DORApp Blog
DORA Fundamentals

DORA Contract Requirements for ICT Providers (2026)

M
ByMatevž Rostaher

DORA contracts are not just a procurement artifact. Under the Digital Operational Resilience Act (DORA), contractual arrangements with ICT third-party service providers (ICT TPPs) become a supervisory-facing control, because they underpin access, auditability, resilience obligations, and your ability to evidence ongoing oversight. This is why many financial entities struggle: legal clauses may exist, but the organization still cannot prove end-to-end governance across inventories, supplier risk assessments, and contract-linked operational controls.

This article explains what “mandatory clauses” typically means in practice for a what is dora implementation program, how to read DORA requirements alongside the RTS on contractual arrangements, and how to evaluate whether your current contracting and vendor governance approach is defensible in an audit or inspection.

Contents

  • What DORA requires for ICT contracts (and why it is operational)
  • DORA mandatory contractual clauses: a practical checklist
  • Subcontracting under DORA: what to contract for when the provider relies on sub-outsourcing
  • Negotiating DORA clauses with large ICT providers: common friction points and defensible compromises
  • Turning clauses into evidence: the operating model most institutions miss
  • Where Dorapp can fit: operationalizing third-party governance and audit readiness
  • How to evaluate your options (criteria that map to DORA)
  • Strengths and Challenges
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What DORA requires for ICT contracts (and why it is operational)

    DORA sets explicit expectations for how financial entities manage ICT third-party risk, including what must be covered in contractual arrangements with ICT TPPs. At a minimum, your contracts should support your ability to manage ICT risk across the full lifecycle: due diligence, ongoing monitoring, incident handling, business continuity, termination, and supervisory access.

    At a regulation level, the contracting obligation is primarily anchored in DORA Article 30 (general principles on ICT third-party risk management) and DORA Article 28 (oversight of critical ICT third-party service providers, where relevant). The details of “what must be in the contract” are further specified in the RTS on contractual arrangements. Supervisory expectations may also be influenced by joint guidance and Q&A from the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA).

    The practical implication is that “having the clause” is rarely enough. You typically need to show, for example, that audit rights are usable, access rights are operationally feasible, subcontractor transparency is maintained, and exit plans are realistic for the service in scope. This intersects directly with dora third party risk governance and how your institution defines and maintains an inventory of ICT services and dependencies.

    DORA mandatory contractual clauses: a practical checklist

    The RTS on contractual arrangements is where most teams translate DORA into contract templates and negotiation playbooks. Specific wording will depend on your service type (for example cloud, managed security, core banking outsourcing, SaaS, data providers) and your classification and risk profile. Still, the same “clause families” tend to appear repeatedly in supervisory reviews.

    1) Clear description of services and service locations

  • Precise scope of the ICT service, including what is included and excluded.
  • Where processing and storage occur (including relevant data locations).
  • Dependencies that are integral to delivery (for example specific platforms or components).

    • This usually ties directly to your dora register of information obligations and data quality. If your contract scope and your inventory do not match, your reporting and oversight narrative becomes fragile.

    2) Information security, resilience, and control expectations

  • Baseline ICT security requirements and expected control outcomes.
  • Availability, continuity, and resilience requirements (often reflected in service levels).
  • Obligations to support your digital operational resilience testing program, where applicable.

    • Many institutions already have security schedules, but under DORA these need to be demonstrably connected to risk ownership and ongoing oversight.

    3) Incident notification and cooperation

  • Notification duties and timelines aligned to your internal incident classification workflow.
  • Cooperation requirements, including evidence provision, root cause analysis, and remediation tracking.
  • Escalation and communication channels, including out-of-hours arrangements.

    • Be careful with “best efforts” language. Supervisors often expect notification and cooperation to be enforceable enough to support your major ICT-related incident reporting obligations (with thresholds defined in the relevant RTS).

    4) Access, audit, and information rights

  • Right to access relevant premises, systems, logs, and evidence, subject to proportionality and security constraints.
  • Audit rights (including third-party audits and pooled audits, depending on the context).
  • Obligations to provide information needed for oversight and for competent authorities when requested.

    • This is one of the most negotiated areas. The test is whether the clause is operationally usable for your institution, not whether it is theoretically present.

    5) Sub-outsourcing and supply chain transparency

  • Requirements for prior notification or approval for material subcontracting changes.
  • Obligations to maintain visibility into subcontractors relevant to the service.
  • Flow-down of key DORA-aligned obligations to subcontractors, where relevant.

    • This is closely tied to concentration risk management and supply chain mapping, especially for providers that rely on multiple upstream ICT vendors.

    6) Termination rights and exit support

  • Termination triggers linked to material breaches, persistent service issues, or supervisory direction.
  • Exit assistance, data portability, and transition support obligations.
  • Practical transition periods and responsibilities (including access to data and documentation).

    • Supervisors may challenge “paper exits” that are not feasible due to technical lock-in, lack of alternatives, or missing transition support commitments.

    7) Performance monitoring and reporting

  • Defined service levels and reporting obligations that enable ongoing monitoring.
  • Quality metrics and remediation timelines.
  • Governance mechanisms such as review meetings, service reporting cadence, and escalation routes.

    • These clauses matter because they are often the foundation for evidence that oversight is continuous, not a yearly questionnaire exercise.

    8) Data protection and confidentiality alignment

  • Confidentiality commitments and handling requirements.
  • Alignment with applicable data protection obligations (for example GDPR), where relevant.

    • DORA does not replace GDPR. You typically need both sets of obligations to align without contradictions.

    For broader context on how these obligations fit within the regulation’s structure, see digital operational resilience act dora and dora regulation explained.

    Subcontracting under DORA: what to contract for when the provider relies on sub-outsourcing

    Sub-outsourcing is where DORA contracting often breaks down in practice. Many ICT TPPs deliver services through layered supply chains, including cloud infrastructure providers, managed service partners, and specialized subcontractors. Under DORA, you are still expected to maintain effective oversight of the ICT service you rely on, including material changes in the provider’s subcontracting arrangements.

    What the regulation actually requires is not a blanket prohibition on subcontracting. Under DORA Article 30, contractual arrangements should specify whether subcontracting of ICT services supporting critical or important functions is permitted, and under what conditions. The European Supervisory Authorities (EBA, ESMA, EIOPA), through RTS, further specify elements you typically need to determine and assess when subcontracting is in scope, especially for ICT services supporting critical or important functions.

    Contract elements that usually matter most for sub-outsourcing controls

  • Clear definitions of what constitutes subcontracting (and what does not), and what counts as a “material” change, subject to your institution’s risk taxonomy.
  • Notification and, where appropriate, prior approval mechanics for material changes, including the information you must receive to assess impact on resilience and compliance.
  • Flow-down of relevant obligations to subcontractors, particularly around incident cooperation, security controls, audit support, and continuity measures, where feasible given the service model.
  • Right to obtain sufficient information to understand the relevant supply chain, not necessarily to map every dependency, but to maintain risk-based control over material upstream components.
  • Exit and transition feasibility where a subcontractor change affects the service materially, including continuity safeguards and your ability to maintain service integrity.

    • Here’s the thing: even strong subcontracting clauses can become “non-operational” if you do not define internally who assesses notifications, what information is required for a decision, and what the escalation path is when a provider cannot or will not provide adequate transparency. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified legal or regulatory counsel for institution-specific DORA compliance guidance.

    Negotiating DORA clauses with large ICT providers: common friction points and defensible compromises

    Many financial entities encounter a predictable negotiation pattern with large ICT providers. Providers may offer standardized terms, resist bespoke audit language, or redirect you to third-party assurance reports and “shared responsibility” statements. DORA does not require you to achieve identical language with every provider, but supervisors may expect you to demonstrate a risk-based negotiation outcome and a controlled exceptions process.

    Where negotiations typically get stuck

  • Audit and access rights: providers may restrict on-site audits, limit system-level access, or propose pooled audits and independent certifications as substitutes.
  • Incident notification timelines and content: providers may propose broad notification windows or vague language that does not support your internal major ICT-related incident process.
  • Sub-outsourcing transparency: providers may disclose only high-level subcontractor categories, or treat subcontractor identities as confidential.
  • Exit support: providers may offer generic termination assistance that does not address data portability, transition support, or realistic timelines for complex services.

    • What a “defensible compromise” often looks like under DORA

  • A documented position that ties each contested clause to a DORA obligation (for example auditability, incident cooperation, exit feasibility), and a rationale for any alternative control accepted.
  • Use of assurance artifacts (for example SOC reports, ISO certifications, third-party audit summaries) as supporting evidence, while being clear internally about what they do not cover and how gaps are addressed.
  • An explicit exceptions workflow with approvals, expiry dates where appropriate, and compensating controls that are owned and tracked, rather than informal “acceptance by email.”
  • Service scoping clarity: negotiating enhanced clauses for higher-risk or critical ICT services while keeping a baseline for lower-impact services, consistent with proportionality.

    • Consider this: in a supervisory conversation, it is usually easier to defend a clear risk-based outcome with traceable approvals than to defend an inconsistent mix of contracts where deviations are not visible, not governed, or not linked to risk treatment decisions. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified legal or regulatory counsel for institution-specific DORA compliance guidance.

    Turning clauses into evidence: the operating model most institutions miss

    A common supervisory pain point is the gap between legal documentation and operational control. Contracts may contain DORA-aligned clauses, but the financial entity cannot demonstrate that those rights and obligations are actively exercised and tracked. In most cases, the gap is caused by fragmented ownership across Legal, Procurement, Risk, Compliance, and IT/security.

    What “good” typically looks like

  • A maintained inventory of ICT services, mapped to internal functions and to the relevant ICT TPPs.
  • Risk assessments that reference the contract, the service scope, and the provider’s operational dependencies.
  • Ongoing monitoring artifacts (service reports, meeting minutes, remediation tickets, audit results) that are linked back to the service and provider record.
  • Clear sign-offs and review gates for key decisions (for example onboarding a high-risk provider, accepting residual risk, approving an exception).

    • Common failure modes (and how to detect them early)

  • Clause coverage without traceability: contract templates exist, but you cannot show which contracts include which clauses and which ones are exceptions.
  • Inconsistent vendor taxonomy: different teams use different naming and identifiers for the same provider or service, leading to reporting inconsistencies.
  • Questionnaire-only oversight: the institution collects periodic questionnaires but cannot show risk treatment, remediation tracking, or governance decisions.

    • This is also where correct scoping matters. Not every provider is an dora ict service provider in the way DORA uses the term, and not every contract needs the same depth of control. A defensible approach usually depends on criticality, service type, and risk.

    Where Dorapp can fit: operationalizing third-party governance and audit readiness

    Dorapp is positioned as a DORA-focused compliance platform for EU financial entities, with modular coverage aligned to DORA pillars. Based on current product documentation, Dorapp provides a Register of Information (ROI) module and a Third Party Risk Management (TPRM) module that can help structure and evidence ICT third-party oversight across the year.

    Practically, Dorapp’s documented capabilities that are relevant to DORA contracting and contractual oversight include:

  • DORApp ROI to manage Register of Information data and export DORA-compliant reports in XBRL format (per ESA taxonomy and technical requirements, as described in Dorapp documentation).
  • Automatic LEI validation and enrichment during record creation/import, supporting data consistency for providers and entities.
  • DORApp TPRM for questionnaire-driven information collection combined with review and approval workflow orchestration, integrated risk scoring and monitoring, and periodic reporting.
  • An “Execution Governance Engine” concept described in Dorapp documentation, emphasizing controlled workflows with review gates and sign-offs across modules.
  • Audit trail logging of record changes, workflow transitions, approvals, timestamps, and decision rationale.

    • If your primary DORA contracting challenge is proving that contractual obligations are operationalized (for example, consistent provider inventory, contract-to-service traceability, evidence of oversight decisions), these capabilities may reduce manual coordination effort and make audit preparation more repeatable.

    To evaluate fit, you can start by reviewing Dorapp’s core entry points: DORApp Modules and Book a Demo.

    Pricing context (as documented): Dorapp subscription is described as modular and charged by user seat. The first module for each user is documented at 200 EUR/user/month (excluding VAT), and additional modules at 100 EUR/user/month each (excluding VAT). A 14-day trial is available via Free Trial – 14 Days. You should confirm current pricing and module availability with Dorapp directly, especially where roadmap modules are involved.

    How to evaluate your options (criteria that map to DORA)

    Many financial entities can meet “contract clause coverage” using templates and legal playbooks. The harder part is building a sustainable control system across vendor inventory, contracting, risk assessment, and evidence production. When evaluating whether to rely on internal processes, a general GRC platform, external support, or a DORA-focused platform, focus on criteria that map to supervisory expectations under DORA.

    1) Regulatory alignment to DORA Article 30 and the RTS on contractual arrangements

  • Does your approach explicitly track clause requirements and exceptions for each ICT service and contract?
  • Can you show how contractual rights (audit, access, exit) are translated into executable procedures?
  • Is there a clear linkage between contracts, services, and risk assessments?

    • 2) Inventory quality and reporting readiness (Register of Information)

  • Can you maintain consistent provider identity data (for example LEI where applicable) and relationships across entities?
  • Can you produce audit-ready evidence of what data was reported, when, and under which approvals?
  • Do you have a repeatable process to reconcile contracting scope with ROI records?

    • 3) Third-party oversight beyond questionnaires

  • Do you capture risk decisions, residual risk acceptance, and remediation actions?
  • Are review gates and sign-offs enforced (maker-checker where appropriate)?
  • Can management obtain periodic oversight reporting without a manual “data chase”?

    • 4) Evidence traceability and audit trail

  • Can you show who changed what, when, and why for key records and decisions?
  • Do you have an auditable record of approvals for onboarding, exceptions, and escalations?
  • Is the evidence linked to the relevant service/provider and contract scope?

    • 5) Practical implementation and operating model fit

  • Can Legal, Procurement, Risk, and IT/security operate in one consistent workflow without duplicating records?
  • Does the approach scale across group entities while preserving entity-level accountability?
  • Is onboarding realistic given your current maturity and resource constraints?

    • A good internal benchmark is whether you can answer supervisory questions with traceable evidence within days, not weeks. If meeting that bar requires repeated manual consolidation, it is usually a signal that the operating model (not the legal clause set) is the constraint.

    Strengths and Challenges

    Strengths

  • Clear regulatory linkage: DORA’s contracting expectations are directly connected to third-party oversight and governance under DORA Article 30, which supports a structured compliance program.
  • Auditability focus: When implemented well, contractual rights (audit, access, information) can materially improve evidence quality and supervisory defensibility.
  • Operational resilience uplift: Exit support, incident cooperation, and subcontractor controls can reduce the operational impact of provider disruptions.
  • Improved cross-functional alignment: DORA contract work often forces Legal, Procurement, and ICT risk to converge on one risk-based approach.

    • Implementation Considerations

  • Negotiation constraints: Some ICT TPPs may resist audit/access language or offer standardized terms that require careful risk-based compromises.
  • Proving operationalization is harder than drafting clauses: Supervisors may expect evidence that rights are usable and exercised, not only written into contracts.
  • Supply chain transparency remains challenging: Sub-outsourcing and fourth-party mapping can be difficult to maintain, especially in complex cloud and managed service ecosystems.
  • Tooling and data quality can become the bottleneck: If service inventories, contract repositories, and risk assessments are not reconciled, reporting and oversight become inconsistent.

    • Frequently Asked Questions

    What is a “DORA contract” in practice?

    A “DORA contract” typically refers to an ICT service contract that includes the contractual provisions required by DORA Article 30 and the RTS on contractual arrangements. In practice, it is not a separate contract type. It is a contract whose clauses and operating procedures enable auditability, incident cooperation, subcontractor oversight, and exit feasibility for ICT services used by a financial entity.

    Are the contractual clauses identical for every ICT provider?

    Usually not. DORA is risk-based, and many institutions tailor clause depth based on service criticality, data sensitivity, and operational dependency. Still, supervisors may expect certain core clauses to appear consistently, especially for material ICT services. Your contracting playbook typically needs a baseline plus enhanced requirements for higher-risk or critical services.

    Do we need to renegotiate all existing ICT contracts?

    It depends on your gap analysis and contract renewal cycles. Many financial entities prioritize high-risk or critical ICT services first, then phase in remediation for the rest through renewals, addenda, or renegotiation events. You should align the remediation plan to your risk assessment methodology and be prepared to justify prioritization decisions to supervisors.

    How do contracts relate to the DORA Register of Information?

    The Register of Information (ROI) is an inventory-style obligation, while contracts are legal instruments. Supervisors may expect internal consistency between them, for example the service scope, provider identity, locations, and dependencies. If contract scope cannot be reconciled to ROI records, it can create reporting inaccuracies and weaken evidence of ongoing third-party oversight.

    What do supervisors usually look for beyond the clause text?

    Supervisors often look for operational evidence: how the financial entity monitors service performance, handles incidents with the provider, manages subcontractor changes, and executes exit planning. They may also assess whether audit/access rights are realistically exercisable, and whether exceptions are governed, approved, and documented with a defensible rationale.

    How should we handle subcontractors and fourth parties under DORA contracts?

    Most institutions implement notification and approval conditions for material sub-outsourcing changes, plus contractual flow-down obligations where feasible. The goal is not perfect transparency across every dependency, but a risk-based mechanism to identify and control material supply chain changes that could affect resilience, security, or compliance. The RTS provides more detailed expectations that you should verify.

    What is the main risk of relying on contract templates alone?

    The main risk is a “paper compliance” outcome. Templates may tick required clauses, but the institution still cannot demonstrate ongoing oversight, evidence production, and governance decision-making. Supervisory scrutiny tends to increase when the institution cannot show traceability between contracts, ICT services, risk assessments, and remediation actions over time.

    How can Dorapp support DORA contractual oversight without being a contract lifecycle tool?

    Dorapp is documented as a DORA-focused platform with ROI and TPRM modules, audit trails, and controlled workflows with review gates and sign-offs. Even if you keep contracts in a separate repository, Dorapp may help you maintain consistent service and provider records, link oversight activities to those records, run repeatable assessments, and produce audit-ready reporting artifacts for governance and regulators.

    When should we involve Legal counsel?

    Typically early. Contractual arrangements under DORA have legal and regulatory implications, including audit/access rights, termination triggers, liability, and data processing terms. Because enforceability and local law considerations vary, financial entities should involve qualified legal counsel to tailor clause language and negotiation positions, especially for high-risk or critical ICT services.

    What contracts does DORA apply to?

    DORA applies to contractual arrangements on the use of ICT services entered into by in-scope EU-regulated financial entities with ICT third-party service providers. In practice, this can include cloud services, software, data services, managed services, and outsourced ICT operations, subject to how the service supports your business functions. You should scope based on DORA definitions, your ICT service inventory, and your classification of services supporting critical or important functions, and confirm interpretation with qualified counsel where needed.

    Does DORA require “standard contractual clauses” or a specific contract template?

    DORA does not typically mandate a single, universal contract template. It sets required content areas and outcomes, primarily through DORA Article 30 and related RTS that specify what contractual arrangements should cover. Some organizations adopt internal standard clause libraries to speed remediation and enforce consistency, but you still need to tailor the clauses to the service, risk profile, and delivery model, and to confirm enforceability under applicable law.

    How do DORA contract clauses connect to incident reporting obligations?

    DORA contract clauses often provide the operational basis for your incident workflow: notification triggers, minimum content for incident notices, cooperation for investigation and remediation, and access to evidence. This matters because major ICT-related incident reporting under DORA depends on timely and reliable inputs from providers. The detailed classification criteria and timelines are specified in RTS and ITS developed by the ESAs, and practical implementation may differ by entity type and supervisory expectations.

    Can we rely on pooled audits, third-party certifications, or SOC reports instead of exercising audit rights?

    In many cases, pooled audits and independent assurance reports can be part of your evidence set, particularly where direct audits are impractical. The key is whether what you receive is sufficient for your risk profile and for demonstrating oversight in an audit or supervisory setting. Where assurance artifacts have scope gaps or timing limitations, financial entities typically document compensating controls and governance decisions, and may still require targeted audit or information rights for higher-risk services.

    Key Takeaways

  • DORA contractual clauses are a supervisory-facing control, not only a procurement artifact.
  • Core clause areas typically include audit/access, incident cooperation, sub-outsourcing transparency, and exit support.
  • Supervisors may challenge “paper compliance” where rights exist in theory but are not operationally exercised and evidenced.
  • Consistency between contracts, third-party risk assessments, and the Register of Information is a common audit focal point.
  • DORA-focused workflows, audit trails, and structured oversight reporting can reduce manual evidence production effort.

    • Conclusion

    DORA contract requirements are best treated as an operating model problem: you need legally sound clauses, but you also need repeatable oversight workflows, traceable approvals, and evidence that contractual rights are usable in practice. For many financial entities, the main implementation risk is fragmentation across systems and teams, leading to inconsistent inventories, untracked exceptions, and weak audit readiness.

    If you are formalizing ICT third-party oversight and want a DORA-specific way to structure ROI data, run ongoing TPRM workflows, and maintain audit trails, you can explore Dorapp’s approach through DORApp Modules and request a walkthrough via Book a Demo. A short demo is typically enough to assess whether the workflow and evidence model fits your institution’s DORA contracting reality.

    Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. DORA compliance obligations vary depending on the classification and size of your financial institution. Consult qualified legal or regulatory counsel to assess your specific obligations under the Digital Operational Resilience Act and applicable regulatory technical standards.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.