
DORA contractual clauses for agreements with ICT service providers

Requirements for the content and management of ICT contracts according to DORA

Robin Schmeisser

Created on 20 January 2025


DORA stipulates minimum contractual contents for the outsourcing of IT services to third-party service providers*. For example, ICT contracts must cover security requirements, incident reporting, data processing and storage, business continuity and recovery plans, and transitional arrangements. Significant changes compared to previous regulations include the participation of third-party service providers in threat-led penetration tests (TLPTs), as well as explicitly specified termination rights and notice periods.

The regulations differentiate between requirements that apply to all ICT contracts and those that relate to ICT outsourcing that supports critical or important functions**:


Minimum contractual terms according to DORA

Contractual clause | Critical / important function | Non-critical / important function
Location | |
Data protection | |
Access to data | |
Assistance in ICT incidents | |
Cooperation with competent authorities | |
Participation in training by the financial company | |
Requirements for the form and amendment of contractual agreements | (Extended) |
ICT service description | (Extended) |
Description of the service quality | (Extended) |
Termination rights and minimum notice periods | (Extended) |
Subcontracting (e.g. admissibility) | x |
Inspection / monitoring rights | x |
Reporting obligations of the ICT service provider | x |
Business contingency plans | x |
Specific ICT security measures | x |
TLPT participation | x |
Exit strategy | x |

Source: BaFin
A detailed list of the minimum contractual clauses according to DORA is available here.


Bring contracts with ICT service providers into DORA compliance

The contract contents listed above must be taken into account in both new and existing agreements. Financial entities are therefore required to review all outsourcing contracts for DORA compliance and to adapt them where necessary. The Fabasoft DORA software supports this with an AI-assisted contract review and the automated creation of the necessary supplementary agreements based on your own clause library. Read more here: AI: Check contracts automatically for DORA compliance | Fabasoft DORA


*) Regulatory basis:
  • Requirements for all contractual agreements (mainly Art. 30 (2) DORA);
  • Requirements for contractual agreements for ICT services that support critical or important functions (mainly Art. 30 (3) DORA);
  • Requirements from the two RTS on ICT third-party risk management: RTS TPPoI and RTS E-SUB
**) See the definition in Art. 3 DORA: "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;"