Kortave
DORA · 5 May 2025 · 8 min read

DORA Is Already in Force. Your ICT Contracts Probably Are Not Ready.

DORA's contractual requirements for ICT third-party arrangements are specific, mandatory, and not optional by agreement. Most financial firms are behind.

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became fully applicable on 17 January 2025. For financial entities across the EU, including banks, insurers, investment firms, payment institutions, crypto-asset service providers and dozens of other categories listed in Article 2, the full regulatory framework is now binding. One of the most operationally demanding aspects is what DORA requires of contracts with ICT third-party service providers.

Why ICT contracts matter under DORA

DORA is built on the recognition that financial entities depend critically on ICT services provided by third parties — cloud providers, core banking software vendors, payment processors, network operators, cybersecurity firms — and that this dependency creates systemic risk. A single critical provider failing or being compromised can affect dozens of financial institutions simultaneously.

Articles 28 through 44 of DORA (Chapter V) establish a comprehensive framework for managing this risk. At its core is a requirement that every contract with an ICT third-party service provider set out, in writing, a specific set of mandatory provisions. These are obligations on the financial entity, not defaults the parties can bargain away: a contract that lacks them must be amended, and Article 28(7) requires the entity to retain termination rights it can exercise if the provider will not comply or if the arrangement prevents the competent authority from supervising effectively.

What contracts must include

Article 30 specifies the mandatory contractual content. Article 30(2) sets the baseline that applies to every contract with an ICT third-party service provider; Article 30(3) adds further provisions where the contract supports a critical or important function. Every contract must include:

  • A clear and complete description of all functions and ICT services to be provided, including whether sub-contracting of an ICT service supporting a critical or important function is permitted and, if so, the conditions applying to such sub-contracting.
  • The locations (regions or countries) where the functions and services are to be provided and where data is to be processed, including storage locations, together with an obligation on the provider to notify the financial entity in advance of any envisaged change of location.
  • Provisions on availability, authenticity, integrity and confidentiality, including the protection of personal data.
  • Provisions ensuring access to, recovery and return of the financial entity's data in an easily accessible format on the provider's insolvency, resolution or discontinuation of business, or on termination of the contract.
  • Service level descriptions, including updates and revisions.
  • Termination rights and related minimum notice periods, in line with the expectations of competent authorities.

Contracts supporting critical or important functions must additionally include:

  • Full service level descriptions with precise quantitative and qualitative performance targets, so that the financial entity can monitor the service effectively and take corrective action when agreed levels are not met.
  • Notice periods and reporting obligations of the provider toward the financial entity, including notification of any development that might materially affect its ability to provide the service.
  • Requirements for the provider to implement and test business contingency plans, and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the financial entity's service.
  • An obligation on the provider to participate and fully cooperate in the financial entity's threat-led penetration testing (TLPT) under Articles 26 and 27.
  • The right to monitor the provider's performance on an ongoing basis, including unrestricted rights of access, inspection and audit by the financial entity, an appointed third party and the competent authority.
  • Exit strategies, in particular a mandatory adequate transition period during which the provider continues to deliver the service while the financial entity migrates to another provider or brings the function in-house.

The audit rights problem

The audit rights requirement is proving the most difficult to satisfy in practice. Large cloud providers (AWS, Azure, Google Cloud) have historically resisted contractual audit clauses on the grounds that individual audits by every customer are impractical at scale. Under DORA, this resistance has legal limits: Article 30(3)(e)(i) requires unrestricted rights of access, inspection and audit, "the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies".

The same Article 30(3)(e) leaves room for how the right is exercised. Point (ii) allows the parties to agree on alternative assurance levels where other clients' rights would be affected, and that is the basis on which pooled audits (several financial entities sharing one appointed third-party auditor) and reliance on third-party certifications and audit reports (SOC 2, ISO 27001) are accepted in practice. Most large cloud providers have structured their DORA contract addenda around these pooled and certification-based alternatives.

The problem is that accepting a certification does not by itself meet DORA's requirements. The financial entity remains responsible for assessing whether the assurance is adequate for the risk, and that assurance must cover the specific functions and services it relies on. A generic ISO 27001 certificate for a vendor's entire operations does not necessarily cover the services you use: check the certificate's scope statement, or for a SOC 2 report the system description, the controls in scope and the period covered, and record the gaps that remain between that scope and your actual dependency. Any remaining gaps must be closed by other assurance, for example targeted on-site inspection or pooled audit.

Exit strategy and concentration risk

Article 28(8) requires financial entities to maintain documented exit strategies for ICT services supporting critical or important functions. Exit plans must be comprehensive, documented, sufficiently tested and reviewed periodically. This means you must have a credible, tested plan for migrating away from each critical provider within a defined transition period, not merely a contractual termination right, and the plan must work without disrupting business activities or breaching regulatory requirements.

Article 29 also requires financial entities, before concluding an arrangement, to assess ICT concentration risk at entity level: whether the arrangement would mean contracting a provider that is not easily substitutable, or having multiple arrangements with the same provider or closely connected providers. If your organisation runs 80% of its ICT infrastructure on one cloud provider, that concentration is itself a risk that must be assessed, documented and managed, regardless of the quality of that provider.

Practical next steps for in-scope entities

  • Review your register of information (Article 28(3)) and identify which arrangements support critical or important functions. Apply the additional requirements of Article 30(3) to those contracts first.
  • Review existing contracts against the Article 30 checklist. Most pre-DORA contracts will be missing several required provisions, particularly around sub-contracting transparency, audit rights, termination rights, transition periods and data portability.
  • Start vendor conversations early. Renegotiating a cloud or core banking contract takes months. Waiting until the competent authority requests your register of information is too late.
  • Document your ICT concentration risk assessment. This is a supervisory question, not a hypothetical one. Competent authorities are already asking how firms have mapped and assessed concentration risk.

DORA's contractual requirements are non-negotiable in the practical sense: they are obligations on the financial entity, and a provider's refusal to accept them does not relieve the entity of them. If your ICT supplier contracts do not contain the required provisions, you are already non-compliant, not potentially but presently. The only open question is when your competent authority reviews your contracts.
