DORA Contractual Arrangements Explained: Mandatory Clauses and Termination Rights

General Counsel

Updated

Apr 24, 2026

6 min. read

If your organization uses third-party technology providers in the EU financial sector, you need to know exactly what should be included in your ICT contracts. The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has been fully enforceable since January 17, 2025, and its contractual requirements are more specific than anything the sector has faced before.

Here is what you need to know.

What DORA Is and Why Contracts Are Central to It

DORA is an EU regulation that creates a single, harmonized framework for managing Information and Communication Technology (ICT) risk across the financial sector. It applies to banks, insurers, investment firms, payment institutions, crypto-asset service providers, and dozens of other entity types listed in Article 2.

Chapter V of the regulation—Articles 28 through 30—covers ICT third-party risk.

Article 28 sets out general principles and termination rights. Article 30 specifies exactly what must appear inside every ICT contract. The two articles work together, and you need both to be compliant.

The Two-Tier Contract Structure

DORA uses a tiered approach. The required contract content scales with the service’s criticality.

  • Tier 1 (Article 30.2): A baseline set of mandatory clauses applies to every ICT agreement, regardless of the service’s criticality.
  • Tier 2 (Article 30.3): A more extensive set of additional requirements applies to contracts covering functions whose disruption would materially impair a financial entity’s performance, continuity, or regulatory compliance.

DORA allows for a proportionality assessment based on the nature, scale, and complexity of ICT-related dependencies, as well as the risks arising from contractual relations with ICT providers. Bird & Bird, a small firm that uses cloud email, faces a lighter burden than a bank that runs its core systems on the same platform. The function determines the requirement level, not the provider.

Mandatory Clauses for All ICT Contracts (Article 30.2)

Article 30.1 establishes that rights and obligations must be clearly allocated and set out in writing, with the full contract documented in one written document available in a downloadable, durable, and accessible format. Beyond that, every ICT contract must include at a minimum:

Clause | What It Must Cover
Service description | Regions or countries where services are delivered and data is processed
Data location | Regions or countries where services are delivered and data is processed
Data protection | Availability, authenticity, integrity, and confidentiality of data, aligned with GDPR (Regulation (EU) 2016/679)
Data recovery | Guaranteed access to and return of data on insolvency, discontinuation, or contract termination
Service levels | Descriptions of service levels, including updates and revisions
Incident assistance | Provider assistance during ICT incidents, at no extra cost or at a pre-agreed cost
Regulatory cooperation | Full cooperation with the financial entity's competent authorities and resolution authorities
Termination rights | Explicit termination rights and minimum notice periods
Security training | Conditions for the provider's participation in the financial entity's resilience and security awareness programs

Additional Requirements for Critical Functions (Article 30.3)

If the contract covers a critical or important function, Article 30.3 adds a second layer of obligations on top of the baseline.

  • Quantitative service level targets. General descriptions are not enough. The contract must include precise quantitative and qualitative performance targets to allow the financial entity to effectively monitor ICT services and take appropriate corrective actions without undue delay when agreed service levels are not met.
  • Material impact notifications. The provider must notify the financial entity of any development that could materially affect its ability to provide ICT services effectively in line with agreed service levels. This is a forward-looking disclosure obligation, not a reactive one.
  • Business continuity and security requirements. The provider must contractually commit to implementing and testing business contingency plans and maintaining ICT security measures aligned with the financial entity’s regulatory framework.
  • Threat-Led Penetration Testing (TLPT) participation. The provider must participate in the financial entity’s TLPT exercises, as defined in Articles 26 and 27 of DORA. Securing this agreement from large vendors is one of the more challenging negotiating points in practice.
  • Unrestricted audit rights. Financial entities must ensure contractual arrangements for access, inspection, and audit rights over the ICT provider, including the frequency of audits, the areas to be audited, and the applicable audit standards. A nominal audit right that cannot be exercised in practice does not satisfy the regulation.
  • Exit and migration rights. The contract must include the right to migrate to another provider or to bring the service in-house, which directly relates to the exit strategy requirements in Article 28.

Termination Rights: What Article 28.7 Requires

Termination rights are not optional contract terms to be negotiated away. Article 28.7 mandates that financial entities ensure contractual arrangements on the use of ICT services may be terminated in any of the following circumstances:

Trigger | Description
Significant legal or contractual breach | The provider materially breaches applicable laws, regulations, or contract terms
Material change affecting performance | Monitoring identifies circumstances that alter how contracted functions are delivered
ICT risk management weaknesses | The provider shows evidenced weaknesses in data availability, authenticity, integrity, or confidentiality
Supervisory impairment | The competent authority can no longer effectively supervise the financial entity due to conditions arising from the contract

The fourth trigger is the one most organizations miss. If your regulator loses visibility over your operations because of how your third-party relationship is structured, that alone grounds mandatory termination rights under DORA.

Exit Strategies: Beyond the Termination Clause

Having the right to terminate is not the same as being able to exit safely. Article 28.8 requires that for critical or important functions, financial entities put in place exit strategies that account for risks such as provider failure, deterioration of service quality, and material risks to the continuous deployment of the ICT service. Exit plans must be comprehensive, documented, and periodically tested and reviewed.

Vendor lock-in must be mitigated: exit strategies must define exit paths, data portability, and plans that are realistic and embedded in continuity planning. The Commission Delegated Regulation (EU) 2025/532 of March 24, 2025, adds further specificity to subcontracting assessment requirements that feed directly into exit planning.

Practical Steps to Get Compliant

  1. Map your ICT contracts into a register (Article 28.3), noting services, provider locations, and function criticality for each.
  2. Classify functions as critical or important using the Article 3 definition. This classification drives everything else.
  3. Run a gap analysis against Article 30.2 for all contracts, and Article 30.3 for critical function contracts.
  4. Review termination clauses to ensure all four Article 28.7 triggers are explicitly covered.
  5. Build your exit strategies for critical functions. If you cannot describe how you would migrate away from a given provider, that is a compliance gap.
  6. Address hyperscaler asymmetry. Providers like AWS, Azure, and Google dominate the market, leaving firms with limited negotiating power. The customized clauses DORA requires often clash with standardized offerings, so firms must develop risk-mitigation strategies and document any deviations.

DORA’s contractual requirements are demanding, but working through them produces a clearer picture of your technology dependencies and vendor relationships built on documented accountability. Supervisory scrutiny in this area is active.

General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.