A practical DORA guide for financial entities in scope reviewing ICT service contracts, critical or important functions, subcontracting chains, register records, audit rights, exit plans, and evidence.
Start by checking whether the ICT service supports a critical or important function. Use it when procurement, legal, ICT risk, security, resilience, outsourcing, internal audit, and business-service owners need one cited view of what the contract and register must show.
Structured answer sets in this page tree.
Cited legal and guidance references.
DORA applies to financial entities in scope of Article 2, and it treats ICT third-party risk as part of the entity's own ICT risk management framework. The first practical decision point is whether the ICT service supports a critical or important function. If it does, the contract review has to do more than collect security schedules: it must document the arrangement in the register of information, preserve access and audit rights, control subcontracting, and maintain a credible exit route.
The first control point is accountability. DORA Article 28 says financial entities remain responsible for compliance when they use ICT services to run business operations, and it requires ICT third-party risk to be managed inside the ICT risk management framework.
For arrangements that support critical or important functions, the review should connect three records: the business function assessment, the written contract, and the register of information. If those records disagree, the contract is not ready for approval.
DORA requires a register of information for contractual arrangements on ICT services, and the register must distinguish arrangements that support critical or important functions from those that do not. The register is not only a reporting file; it is evidence for internal ICT risk management, supervision, and critical-provider oversight.
The register ITS turns the contract into structured data. For a contract supporting a critical or important function, the evidence package should include the contractual reference number, parties and identifiers, function identifier, ICT service type, direct provider, relevant subcontractors, service supply chain rank, substitutability assessment, last audit date, exit-plan status, reintegration possibility, discontinuation impact, and alternatives.
DORA Article 30 sets minimum written-contract content for ICT services. For every ICT service arrangement, the contract needs a clear allocation of rights and obligations, a complete service description, service levels, locations, data protection provisions, cooperation duties, termination rights, and incident assistance.
For ICT services supporting critical or important functions, DORA adds stronger clauses: precise service-level targets, notice and reporting obligations for material developments, contingency-plan and ICT security requirements, cooperation in relevant resilience testing, ongoing monitoring rights, unrestricted access, inspection and audit rights, and exit strategies with an adequate transition period.
Subcontracting is not a background procurement detail under DORA. If an ICT third-party provider may subcontract a service supporting a critical or important function, the contract should define what is eligible for subcontracting, the conditions for use of subcontractors, the approval or objection process, and the provider's continuing responsibility for subcontracted services.
The subcontracting RTS requires financial entities to assess the chain before entering into the arrangement and periodically afterwards. That assessment should cover the provider's ability to identify relevant subcontractors, subcontractor resources and controls, locations, data processing and storage locations, concentration risk, transferability, continuity impact, and obstacles to audit, inspection, and access rights.
A DORA contract file should be reviewable by management, internal audit, competent authorities, and, where a provider is designated as critical, the relevant oversight structure. Oversight does not supersede the financial entity's own responsibility: contract evidence must show that the entity can monitor the provider, act on shortcomings, and exit without disrupting business activities, regulatory compliance, or client service continuity.
Critical ICT third-party provider designation is handled by the ESAs through the Joint Committee, with criteria covering systemic impact, financial-entity reliance, critical or important functions, direct and indirect reliance through subcontracting, and substitutability. The register of information is a key data source for that designation and oversight process.
Ask whether the ICT service supports a critical or important function. That answer drives the register entry, pre-contract risk assessment, required clauses, subcontracting controls, audit rights, and exit-plan depth.
No. Certifications and provider audit reports can support assurance, but DORA contract-policy rules require the financial entity to assess their scope and retain the contractual right to perform individual or pooled audits where needed.
For critical or important functions, focus on subcontractors that effectively underpin the ICT service or whose disruption would impair service security or continuity. The register ITS links those subcontractors to the ICT service supply chain.
Sorena can help map ICT provider contracts to DORA clauses, subcontracting conditions, register fields, audit-right evidence, and exit-plan records.
Ask cited questions about ICT third-party risk, critical or important functions, contract clauses, subcontracting, oversight, and evidence.
Walk through provider contracts, register fields, audit rights, subcontracting controls, and exit plans with Sorena.
"criteria for the designation"
"independent review and audits"
"overall chain of subcontractors"
"ICT service supply chain"
"Oversight Framework"