then adopts the RTS as delegated regulations (and the ITS as implementing regulations). One such act is Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024, which specifies the detailed content of the policy on contractual arrangements for the use of ICT services supporting critical or important functions provided by ICT third-party service providers, as required by Article 28(10) of DORA.
This Delegated Regulation sets out the principles that financial entities must embed in their policy on ICT service contracts supporting critical or important functions. At the forefront is the principle of governance and responsibility: ultimate accountability for managing ICT third-party risk rests with the financial entity's management body, which must review the policy at least annually. This is complemented by the requirement for a contract policy that governs the entire lifecycle of ICT contracts, from initial approval and risk assessment through ongoing monitoring to exit. Furthermore, essential contractual clauses must be embedded in contracts for ICT services supporting critical or important functions, covering aspects such as service levels, data security, and the financial entity's audit rights. Finally, the policy must be proportionate to risk, tailored to the risk level, size, and complexity of the services being provided.
Practical Steps to Ensure DORA Compliance
To translate these principles into concrete actions, financial entities must integrate several practices into their operational workflows. A mandatory first step is a thorough risk assessment before any new ICT contract is finalized, and retrospectively for all existing agreements. This assessment must be comprehensive, covering operational, legal, ICT, and reputational risks. Following the risk assessment, a robust and consistently executed due diligence process is required for the selection and evaluation of ICT providers, and that process must be documented.
Finally, the contractual agreements themselves must be fortified with clear contractual clauses, monitoring mechanisms, and exit strategies. Contracts should be comprehensive, with clearly defined rights and obligations for both parties. Ongoing monitoring needs a framework with clear performance indicators and reporting requirements. To prepare for any eventuality, institutions must also maintain well-defined exit and termination plans for contracts supporting critical or important functions, so that business continuity is preserved if the relationship ends.
Article 30: What Your ICT Contracts Need
Article 30 of DORA specifies the minimum content of all contractual arrangements between financial entities and ICT third-party service providers, not only those labelled as outsourcing. Under Article 30(4), financial entities must consider using standard contractual clauses (SCCs) developed by public authorities for specific services; however, no such DORA-specific SCCs have been published to date.
Article 30(2) sets out the elements required in every such contract, and Article 30(3) adds minimum content for contracts with ICT providers supporting critical or important functions.
Summary of Article 30(2) Requirements
| Subject | Summary |
|---|---|
| Description of Services | A clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function (or material parts of it) is permitted and, if so, under which conditions. |
| Location of Data | The locations (regions or countries) where the contracted or subcontracted services are to be provided and where data is to be processed and stored; the provider must notify the financial entity in advance of any intended change to these locations. |
| Data Protection | Provisions ensuring the availability, authenticity, integrity, and confidentiality of data, including personal data. |
| Data Access and Recovery | The financial entity's right to access, recover, and have returned in an easily accessible format the personal and non-personal data it processes, in the event of the provider's insolvency, resolution or discontinuation of business, or termination of the contract. |
| Service Level Descriptions | Clear and precise service level descriptions, including updates and revisions. |
| Incident Assistance | The obligation of the ICT provider to assist the financial entity when an ICT incident related to the services provided occurs, at no additional cost or at a cost determined in advance. |
| Cooperation with Authorities | The obligation of the ICT provider to cooperate fully with the financial entity's competent authorities and resolution authorities. |
| Termination Rights | Termination rights and the associated minimum notice periods, clearly defined. |
| Participation in Security Programs | Conditions for the ICT provider's participation in the financial entity's ICT security awareness programmes and digital operational resilience training. |
Summary of Article 30(3) Requirements for Critical or Important Functions
For ICT services supporting critical or important functions, Article 30(3) imposes the following requirements in addition to those above:
| Subject | Summary |
|---|---|
| Enhanced Service Level Requirements | Full service level descriptions with precise quantitative and qualitative performance targets, so that the financial entity can monitor performance effectively and take corrective action without undue delay when service levels are not met. |
| Notice and Reporting Obligations | Notice periods and reporting obligations for the ICT provider, including notification of any development that might materially affect the provider's ability to deliver the services at the agreed service levels. |
| Contingency Planning and Security | Requirements for the ICT provider to implement and test business contingency plans and to have in place ICT security measures, tools, and policies that provide an appropriate level of security for the financial entity's services. |
| Participation in Threat-Led Penetration Testing (TLPT) | The obligation of the ICT provider to participate and fully cooperate in the financial entity's TLPT as referred to in Articles 26 and 27. |
| Monitoring and Audit Rights | The financial entity's right to monitor the provider's performance on an ongoing basis, which entails unrestricted rights of access, inspection, and audit by the financial entity (or an appointed third party) and by the competent authority, the provider's full cooperation during on-site inspections and audits, and agreement on the scope, procedures, and frequency of such inspections and audits. |
| Exit Strategies & Transition Planning | Exit provisions ensuring an orderly transition to an alternative provider or to an in-house solution on termination or expiry of the contract, including a mandatory adequate transition period during which the provider continues to deliver the services so as to reduce disruption. |
Conclusion
DORA fundamentally reshapes how financial entities engage with ICT third-party service providers, marking a clear shift from procurement-driven contracting to resilience-driven governance. Financial entities remain fully accountable for operational resilience even where ICT services are outsourced.
Contracts with ICT third parties are no longer a formality but a core control mechanism, requiring enforceable rights on access, audit, monitoring, incident reporting, subcontracting and termination.
Operational resilience cannot be outsourced; responsibility for it always lies with the financial entity.
ICT third-party relationships must be actively governed, contractually robust, and aligned with the financial entity's critical or important functions and its risk appetite.