With DORA now in effect, financial institutions across the EU are strengthening their cyber resilience and third-party risk management frameworks. One of the most critical aspects of compliance is contracting with ICT service providers—a key requirement under Article 30 of DORA.

Financial institutions must ensure that all third-party ICT contracts include specific clauses to mitigate cyber risks, ensure business continuity, and meet regulatory expectations. For ICT providers supporting a “critical or important” function, additional contractual obligations apply.
In this second installment of our "Prepare for DORA" series, we’ll break down:
Key DORA contract requirements for ICT service providers
How to determine if an ICT provider is “critical or important”
Concrete examples of contract clauses for DORA requirements
1. Why Does DORA Regulate Third-Party ICT Contracts?
Financial institutions rely heavily on ICT providers—from cloud services and cybersecurity vendors to SaaS applications and payment processors. However, outsourcing does not eliminate regulatory responsibility.
DORA ensures that financial institutions:
Retain full accountability for ICT risks, even when outsourcing services.
Establish clear contract terms to define security, resilience, and compliance obligations.
Prevent excessive third-party concentration risk to avoid systemic failures.
By enforcing strict contractual requirements, DORA aims to reduce ICT-related disruptions and ensure financial stability across the EU.
2. What Must Be Included in ICT Contracts Under DORA?
Under Article 30(2) of DORA, all ICT contracts must contain the following provisions:
2-1. Full Service Description & Performance Metrics
Clearly define the scope of services, security expectations, and performance standards.
Include Service Level Agreements (SLAs) to measure system availability, downtime limits, and security incident response times.
2-2. Security & Risk Management Obligations
The ICT provider must implement appropriate security controls to protect against cyber threats.
Financial institutions must be able to audit and verify the provider’s security posture.
2-3. Incident Reporting & Crisis Management
ICT providers must report any cybersecurity incident that could impact financial services.
Contracts should specify incident notification timelines and reporting obligations.
2-4. Business Continuity & Disaster Recovery
The contract must outline the provider’s resilience measures, including backup strategies, redundancy, and failover procedures.
Ensure recovery time objectives (RTOs) and recovery point objectives (RPOs) align with regulatory expectations.
2-5. Termination & Exit Strategy
Financial institutions must have a clear exit strategy if they switch ICT providers or bring operations in-house.
Ensure data migration, system continuity, and security obligations continue beyond contract termination.
3. When Do Additional Contract Obligations Apply? (Critical or Important Functions)
Under Article 30(3) of DORA, ICT service providers that support a “critical or important function” are subject to additional contractual requirements. A function is considered critical or important if:
Its failure would significantly disrupt operations or impact financial stability.
It cannot easily be replaced without substantial cost or operational disruption.
It is directly tied to regulatory or security obligations (e.g., payment processing, identity verification, cloud storage of sensitive data).
Examples of critical ICT service providers under DORA:
Cloud Infrastructure Providers (e.g., AWS, Microsoft Azure, Google Cloud)
Payment Processors (e.g., SIX Group, Worldpay, Adyen)
Core Banking Software Vendors (e.g., Temenos, Avaloq)
If an ICT provider supports a critical or important function, contracts must also include:
Enhanced security testing & resilience requirements
Regulatory cooperation agreements (allowing authorities to audit the ICT provider)
Stronger business continuity & transition planning measures
4. Concrete Examples of DORA-Compliant Contract Clauses
To help financial institutions meet DORA’s contractual obligations, here are sample clauses to include in ICT agreements:
Security & Risk Management Clause
"The ICT Service Provider shall implement and maintain technical and organizational security measures, including but not limited to encryption, multi-factor authentication (MFA), attack surface management and real-time threat monitoring, in alignment with applicable cybersecurity regulations, including DORA."
Incident Reporting Clause
"The ICT Service Provider shall notify the Financial Institution of any security incident, data breach, or operational disruption within [X] hours of detection. The notification shall include the nature of the incident, potential impact, and remediation steps."
Audit & Monitoring Clause
"The Financial Institution reserves the right to conduct security audits, penetration testing, and risk assessments of the ICT Service Provider’s infrastructure and security controls. The ICT Provider shall provide relevant documentation and support upon request."
Business Continuity & Exit Strategy Clause
"The ICT Service Provider shall maintain a Business Continuity and Disaster Recovery Plan, ensuring uninterrupted service availability. In the event of contract termination, the provider shall facilitate secure data migration and ensure a seamless transition to an alternative provider."
Compliance & Regulatory Cooperation Clause
"The ICT Service Provider agrees to cooperate with relevant financial supervisory authorities and provide necessary information regarding risk management, incident reporting, and operational resilience, as required under DORA."
5. What’s Next?
Part 3: Incident Reporting & Response Under DORA
What are DORA’s strict new reporting deadlines?
How should financial institutions structure their incident response plans?
What role do ICT service providers play in regulatory reporting?
Stay tuned for Part 3 coming soon!