Contents
- Minimum contractual clauses
- 1. Scope and structure of the Annex
- 2. Core domains of the mandatory clauses
- 3. Additional requirements for Critical or Important Functions (CIF)
- 4. Subcontracting obligations (draft RTS SUB)
- 5. Strategic implications for your organisation
- Minimum contractual clauses
Minimum contractual clauses
1. Scope and structure of the Annex
The Annex contains a tabular enumeration of all contractual elements required under:
- Art. 30(1)–(3) DORA
- RTS TPPol (Art. 3–9)
- draft RTS SUB (Art. 1–7)
It is divided into the following thematic areas:
- Form requirements
- ICT service description
- Location obligations
- Information security & data access
- Assistance in ICT incidents
- Cooperation with authorities
- Termination rights
- Training obligations
- Service levels & performance targets (CIF only)
- Reporting duties (CIF only)
- Business Continuity (CIF only)
- Security measures (CIF only)
- TLPT participation (CIF only)
- Monitoring rights (CIF only)
- Audit & information access rights (CIF only)
- Exit strategies (CIF only)
- Legal-basis-related clauses from Art. 1(1)(a) DORA
- Monitoring & KPIs (CIF only)
- Subcontracting (draft RTS SUB)
The table tags clauses that apply only to critical or important functions with an X in the “Critical or important functions only” column; the two right-most columns note whether a clause is relevant for entities under the simplified framework of Art. 16 DORA and for micro-enterprises.
2. Core domains of the mandatory clauses
2.1 Form requirements
(Page 31)
Mandatory for all contracts:
- Written contract, permanently accessible (Art. 30(1) DORA).
- Service Level Agreements must be part of one consolidated written document.
- Significant changes must be formally documented with:
- date
- signature
- explicit renewal process (Art. 8(4) RTS TPPol).
Impact:
This prohibits fragmented SLAs, email-based scope updates, and “living documents.”
2.2 ICT service description
(Pages 31–32)
Contracts must include:
- Full and clear description of all ICT services and functions (Art. 30(2)(a)).
- Service levels, incl. updates & revisions (Art. 30(2)(e)).
- For CIF services:
- Precise quantitative and qualitative performance targets (Art. 30(3)(a)).
Impact:
Procurement must require providers to produce SLAs with measurable, testable metrics.
2.3 Location obligations
(Pages 31–32)
Contracts must specify:
- The locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are provided and where data is processed, including the storage location (Art. 30(2)(b)).
- Provider must notify the financial entity in advance if it envisages changing any of these locations.
Impact:
Cloud providers must name the actual regions or countries, including storage locations, in the contract itself, and a relocation without prior notice is a contractual breach.
2.4 Information security & data access
(Page 32)
For all ICT services:
- Clauses on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data (Art. 30(2)(c)).
- Rights ensuring access, recovery and return of personal and non-personal data in an easily accessible format:
- in case of insolvency
- in case of resolution
- in case of discontinuation of the provider’s business operations
- on termination of the contract
(Art. 30(2)(d)).
This is a strong data-access and portability requirement: the financial entity must be able to get its data back in a usable format even when the provider fails or the relationship ends.
2.5 ICT incident handling
(Page 32)
Provider must:
- Assist the financial entity when an ICT incident related to the provided service occurs, at no additional cost or at a cost determined ex-ante (Art. 30(2)(f)).
2.6 Cooperation with authorities
(Page 32)
Contracts must mandate:
- Full cooperation with the financial entity’s competent authorities and resolution authorities, including persons appointed by them (Art. 30(2)(g)).
- For CIF services, the RTS TPPol additionally requires cooperation with the competent authorities and effective access to data and premises for the financial entity, its auditors and the competent authorities (Art. 3(8)(c)–(d) RTS TPPol).
2.7 Termination rights
(Pages 32, 36–37)
Includes:
- Termination rights and related minimum notice periods, in accordance with the expectations of competent and resolution authorities (Art. 30(2)(h)).
- Termination triggers that must be contractually secured (Art. 28(7)):
- significant breach of applicable law, regulation or contractual terms (a)
- circumstances identified during monitoring that could alter the performance of the contracted functions, including material changes affecting the provider (b)
- evidenced weaknesses in the provider’s overall ICT risk management, in particular regarding availability, authenticity, integrity and confidentiality of data (c)
- the competent authority can no longer effectively supervise the financial entity as a result of the arrangement (d)
Impact:
These triggers apply to all ICT service contracts, not only CIF ones, and must be written into the contract; they are not a negotiable concession.
2.8 Training obligations
(Page 32)
The contract must set the conditions for the provider’s participation in the financial entity’s:
- ICT security awareness programmes
- Digital operational resilience training (Art. 30(2)(i), with reference to Art. 13(6))
This is a new obligation; for Art. 16 entities it applies according to needs and ICT risk profile, since Art. 13(6) does not apply to them.
3. Additional requirements for Critical or Important Functions (CIF)
These are the majority of the Annex clauses.
3.1 Service level precision & reporting obligations (CIF)
(Pages 32–33)
Provider must:
- Provide full service level descriptions with precise quantitative and qualitative performance targets, so that the financial entity can monitor the service effectively and take corrective action without undue delay when service levels are not met (Art. 30(3)(a)).
- Observe agreed notice periods and reporting obligations towards the financial entity, including notification of any development that might materially affect its ability to provide the CIF-supporting services in line with agreed service levels (Art. 30(3)(b)).
3.2 Business continuity (CIF)
(Page 33)
Provider must:
- Implement & test business contingency plans (Art. 30(3)(c)).
3.3 ICT security measures (CIF)
(Page 33)
Provider must:
- Have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity, in line with the entity’s regulatory framework (Art. 30(3)(c)).
3.4 TLPT cooperation (CIF)
(Page 33)
Provider must:
- Participate and fully cooperate in the financial entity’s Threat-Led Penetration Testing (TLPT) under Arts. 26 and 27 (Art. 30(3)(d)).
This is particularly impactful for cloud providers, whose shared infrastructure is in scope of the test; pooled TLPT organised jointly with other customers of the same provider is an explicitly recognised option (Art. 8(2)(b) RTS TPPol).
3.5 Monitoring & audit rights (CIF)
(Pages 33–35)
The contract must guarantee:
Monitoring
- The right to monitor the provider’s performance on an ongoing basis (Art. 30(3)(e)).
Audit & access
- Unrestricted rights of access, inspection and audit for the financial entity (or an appointed third party) and for the competent authority, including the right to take copies of relevant documentation on-site (Art. 30(3)(e)(i)).
- These rights must not be impeded or limited by other contractual arrangements or implementation policies.
- Provider must fully cooperate during on-site inspections and audits performed by the competent authorities, the Lead Overseer, the financial entity or an appointed third party (Art. 30(3)(e)(iii)).
- Provider must provide details on the scope, procedures and frequency of such inspections and audits (Art. 30(3)(e)(iv)).
Alternative assurance
- Alternative assurance levels may be agreed only where other clients’ rights are affected (Art. 30(3)(e)(ii)).
- Micro-enterprises may delegate their access, inspection and audit rights to an independent third party appointed by the provider (Art. 30(3), last sub-paragraph).
Multiple audit paths (Art. 8(2) RTS TPPol)
- Internal audit or audit by an appointed third party
- Pooled audits and pooled ICT testing, incl. TLPT, organised jointly with other customers of the same provider
- Third-party certifications
- Internal or third-party audit reports made available by the provider
Where the entity relies on certifications or provider-supplied audit reports, it must retain the contractual right to request extensions of their scope to other relevant systems and controls, and to perform individual and pooled audits at its own discretion (Art. 8(3)(g)–(h) RTS TPPol).
3.6 Exit rights (CIF)
(Page 35)
Must include exit strategies and, in particular, a mandatory adequate transition period (Art. 30(3)(f)):
- During the transition period the provider continues providing the functions or ICT services, to reduce the risk of disruption or to ensure effective resolution and restructuring (Art. 30(3)(f)(i)).
- The financial entity can migrate to another provider or change to an in-house solution, consistent with the complexity of the service (Art. 30(3)(f)(ii)).
3.7 Legal-basis-related clauses (CIF)
(Pages 35–36)
Via Art. 8(1) RTS TPPol, the contract must also cover, as appropriate, the requirements of Art. 1(1)(a) DORA and other relevant Union and national law:
- ICT risk management (i)
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (ii)
- Reporting of major operational or security payment-related incidents (iii)
- Digital operational resilience testing, incl. TLPT (iv)
- Sharing of information and intelligence on cyber threats and vulnerabilities (v)
- Sound management of ICT third-party risk (vi)
These clauses keep the contract aligned with the full scope of Art. 1(1)(a) DORA; for Art. 16 entities and micro-enterprises they do not apply, since Art. 8(1) RTS TPPol is not applicable to them.
3.8 KPIs & corrective measures (CIF)
(Page 36)
Contracts must specify (Art. 9(1) RTS TPPol):
- Measures and key indicators for ongoing monitoring of the provider’s performance, including compliance with confidentiality, availability, integrity and authenticity requirements and with the entity’s relevant policies and procedures
- Measures that apply when service levels are not met
- Contractual penalties where appropriate
This is new vs. BAIT/MaRisk.
4. Subcontracting obligations (draft RTS SUB)
(Pages 37–39)
Covers subcontracting chains for ICT services that support CIF or material parts thereof.
Key obligations:
- The contract must identify which CIF-supporting ICT services may be subcontracted and under which conditions (Art. 4(1) RTS SUB; admissibility also under Art. 30(2)(a) DORA).
- Provider remains responsible for the services delivered by subcontractors, must monitor all subcontracted CIF services, and owes the entity monitoring and reporting obligations regarding those subcontractors (Art. 4(1)(a)–(c)).
- Provider must assess all risks associated with the location of current or potential subcontractors, their parent companies and the place of service delivery; the contract states where subcontractors process and store data (Art. 4(1)(d)–(e)).
- Subcontractor contracts must:
- specify the ICT security standards and any additional security requirements (Art. 4(1)(i))
- grant the financial entity and the competent and resolution authorities the same access, inspection and audit rights as the provider (Art. 3(1)(d), Art. 4(1)(j))
- contain business contingency plan requirements and service levels, and ensure continuity throughout the chain if a subcontractor fails (Art. 4(1)(g)–(h))
- enable the financial entity to comply with its own obligations under DORA and applicable law (Art. 3(1)(c))
- No material changes to subcontracting arrangements before the end of the notice period without the entity’s approval; the entity may object and require modifications.
- Termination rights where material changes are implemented despite an objection, where they are implemented before the end of the notice period without approval, or where a CIF-supporting service is subcontracted without explicit contractual permission (Art. 6(1)(a)–(c)).
Impact:
Cloud and SaaS providers must disclose their subcontractors, locations and security posture in far more detail than under earlier outsourcing regimes, and flow the entity’s audit and continuity rights down the whole chain.
5. Strategic implications for your organisation
5.1 Contracts must be rewritten—not amended
Because DORA requires:
- unified documents
- precision SLAs
- lifecycle-consistent obligations
- subcontracting transparency
Providers’ boilerplates are almost certainly non-compliant.
5.2 Procurement & Legal must redesign the entire contract lifecycle
Required:
- New contract templates
- Mandatory risk-analysis attachments
- New supplier due-diligence questionnaires
- Contractual subcontractor registries
5.3 Legacy contracts
No grandfathering.
RTS TPPol Art. 3(1) requires:
- documented implementation timeline
- implementation as soon as possible
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management
Minimum contractual clauses
| Area | Contractual clause | Location | Excerpt from the legal text | Critical or important functions only | Relevant for Art. 16 DORA enterprises | Information for micro-enterprises |
|---|---|---|---|---|---|---|
| Form | Written, permanently accessible document | Art. 30 (1) DORA | The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format. | | X | |
| Form | Written document with date and signature for significant changes | Art. 8 (4) RTS TPPol | The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| ICT service description | Clear and complete description of all functions and ICT services | Art. 30 (2) (a) DORA | a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, […] | | X | |
| Subcontracting | Admissibility of subcontracting (“supporting critical or important functions or essential parts thereof”) and subcontracting conditions | Art. 30 (2) (a) DORA | […] indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting; | X | X | |
| Location | Locations (regions or countries) of processing, storage or provision | Art. 30 (2) (b) DORA | the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, […] | | X | |
| Location | Notification of intended change of location | Art. 30 (2) (b) DORA | […] and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations; | | X | |
| Security | Information security objectives and data protection | Art. 30 (2) (c) DORA | provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data; | | X | |
| Access to data | Ensuring access to data (e.g. in case of insolvency), restoration and return | Art. 30 (2) (d) DORA | provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements; | | X | |
| ICT service description | Descriptions of the service quality, including updates and revisions | Art. 30 (2) (e) DORA | service level descriptions, including updates and revisions thereof; | | X | |
| ICT incident | Assistance in an ICT incident, setting costs | Art. 30 (2) (f) DORA | the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs; | | X | |
| Supervision | Cooperation with competent authorities | Art. 30 (2) (g) DORA | the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them; | | X | |
| Termination | Termination rights and minimum notice periods in line with the expectations of the competent authorities | Art. 30 (2) (h) DORA | termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities; | | X | |
| Training | Participation in the financial entity’s awareness raising and training on ICT security and digital operational resilience | Art. 30 (2) (i) DORA | the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6). | | According to needs and ICT risk profile (see Art. 16 (1) (h) DORA), as Art. 13 (6) DORA is not applicable | |
| ICT service description | Full description of service quality with precise quantitative and qualitative performance targets (including updates and revisions) | Art. 30 (3) (a) DORA | full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met; | X | X | |
| Termination | Notice periods of the ICT third-party service provider | Art. 30 (3) (b) DORA | notice periods [...] of the ICT third-party service provider to the financial entity […]; | X | X | |
| Reporting | Reporting obligations of the ICT service provider | Art. 30 (3) (b) DORA | [...] reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels; | X | X | |
| BCM | Implement and test business contingency plans | Art. 30 (3) (c) DORA | requirements for the ICT third-party service provider to implement and test business contingency plans […] | X | X | |
| Security | ICT security measures (appropriate level of security, in line with the financial entity’s legal framework) | Art. 30 (3) (c) DORA | requirements for the ICT third-party service provider […] to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework; | X | X | |
| TLPT | TLPT participation and cooperation | Art. 30 (3) (d) DORA | the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27; | X | Not relevant as TLPT is not necessary | Not relevant as TLPT is not necessary |
| Monitoring | Right to continuously monitor the performance of the ICT third-party service provider | Art. 30 (3) (e) DORA | the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following: | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Inspection rights for financial entities and competent authorities, including the right to make copies | Art. 30 (3) (e) (i) DORA | unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Restriction of audit rights in case of rights of other customers are affected | Art. 30 (3) (e) (ii) DORA | the right to agree on alternative assurance levels if other clients’ rights are affected; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Full cooperation in on-site inspection and audit | Art. 30 (3) (e) (iii) DORA | the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Obligation to share information on audit planning | Art. 30 (3) (e) (iv) DORA | the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Exercise of audit rights by independent third parties in financial entities that are microenterprises | Art. 30 (3) last sub-paragraph DORA | By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time. | X | Option only exists for micro-enterprises | |
| Audit rights | Information access, inspection, audit, and ICT testing rights | Art. 8 (2) RTS TPPol | The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Audit by internal audit or appointed third party | Art. 8 (2) (a) RTS TPPol | its own internal audit or an audit by an appointed third party; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Pooled audit and testing, including TLPT | Art. 8 (2) (b) RTS TPPol | where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Third-party certifications | Art. 8 (2) (c) RTS TPPol | where appropriate, third-party certifications; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Audit by ICT third-party service provider internal audit | Art. 8 (2) (d) RTS TPPol | where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Expansion of the scope of testing/certification when using certifications or test reports provided by the service provider | Art. 8 (3) (g) RTS TPPol | has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Retention of audit rights when using certifications or test reports provided by the service provider | Art. 8 (3) (h) RTS TPPol | has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Exit | Exit strategies and a mandatory adequate transition period | Art. 30 (3) (f) DORA | exit strategies, in particular the establishment of a mandatory adequate transition period: | X | X | |
| Exit | Exit strategy ensuring continued provision of functions | Art. 30 (3) (f) (i) DORA | during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring; | X | X | |
| Exit | Exit strategy with adequate changeover option | Art. 30 (3) (f) (ii) DORA | allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided. | X | X | |
| Supervision | Cooperation with competent authorities | Art. 3 (8) (c) RTS TPPol | The policy shall explicitly specify that the contractual arrangements: […] are to require that the ICT third party service providers cooperate with the competent authorities; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Access to data | Access to data and premises | Art. 3 (8) (d) RTS TPPol | The policy shall explicitly specify that the contractual arrangements: [...] are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Other relevant contractual clauses | Relevant contractual clauses on requirements under Art. 1(1)(a) DORA and other relevant laws | Art. 8 (1) RTS TPPol | The policy shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Other relevant contractual clauses - risk management | ICT risk management | Art. 1 (1) (a) (i) DORA | [as appropriate, requirements applicable regarding] information and communication technology (ICT) risk management; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - ICT incident | Major ICT incident reporting | Art. 1 (1) (a) (ii) DORA | [as appropriate, requirements applicable regarding] reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - ICT incident | Major payment incident reporting | Art. 1 (1) (a) (iii) DORA | [as appropriate, requirements applicable regarding] reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d); | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - DOR testing | DOR testing | Art. 1 (1) (a) (iv) DORA | [as appropriate, requirements applicable regarding] digital operational resilience testing | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - cyber information sharing | Cyber information sharing | Art. 1 (1) (a) (v) DORA | [as appropriate, requirements applicable regarding] information and intelligence sharing in relation to cyber threats and vulnerabilities; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - risk management | Third-party risk management | Art. 1 (1) (a) (vi) DORA | [as appropriate, requirements applicable regarding] measures for the sound management of ICT third-party risk | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Monitoring | Measures and key indicators to monitor performance, information security requirements and the financial entity’s policies and process | Art. 9 (1) RTS TPPol | The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. [...] | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Monitoring | Measures for inadequate service quality | Art. 9 (1) RTS TPPol | […] The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Termination | Safeguarding contractual termination rights | Art. 28 (7) DORA | Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: | | X | |
| Termination | Right of termination in the event of significant breach of existing rules | Art. 28 (7) (a) DORA | significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms; | | X | |
| Termination | Right of termination in circumstances capable of altering the performance | Art. 28 (7) (b) DORA | circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider; | | X | |
| Termination | Right of termination in the event of evidence of weaknesses in ICT risk management of the ICT third-party service provider | Art. 28 (7) (c) DORA | ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data; | | X | |
| Termination | Right of termination where the competent authority can no longer effectively supervise the financial entity | Art. 28 (7) (d) DORA | where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement. | | X | |
| Subcontracting - Termination | Termination rights in connection with subcontracting | Art. 6 (1) RTS SUB | The financial entity shall have the right to provide in the contractual arrangement with the ICT third-party service provider that the contractual arrangement is to terminate in each of the following cases: | X | X | |
| Subcontracting - Termination | Termination rights when implementing material changes to subcontracting without consent | Art. 6 (1) (a) RTS SUB | the financial entity has objected to material changes to the subcontracting arrangements supporting critical or important functions and requested for modifications to those arrangements, but the ICT third-party service provider has nevertheless implemented those material changes; | X | X | |
| Subcontracting - Termination | Termination rights when implementing material changes to subcontracting without consent | Art. 6 (1) (b) RTS SUB | the ICT third-party service provider has implemented material changes to subcontracting arrangements supporting critical or important functions or material parts thereof before the end of the notice period without approval by the financial entity; | X | X | |
| Subcontracting - Termination | Termination rights in case of a not explicitly permitted subcontracting of critical or important functions | Art. 6 (1) (c) RTS SUB | the ICT third-party service provider subcontracts an ICT service that supports a critical or important function or material part thereof not explicitly permitted to be subcontracted by the contract between the financial entity and the ICT third-party service provider. | X | X | |
| Subcontracting | Obligation to replicate relevant contract clauses in case of subcontracting | Art. 3 (1) (c) RTS SUB | the ICT third-party service provider ensures that the contractual arrangements with the subcontractors that provide ICT services that support critical or important functions or material parts thereof enable the financial entity to comply with its own obligations stemming from Regulation (EU) 2022/2554 and applicable Union and national legislation; | X | X | |
| Subcontracting - Audit rights & access to data | Obligation to grant the same inspection and access rights in case of subcontracting | Art. 3 (1) (d) RTS SUB | the subcontractor grants the financial entity and competent and resolution authorities the same contractual rights of access and inspection as those granted by the ICT third-party service provider; | X | X | |
| Subcontracting - Permission | Description and conditions under which subcontracting is permitted | Art. 4 (1) RTS SUB | The contractual arrangement concluded between the financial entity and the ICT third-party service provider shall identify which ICT services that support critical or important functions or material parts thereof are eligible for subcontracting and under which conditions. That contract shall specify: | X | X | |
| Subcontracting - Responsibility for the provision of services | ICT third-party service provider is responsible for the provision of the services provided by the subcontractors | Art. 4 (1) (a) RTS SUB | that the ICT third-party service provider is responsible for the provision of the services provided by the subcontractors; | X | X | |
| Subcontracting - Monitoring | Monitoring obligation with regard to the subcontracting of critical or important functions | Art. 4 (1) (b) RTS SUB | that the ICT third-party service provider is required to monitor all subcontracted ICT services that support critical or important functions or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met; | X | X | |
| Subcontracting - Monitoring and reporting obligations | Monitoring and reporting obligations towards the financial entity | Art. 4 (1) (c) RTS SUB | the monitoring and reporting obligations of the ICT third-party service provider towards the financial entity regarding subcontractors that provide ICT services that support critical or important functions or material parts thereof; | X | X | |
| Subcontracting - Risk assessment | Assessment of all risks (incl. location-related ICT-risks) | Art. 4 (1) (d) RTS SUB | that the ICT third-party service provider is to assess all risks associated with the location of the current or potential subcontractors that provide ICT service that support critical or important functions or material parts thereof, and their parent company and with the location where the ICT service concerned is provided from; | X | X | |
| Subcontracting - Location | Data processing and storage location of subcontracted ICT services | Art. 4 (1) (e) RTS SUB | the location of data processed or stored by the subcontractor, where relevant; | X | X | |
| Subcontracting - Monitoring and reporting obligations | Specification of the monitoring and reporting obligations of the subcontractor | Art. 4 (1) (f) RTS SUB | that the ICT third-party service provider is to specify in its contract with its subcontractors the monitoring and reporting obligations of that subcontractor towards the ICT third-party service provider, and where agreed, towards the financial entity; | X | X | |
| Subcontracting - BCM | Obligation of continuous service provision at the ICT subcontractor | Art. 4 (1) (g) RTS SUB | that the ICT third-party service provider is to ensure the continuity of the ICT services that support critical or important functions throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations; | X | X | |
| Subcontracting - BCM | Obligation of business contingency plans at the ICT subcontractor | Art. 4 (1) (h) RTS SUB | that the contractual arrangement between the ICT third-party service provider and its subcontractors contains the requirements on business contingency plans referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554 and specifies the service levels to be met by the ICT subcontractors in relation to those plans; | X | X | |
| Subcontracting - Security | ICT security standards of the subcontractor | Art. 4 (1) (i) RTS SUB | that the contractual arrangement between the ICT third-party service provider and its subcontractors specifies the ICT security standards and any additional security requirements referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554; | X | X | |
| Subcontracting - Audit rights & access to data | Granting of comparable audit, information and access rights | Art. 4 (1) (j) RTS SUB | that the subcontractor is to grant to the financial entity and relevant competent and resolution authorities the same rights of access, inspection, and audit as those referred to in Article 30(3), point (e), of Regulation (EU) 2022/2254; | X | X | |
| Subcontracting - Sufficient advance notice | Obligation to notify material changes to subcontracting arrangements | Art. 4 (1) (k) RTS SUB | that the ICT third-party service provider is to notify the financial entity of any material change to subcontracting arrangements; | X | X | |
| Subcontracting - Termination | Termination rights of the financial entity according to article 6 | Art. 4 (1) (l) RTS SUB | that the financial entity has the right to terminate the contract with the ICT third-party service provider when the conditions laid down in either Article 6 of this Regulation or the conditions laid down in Article 28(7) of Regulation (EU) 2022/2554 have been fulfilled. | X | X | |
| Subcontracting - Notification obligation | Obligation to provide information about any intended material changes in subcontracting | Art. 5 (1) RTS SUB | The contractual arrangement shall provide that the ICT third-party service provider shall inform the financial entity about any intended material changes to its subcontracting arrangements well in time to enable the financial entity to assess: (a) the impact on the risks it is or might be exposed to; (b) whether such material changes might affect the ability of the ICT third-party service provider to meet its contractual obligations vis-a-vis the financial entity. | X | X | |
| Subcontracting - Sufficient advance notice | Sufficient notice period in case of material changes in subcontracting | Art. 5 (2) RTS SUB | The contractual arrangement shall contain a reasonable notice period by which the financial entity is to approve or object to the changes. | X | X | |
| Subcontracting - Right to object | No changes to subcontracting during the notification period or without consent | Art. 5 (3) RTS SUB | The ICT third-party service provider shall only implement the material changes to its subcontracting arrangements after the financial entity has either approved or not objected to the changes by the end of the notice period. | X | X | |
Source: https://www.bafin.de/SharedDocs/Downloads/DE/Anlage/dl_Mindestvertragsinhalte_DORA_DE_EN.html