DORA Artifact GuideICT third-party contracts

DORA Contract Remediation Workflow

Remediate ICT third-party contracts by tracing each service to supported functions, required contract clauses, subcontracting conditions, exit rights, and register-of-information fields.

Use this workflow with legal, procurement, ICT risk, outsourcing, operational resilience, service-owner, and register owners before signing, renewing, materially changing, or remediating DORA-relevant ICT service contracts.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA contract remediation is not only a clause review. For each ICT third-party arrangement, financial entities need to know whether the service supports a critical or important function, whether subcontracting is permitted, whether access and audit rights can actually be exercised, how exit would work, and how the arrangement is reflected in the register of information.

Section 1

1. Build the remediation inventory

Start with the register of information and procurement inventory, not with a blank contract template. DORA requires financial entities to maintain and update a register of information for contractual arrangements on the use of ICT services provided by ICT third-party service providers.

Create one remediation row per contractual arrangement and link it to the financial entity using the service, the signer, the direct ICT third-party provider, the supported function, the ICT service type, start and end dates, and any termination status. This lets the team identify which contracts need full Article 30 remediation and which only need baseline ICT-service documentation.

  • Inventory fields: contractual arrangement reference number, financial entity using the ICT service, direct ICT third-party provider identifier, function identifier, ICT service type, start date, end or renewal date, termination reason if applicable, governing law country, service provision countries, data storage and processing countries, and reliance level.
  • Criticality fields: whether the ICT service supports a critical or important function, whether the function would suffer no significant, low, material, or full reliance impact from disruption, and whether subcontractors effectively underpin the service.
  • Owner fields: legal or outsourcing owner for the contract, ICT risk owner for the service risk assessment, business owner for the supported function, procurement owner for supplier remediation, and register owner for data quality.
  • Evidence to attach: current signed contract, statement of work or order form, service description, supplier and subcontractor list, due-diligence file, service reports, audit or assurance reports, exit plan, and register extract before and after remediation.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 28 requires the register of information and distinguishes ICT contracts supporting critical or important functions.
Implementing Regulation (EU) 2024/2956 on DORA register templates
The ITS defines the register templates and data points used to structure the contract remediation inventory.
Section 2

2. Classify critical or important function support

For each contract, decide whether the ICT service supports a critical or important function before selecting remediation depth. DORA defines a critical or important function by the effect of disruption, defective performance, or failed performance on financial performance, service continuity, authorisation conditions, or other financial-services-law obligations.

Where a contract supports a critical or important function, the remediation file should also cover concentration risk, subcontracting chains, audit and access rights, business continuity, exit strategy, and notification to the competent authority for planned arrangements or when a function becomes critical or important.

  • Record the function and service in plain language: for example, payment processing platform, trading venue connectivity, customer authentication, core banking hosting, policy administration, reporting platform, or backup and recovery service.
  • Map the service to business impact: continuity, availability, customer or market impact, regulatory authorisation impact, data sensitivity, recovery objectives, and dependency on other ICT services.
  • Flag critical or important function support where a disruption would materially impair financial performance, soundness or continuity of services, authorisation compliance, or other obligations under financial services law.
  • Document planned material changes: DORA requires timely information to competent authorities about planned ICT service arrangements supporting critical or important functions and when a function has become critical or important.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
DORA defines critical or important functions and sets pre-contracting checks for ICT service arrangements.
Implementing Regulation (EU) 2024/2956 on DORA register templates
The register templates include function identifiers, ICT service type, and reliance levels for services supporting critical or important functions.
Section 3

3. Remediate mandatory contract terms

Use a clause matrix for Article 30 remediation. The contract should describe the ICT services and functions, locations of service provision and data processing, service levels, data protection and security commitments, incident assistance, cooperation with authorities, termination rights, notice periods, audit and access rights, business continuity, and exit support.

For contracts supporting critical or important functions, add the enhanced terms: full service level descriptions with quantitative and qualitative targets, notice and reporting duties for developments that may materially affect service delivery, business contingency and ICT security commitments, participation and cooperation in digital operational resilience testing where relevant, ongoing monitoring rights, and unrestricted access, inspection, and audit rights for the financial entity, appointed third parties, and competent authorities.

  • Service description: complete description of functions and ICT services, including whether subcontracting of the ICT service or material parts is permitted and under what conditions.
  • Location and data: regions or countries of service provision, data processing and storage, and advance notice before location changes.
  • Performance and monitoring: service levels, performance targets, key performance indicators, key control indicators, reports on activities, incidents, ICT security, business continuity measures, and testing.
  • Audit and access: contract rights to information, inspections, audits, ICT testing, copies of relevant documentation where critical to operations, and cooperation during authority or appointed-third-party audits.
  • Exit and termination: termination rights, minimum notice periods, data return and recovery, portability or transition support, and an exit plan that is realistic, feasible, periodically reviewed, and tested.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Article 30 lists the contractual elements for ICT services and the additional clauses for critical or important functions.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
The RTS specifies the contract-policy lifecycle, including due diligence, contractual clauses, monitoring, and exit planning.
Section 4

4. Fix subcontracting controls

Subcontracting review should be separate from general supplier due diligence. If an ICT third-party provider may subcontract ICT services supporting critical or important functions or material parts, the contract should say exactly which services may be subcontracted, the conditions for doing so, the provider's monitoring and reporting duties, and the financial entity's rights when subcontracting changes.

The financial entity should be able to identify subcontractors that effectively underpin the ICT service, assess the chain length and complexity, understand where subcontractors and data are located, consider concentration and transferability risks, and preserve equivalent access, inspection, and audit rights through the subcontracting chain.

  • Before approval: assess whether the provider can select, assess, identify, notify, and inform the financial entity about subcontractors supporting critical or important functions.
  • Contract conditions: require the provider to remain responsible for subcontracted services, monitor subcontractors, report on them, assess location risks, ensure continuity through the chain, and impose business contingency and ICT security requirements downstream.
  • Change control: require advance notice of intended material subcontracting changes, time to assess risk, and approval or non-objection before implementation.
  • Termination trigger: reserve the right to terminate where prohibited subcontracting occurs, material subcontracting changes are implemented without the required process, or the resulting risk exceeds the entity's tolerance.
Sources for this answer
Delegated Regulation (EU) 2025/532 on subcontracting ICT services supporting critical or important functions
The RTS specifies subcontracting assessment elements, contractual conditions, material-change controls, and termination rights.
Implementing Regulation (EU) 2024/2956 on DORA register templates
The register ITS requires information on subcontractors that effectively underpin critical or important ICT services.
Section 5

5. Close remediation with register updates and evidence

Do not close a remediation row when the contract is signed but the register and operating evidence still disagree. The close-out package should show the remediated clause set, the risk assessment result, the due-diligence and assurance basis, the subcontracting position, the exit plan, and the updated register fields.

The evidence file should also show how the contract will be monitored after remediation. Delegated Regulation 2024/1773 expects documented monitoring of performance, reports, incident information, service delivery, ICT security, business continuity measures, testing, shortcomings, and updates to the risk assessment.

  • Contract evidence: executed amendment or restated agreement, clause matrix showing Article 30 coverage, written material-change approvals, and renewal or change-control record.
  • Risk evidence: critical or important function classification, due-diligence result, concentration-risk review, subcontractor assessment, location-risk review, assurance reports, and residual-risk approval where gaps remain.
  • Operational evidence: service reports, incident reports, ICT security reports, business continuity and testing evidence, audit plan or pooled-audit arrangement, and corrective-action tracking for supplier shortcomings.
  • Register evidence: updated contractual reference, provider identifiers, function identifiers, ICT service type, start and end or renewal dates, termination reason when relevant, notice periods, data and service locations, reliance level, and subcontractor chain records.
Sources for this answer
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
The RTS supports documented monitoring, assurance, shortcomings remediation, and exit-plan testing after contract remediation.
Implementing Regulation (EU) 2024/2956 on DORA register templates
The register ITS identifies the data fields that should be reconciled after remediating an ICT third-party contract.
Recommended next step

Use this DORA workflow to prioritize contract gaps and register updates

Sorena can help turn your ICT contract inventory into remediated clause matrices, subcontractor assessments, exit-plan evidence, and register-of-information updates tied to DORA sources.

Research workflow
Open Research Copilot for DORA

Ask source-linked questions about DORA ICT third-party contracts, subcontracting, audit rights, exits, and register fields using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through DORA contract remediation

Review your ICT third-party contract gaps, critical or important function mapping, subcontracting controls, and evidence plan with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Article 30 lists the contractual elements for ICT services and the additional clauses for critical or important functions.
"full service level descriptions"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.