‘DORA’ IMPACTS THE CONTRACTUAL AGREEMENTS BETWEEN FINANCIAL ENTITIES AND ICT SERVICE PROVIDERS
Introduction. Regulation (EU) 2022/2554 on the Digital Operational Resilience of the Financial Sector (“DORA”) imposes certain obligations on financial entities (“FEs”) regarding their contractual relationships with Information and Communication Technology third-party service providers (“ICT Providers”). These obligations are structured across four levels: a) pre-contractual obligations, b) content of contractual arrangements, c) monitoring and reporting obligations, and d) adoption of a specific policy regarding contractual arrangements on the use of ICT services supporting “critical or important functions.”
A “critical or important function” refers to a function whose disruption would materially impair the financial performance of the FE, the soundness or continuity of its services and activities, or the compliance of the FE with the conditions of its authorization or other obligations under applicable financial services law.
Article 28 of DORA outlines general principles for ICT third-party risk management, and Article 30 specifies key contractual provisions that must be included in agreements between FEs and ICT Providers.
A. Pre-Contractual Obligations
I. Before entering a contractual agreement for ICT services, FEs shall:
- Assess whether the contractual arrangement involves ICT services supporting a critical or important function;
- Evaluate whether supervisory conditions for contracting are met;
- Identify and assess all relevant risks (e.g., concentration risk);
- Conduct due diligence;
- Identify and assess conflicts of interest arising from the contractual arrangement.
II. FEs must inform the competent authority promptly about planned contractual arrangements involving ICT services supporting critical or important functions as well as when a function becomes critical or important.
B. Key Contractual Provisions
I. Contracts for ICT services must include the following minimum elements:
- A description of all functions and ICT services provided, indicating whether subcontracting of services supporting critical or important functions is permitted and under what conditions;
- The regions or countries where contracted or subcontracted services are provided, and where data is processed;
- Provisions addressing the availability, authenticity, integrity, and confidentiality of data, including personal data, as well as ensuring access, recovery, and return in cases of ICT Provider insolvency, resolution and discontinuation of operations, or contract termination;
- Service level descriptions;
- Obligation to provide assistance in case of ICT incidents related to the services provided;
- Obligation to fully cooperate with competent authorities;
- Termination rights;
- Conditions for the ICT Provider’s participation in the FE’s ICT security awareness program.
II. Contracts related to critical or important functions must also include:
- Full service level descriptions, including updates and precise performance targets;
- Notice periods and reporting obligations for the ICT Provider;
- Requirements for contingency plans, ICT security measures, tools, and policies;
- The right to monitor the ICT Provider’s performance, including unrestricted access, inspection, and audit rights;
- Exit strategies, particularly the establishment of a mandatory adequate transition period.
C. Monitoring and Reporting Obligations
FEs must maintain and update a Register of Information (“ROI”) for all ICT service contracts. They must provide the ROI or specified sections to competent authorities upon request, alongside any necessary information. FEs must not only monitor ICT Providers but also the entire subcontracting chain for critical functions.
European authorities have published final drafts of Implementing Technical Standards (ITS) for the ROI, applicable after their adoption by the EU Commission via Delegated Regulation.
FEs must report yearly to competent authorities on the number of new ICT service arrangements, categories of ICT Providers, contract types, and the services provided.
D. Policy on the Use of ICT Services Supporting Critical or Important Functions
Each FE must adopt and implement a policy on ICT services supporting critical functions as part of its ICT third-party risk strategy. This policy must comply with Commission Delegated Regulation (EU) 2024/1773 and must:
- Align with the FE’s size, risk profile, and operational complexity;
- Ensure due diligence of ICT Providers;
- Assign clear governance responsibilities and mandate regular reviews;
- Include provisions for audits, data access, and incident reporting;
- Establish mechanisms to monitor ICT Provider performance and enforce compliance;
- Define and test exit strategies to ensure continuity;
- Apply consistently across group entities while ensuring compliance with EU and national regulations.
Conclusion. DORA requires FEs to establish robust contractual agreements with ICT Providers. Both FEs and ICT Providers must adjust their organizational and operational practices to meet DORA’s requirements. As a first step, FEs must determine whether a service supports a critical or important function. Contracts must emphasize security standards, audit rights, exit strategies for continuity, and robust data handling provisions. Additionally, FEs must maintain an ROI, monitor ICT Provider relationships, and comply with reporting obligations.