FAQEU DORA

DORA ICT Third-Party Contracts

DORA makes ICT third-party contracts part of ICT risk management, not only procurement paperwork.

Use this FAQ to check the clauses, register entries, subcontracting controls, audit rights, termination rights, exit plans, and evidence expected when ICT services support critical or important functions.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under DORA, a financial entity remains responsible for its regulatory obligations even when ICT services are provided by a third party. Contract review should therefore start by identifying the ICT service, the supported business function, whether that function is critical or important, and the evidence needed for supervision, monitoring, subcontracting decisions, termination, and exit.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

What must a DORA ICT third-party contract include?

Every ICT services contract should clearly allocate rights and obligations in writing, include service level agreements, describe the ICT services and functions being provided, identify service and data-processing locations, protect availability, authenticity, integrity and confidentiality of data, and cover data access, recovery and return if the provider fails, is resolved, discontinues operations, or the contract ends.

Where the ICT service supports a critical or important function, DORA adds a higher bar: full service level descriptions with quantitative and qualitative performance targets, provider reporting and notice obligations, business-contingency and ICT-security requirements, participation and cooperation in relevant resilience testing, ongoing monitoring rights, unrestricted access, inspection and audit rights for the financial entity or appointed third party and competent authority, and exit strategies with an adequate transition period.

  • Do not treat a master services agreement as complete unless the service order, SLA, data-location terms, audit rights, incident-assistance obligations, termination rights, and exit terms are all documented in an accessible durable format.
  • For critical or important functions, check whether the contract gives practical audit access and the right to take copies of relevant documentation where critical to provider operations.
  • Map each required clause to the affected ICT service, supported function, provider legal entity, subcontracting condition, and register-of-information reference.
Citations
Regulation (EU) 2022/2554 (DORA)

Article 30 sets the written contract requirements and the additional clauses for ICT services supporting critical or important functions.

Question 2

How should teams decide whether a contract supports a critical or important function?

Before signing, DORA requires the financial entity to assess whether the ICT service supports a critical or important function. DORA defines a critical or important function as one whose disruption would materially impair financial performance, soundness, continuity of services and activities, or continuing compliance with authorisation conditions or other financial-services-law obligations.

The assessment should be made before contract signature and reviewed when the service, supported function, data flow, provider, location, subcontracting chain, or business dependence changes. The 2024/1773 RTS also requires the contract policy to establish or refer to the methodology for determining which ICT services support critical or important functions and when that assessment is conducted and reviewed.

  • Record the supported business function, not only the technology category.
  • Assess operational, legal, ICT, reputational, data-protection, data-availability, provider-location, data-location, and concentration risks before contracting.
  • Escalate contracts that are hard to substitute, concentrate several important services with one provider, or make recovery of data or services dependent on a complex supplier chain.
Citations
Question 3

How do subcontracting terms affect DORA contract review?

If an ICT service supporting a critical or important function may be subcontracted, the contract must say whether subcontracting is permitted and under what conditions. DORA also requires the financial entity to weigh the risks of subcontracting, including long or complex chains, third-country subcontractors, concentration risk, data protection, and whether the chain affects the entity's ability to monitor the contracted function or the authority's ability to supervise it.

The 2025/532 subcontracting RTS makes this more concrete. Before entering the contract, the financial entity must decide whether the provider may subcontract a critical or important ICT service or material part of it. The arrangement should require provider identification of relevant subcontractors, notice of material changes, same access and inspection rights through the subcontracting chain, continuity obligations, location and data-location information where relevant, and termination rights where impermissible or unapproved material subcontracting changes occur.

  • List which critical or important ICT services or material parts are eligible for subcontracting.
  • Require notice early enough for the financial entity to assess material subcontracting changes before they apply.
  • Preserve equivalent access, inspection, and audit rights for the financial entity, competent authorities, and resolution authorities where subcontractors support critical or important functions.
  • Treat intra-group subcontractors as subcontractors when they provide ICT services supporting critical or important functions or material parts of them.
Citations
Question 4

What register and evidence should a DORA contract review leave behind?

The contract file should produce evidence for the DORA register of information as well as for legal, procurement, risk, security, outsourcing, and audit review. DORA requires a register for all contractual arrangements on the use of ICT services provided by ICT third-party service providers and requires it to distinguish arrangements that support critical or important functions from those that do not.

The 2024/2956 ITS turns that into structured register data. It requires templates for contractual arrangements, signing entities, providers, entities using ICT services, direct providers and subcontractors, ICT service supply chains, function identifiers, and assessments of ICT services supporting critical or important functions or material parts. The register information must be accurate, complete, consistent, integral, uniform, and valid.

  • Keep the contract reference number, contract type, provider identifiers, signing entity, entities using the service, ICT service description, supported function identifier, critical-or-important-function assessment, and annual expense or estimated cost where required by the template.
  • Keep the source evidence for due diligence: provider resources, information-security standards, business-continuity measures, audit reports or certifications used, location and data-location assessment, conflicts of interest, and concentration-risk assessment.
  • Keep monitoring evidence: periodic reports, incident reports, service delivery reports, ICT security reports, business-continuity testing reports, KPI and KCI reviews, independent review or audit outputs, shortcomings, corrective measures, and closure evidence.
  • Keep exit evidence: documented exit plan, periodic review and testing, transition schedule, alternative provider or in-house options, data-return plan, and contingency measures for service interruption, failed delivery, or unexpected termination.
Citations
Regulation (EU) 2022/2554 (DORA)

Article 28 requires the register of information for ICT third-party contractual arrangements and requires documentation distinguishing critical or important functions.

Recommended next step

Build the contract, register, subcontracting, and exit evidence together

Sorena can help map ICT third-party contracts to DORA clauses, critical-or-important-function decisions, register fields, subcontracting controls, monitoring evidence, and exit-plan records.

Research workflow
Open Research Copilot for EU DORA

Ask source-linked questions about ICT third-party contracts, subcontracting, register fields, and exit evidence using the cited DORA sources.

Explore next step
Talk to Sorena
Talk through implementation

Review your DORA ICT third-party contract workflow, evidence gaps, and register implications with Sorena.

Explore next step
Primary sources

References and citations

Implementing Regulation (EU) 2024/2956 on DORA register templates
eur-lex.europa.eu
Referenced sections
  • Provides the standard register templates and data-quality requirements for contractual arrangements, providers, supply chains, functions, and critical-or-important-function assessments.
"standard templates for the register of information"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Article 28 requires the register of information for ICT third-party contractual arrangements and requires documentation distinguishing critical or important functions.
"register of information"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.