
A DORA-compliant contract should contain a number of elements to meet regulatory requirements and ensure effective cooperation between financial entities and ICT providers.
How should an ICT provider be evaluated before entering into a cooperation?
According to Article 2(1)(u), ICT third-party service providers that provide services to financial entities are subject to the Digital Operational Resilience Act in the same way as the financial entities themselves. For this reason, it is important to establish whether a particular provider is DORA-compliant before entering into a relationship with it. A useful tool for this purpose is the material prepared by the supervisory authorities, namely questionnaires on the third-party risk management associated with the use of ICT in a financial entity. These ICT supplier surveys help ensure that financial entities adhere to the requirements set out by DORA.
For example:
- BaFin (Germany) has developed specific guidelines and questionnaires for financial institutions to assess their compliance with DORA.
- AMF (France) has issued detailed questionnaires to help financial entities report their ICT provider agreements and compliance status.
- CSSF (Luxembourg) has prepared similar resources to assist financial institutions in meeting DORA requirements.
- Bank of Italy (Banca d’Italia) has issued specific guidelines and questionnaires to help financial institutions assess their compliance with DORA.
- Financial Conduct Authority (FCA, UK): although the UK is no longer part of the EU, the FCA has developed similar questionnaires to ensure financial entities comply with the UK’s own operational resilience regulations, which are aligned with DORA principles.
- De Nederlandsche Bank (DNB, Netherlands) has prepared detailed questionnaires for financial institutions to report on their ICT provider agreements and compliance status.
- Central Bank of Ireland has also issued questionnaires and guidelines to assist financial entities in meeting DORA requirements.
The supervisory authorities prepared this material for the sector representatives who must report to them on their level of compliance with the regulation. Because DORA applies to ICT providers at the same time, you can use this material as a questionnaire for ICT providers. It is worth adapting the document to your organization and adopting it as a standard in your cooperation with providers. Whatever form you choose, keep its purpose in mind: an effective questionnaire lets you translate its results into compliance tasks and map the supplier to the assets and processes it supports.
Form of contract
It is necessary to clearly and precisely define all rights and obligations of both the ICT provider and the financial entity. The contract must be available in paper form or in another accessible and durable format that allows stakeholders to easily download its contents. Such accessibility is intended to increase transparency, facilitate access to critical information, and comply with legal and industry practices.
Service description and service delivery principles
The ICT service provider shall provide a complete and unambiguous description of all ICT functions and services to be delivered under the contract. This description must cover both key functions and specific services, so that the financial entity’s staff who will operate the services have a full understanding of their scope. The contract should include detailed service level agreements (SLAs), focusing on specific criteria such as upgrades and revisions. Special attention should be paid to critical or important functions, specifying their key parameters and expected performance levels. This should include documented update procedures, response times and any corrective actions for critical or important functions, to ensure the continuity and reliability of the services provided. This secures the quality and consistency of the services and defines the objectives to be met by the contracting parties.
Monitoring of services and communication with the supplier
The frequency of monitoring of services provided by critical third-party providers should be established to ensure ongoing evaluation of the performance of ICT systems and functions. In addition, it is necessary to clearly indicate which functions are considered critical or important, requiring special attention and immediate response. Shorter monitoring periods should be specified for these functions, and a process should be established for immediate notification of any deviations from the norm.
Contract termination
The financial entity must ensure within the contractual provisions that it has the option to terminate the contract, especially in the event of serious violations, identified risks, ICT weaknesses, or supervisory problems.
Clear reporting procedures should be provided for situations involving serious violations of the contract, and the possible sanctions for the party at fault should be described. The contract must carefully define termination conditions and exit strategies, providing clear guidelines for both parties in the event of termination. The purpose of these provisions is to ensure a smooth termination process.
The exit strategy should describe the steps for a smooth termination of the contract and services. This includes the transfer of data, access to resources and protection against loss of functionality. The service exit process should include specific steps to be taken in such a situation, including notice procedures and consultation between both parties.
Subcontractors
The contract must explicitly state whether the ICT provider has the right to use subcontractors for critical or important functions. If the contract permits such a chain of service provision, the terms and conditions for working with subcontractors should be described. These include both the criteria under which subcontractors may be involved and the safeguards ensuring that standards and contractual obligations are maintained regardless of subcontractor involvement. This allows the supplier flexibility while ensuring that quality and security are maintained for critical or important functions.
Audit rights of the financial entity and cooperation with supervision
The financial entity must contractually secure full rights to monitor the ICT provider, including both inspections and audits to assess compliance with the contract and industry standards. The provider agrees to cooperate fully with any inspections conducted by the supervisory authorities, including providing full access to the information and resources necessary to conduct them. This enables the financial institution to effectively monitor and ensure that the services provided meet regulatory requirements and are of the highest standard.
Physical location
The contract must specify the location where the ICT services will be provided. The provider must commit to providing information on the physical location, infrastructure and all related aspects, giving the financial institution full transparency about the environment in which the ICT services will be delivered. In addition, the financial entity must secure a provision that obligates the provider to give notice of any planned change of location. This allows the entity to prepare for and adapt to possible impacts on the services provided.
Data security
Another area that should be addressed in the contract is data security, covering the availability, authenticity, integrity and confidentiality of the data entrusted to the provider. These provisions are designed to ensure full protection of the financial entity’s customer data and to eliminate the potential risk of breaches within the provider’s ICT environment. In addition, the contract must address access issues, disaster recovery procedures, and data return policies for the various situations that may arise.
Business continuity and operational digital resilience
The financial entity must include a contingency plan and ICT security measures in the contract, bearing in mind the critical or important functions supported by the ICT third-party provider. The provider must commit to maintaining high operational digital resilience through effective countermeasures in the event of disruption or failure of ICT systems. In addition, the contract should include a commitment by the supplier to provide support in the event of ICT incidents, including proactive assistance to quickly restore ICT services to operation.
Cooperation with competent authorities
The contract should include provisions for cooperation with competent authorities. The ICT provider must commit to full cooperation and compliance with all requirements of the regulatory authorities, including the reporting, audits and other activities required by applicable regulations. To help organizations implement DORA, the European Supervisory Authorities (ESAs) are conducting a public consultation on policy mandates under the Digital Operational Resilience Act (DORA).