
DORA Art. 30 mandatory contract clauses: checklist for ICT contracts

DORA Art. 30 lists the mandatory contract clauses that must appear in every ICT contract of an EU financial entity since 17 January 2025. Critical or important functions require additional extended clauses under Art. 30(3). In practice this collides with the standard T&Cs of large cloud providers. Here is a pragmatic checklist of what is mandatory and where to negotiate.

When Art. 30 applies

Art. 30 applies to any ICT services contract between a financial entity and an ICT third-party service provider. ICT services are broadly defined: SaaS, IaaS, PaaS, MDR, advisory with system access, outsourcing.

Obligations scale with function criticality: normal functions need baseline clauses, critical or important functions require the extended clauses under Art. 30(3).

Criticality is classified by the financial entity itself and reviewed by the supervisor.

Baseline clauses for normal functions

Clear description of services with functional and non-functional characteristics.

Location of data storage and processing, including sub-locations via sub-contractors.

Service-level agreements with availability, response time, recovery time.

Data-processing terms including security measures.

Termination provisions, minimum term, notice periods, agreed cooperation obligations.

Audit rights for the financial entity and its supervisor.

Provider obligation to notify the financial entity of any sub-outsourcing.

Extended clauses for critical or important functions

Full audit rights: on-site inspections, audits by independent third parties, audits by the competent authority. Provider-imposed limits (e.g. a cap of two audits per year) are sensitive from a supervisory standpoint.

Sub-outsourcing control: prior notification of any change to sub-contractors, veto right for critical functions, mandatory clauses cascading down the supply chain.

Tested exit strategy: documented exit plan with appropriate transition periods (typically 12-24 months), regularly tested, with migration support by the provider.

Incident reporting obligations: immediate notification of the financial entity when an incident affects services or data, with all information needed for DORA reporting to the authority.

Cooperation with supervisors: active participation in audits, on-site access for supervisors where required, data and documentation provision.

Where negotiations fail

Audit rights: large cloud providers often refuse unlimited audit rights and offer standardised audit reports (SOC 2, ISO 27001, C5). BaFin accepts hybrid models but reserves the right to require on-site reviews case by case.

Sub-outsourcing: providers want flexible sub-contractor chains; financial entities need veto rights. Consensus: pre-notification, and no change of sub-contractors for critical functions without approval.

Exit strategy: standard T&Cs often quote 30-day notice without migration support. That is not enough; renegotiate to 12-24 months with documented migration steps and a data-export guarantee.

Data residency: a blanket 'data in the EU' clause is not enough; require a list of processing locations, the sub-storage locations, and control over sub-processing in third countries.

Pragmatic playbook

1. Inventory: which contracts are in scope, and which functions are critical or important vs. normal.

2. Gap analysis per contract: which clauses are in place, which are missing, which are insufficient.

3. Prioritisation: critical functions first, then important, then normal.

4. Negotiation strategy: prepare standard clause packs (sample texts from AFME, ISDA, EBF). Negotiate directly with smaller providers; with hyperscalers, usually via a DORA addendum.

5. Decision memo per contract: documenting the Art. 28 due diligence assessment, the critical/important/normal classification, the clause mapping and the concentration-risk assessment.