
Contents
- What do all ICT third-party service providers under DORA actually have to do?
- 1. Support a single written, durable and permanently accessible contract
- 2. Deliver ICT services exactly as described
- 3. Operate only in the approved locations
- 4. Notify the financial entity before any location change
- 5. Maintain information security
- 6. Guarantee continuous data access, recovery and return
- 7. Maintain service level descriptions (including updates and revisions)
- 8. Provide immediate assistance during ICT incidents
- 9. Cooperate fully with supervisors and authorities
- 10. Ensure termination readiness and minimum notice periods
- 11. Participate in training and awareness activities
- Important Regulatory Technical Standards (RTS)
- Minimum contractual clauses
What do all ICT third-party service providers under DORA actually have to do?
The Digital Operational Resilience Act (DORA) sets strict, harmonised rules for ICT third-party service providers working with European financial institutions. Formally, Art. 30 DORA addresses the financial entity: it must ensure that its contractual arrangements contain the elements listed there. The duties reach the provider through the contract, which is why the list below reads Art. 30(1) and (2) from the provider's side. The core question remains:
What do ICT service providers actually have to do, practically and operationally, every day?
1. Support a single written, durable and permanently accessible contract
Under Art. 30(1) DORA, providers must support and maintain:
- one single written contract (including SLAs),
- which is downloadable, durable and permanently accessible,
- and which contains all rights and obligations.
This means ICT providers must ensure that the contract, and every update to it, is kept in a downloadable, durable and accessible format, so that each version remains retrievable by both parties.
2. Deliver ICT services exactly as described
Under Art. 30(2)(a) DORA, the provider must deliver:
- all ICT services and functions,
- exactly as contractually defined,
- in a complete, unambiguous manner, every day.
This requires stable production operations, up-to-date documentation and reliable service delivery.
3. Operate only in the approved locations
Art. 30(2)(b) requires the contract to name:
- the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are provided,
- and where data is processed, including the storage location.
Providers must implement geographic controls accordingly: map data flows per service and data store, including those of subcontractors, and prevent deviation from the agreed locations.
4. Notify the financial entity before any location change
Under Art. 30(2)(b), providers must:
- notify the financial entity in advance of any change of data location or processing site.
This prevents unapproved data transfers and ensures regulatory compliance.
5. Maintain information security
DORA imposes a daily operational duty to uphold:
- availability,
- authenticity,
- integrity,
- confidentiality
in relation to the protection of data, including personal data (Art. 30(2)(c)).
Providers must operate secure ICT environments, enforce access controls, maintain patching, encryption and network protection.
6. Guarantee continuous data access, recovery and return
Under Art. 30(2)(d), ICT providers must ensure:
- access to the personal and non-personal data processed by the financial entity,
- recovery of that data,
- and its return in an easily accessible format,
in the event of the provider's insolvency, resolution or discontinuation of business operations, or on termination of the contract.
This requires tested backup routines, export tools and robust recovery processes that work even when the provider itself is winding down.
7. Maintain service level descriptions (including updates and revisions)
Per Art. 30(2)(e), providers must maintain:
- up-to-date service level descriptions,
- including revisions and updates,
- aligned with actual performance.
This must be reflected in daily operations and performance tracking.
8. Provide immediate assistance during ICT incidents
Under Art. 30(2)(f), providers must:
- support incident detection,
- assist with containment and investigation,
- help restore services,
- at no or pre-agreed cost.
This is not optional—incident cooperation is an enforceable operational duty.
9. Cooperate fully with supervisors and authorities
Art. 30(2)(g) requires providers to:
- fully cooperate with the competent authorities and resolution authorities of the financial entity, including persons appointed by them,
- answer supervisory requests and provide logs, data and documents,
- and, for ICT services supporting critical or important functions, cooperate during onsite inspections and audits (Art. 30(3)(e)).
This requires maintaining audit-ready documentation and technical access procedures.
10. Ensure termination readiness and minimum notice periods
Under Art. 30(2)(h), providers must:
- support termination processes,
- honour minimum notice periods,
- ensure data return and handover processes.
They must also maintain operational “exit readiness” at all times.
11. Participate in training and awareness activities
Per Art. 30(2)(i), ICT providers must:
- participate in ICT-security awareness training,
- engage in digital operational resilience training activities,
- cooperate in client-specific DORA programmes.
This requires ongoing staff involvement, not just a contractual promise.
Important Regulatory Technical Standards (RTS)
RTS TPPol: the regulatory technical standard specifying the content of the policy on contractual arrangements for ICT services supporting critical or important functions (mandated by Art. 28(10) DORA)
RTS SUB: the regulatory technical standard on subcontracting of ICT services supporting critical or important functions (mandated by Art. 30(5) DORA)
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management
Minimum contractual clauses
Additional information
This table contains an overview of the contractual clauses that must be agreed between the financial institution and the ICT third-party service provider in accordance with DORA or the RTS TPPol and RTS SUB.
Contractual elements that should ideally be agreed but are not explicitly listed in the legal texts are not included in this list.
Column E marks contractual requirements that are only necessary for ICT services supporting critical or important functions (cif).
Column F indicates requirements for financial entities in accordance with Article 16 DORA.
Information for microenterprises within the meaning of Article 3 no. 60 DORA is provided in column G; microenterprises may also fall under the simplified ICT risk management framework of Article 16 DORA. Exception: microenterprises that fall within the scope extension under section 1a (2a) KWG do not have to apply the ICT third-party risk management requirements referred to in sentence 2 no. 3 of that paragraph.
| A: Area | B: Contractual clause | C: Location | D: Excerpt from the legal text | E: Critical or important functions only | F: Relevant for Art. 16 DORA enterprises | G: Information for micro-enterprises |
|---|---|---|---|---|---|---|
| Form | Written, permanently accessible document | Art. 30 (1) DORA | The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format. | | X | |
| Form | Written document with date and signature for significant changes | Art. 8 (4) RTS TPPol | The policy shall ensure that material changes to the contractual agreement are to be formalised in a written document which is dated and signed by all parties and shall specify the renewal process for the contractual arrangements. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| ICT service description | Clear and complete description of all functions and ICT services | Art. 30 (2) (a) DORA | a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, […] | | X | |
| Subcontracting | Admissibility of subcontracting (“supporting critical or important functions or essential parts thereof”) and subcontracting conditions | Art. 30 (2) (a) DORA | […] indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting; | X | X | |
| Location | Locations (regions or countries) of processing, storage or provision | Art. 30 (2) (b) DORA | the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, […] | | X | |
| Location | Notification of intended change of location | Art. 30 (2) (b) DORA | […] and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations; | | X | |
| Security | Information security objectives and data protection | Art. 30 (2) (c) DORA | provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data; | | X | |
| Access to data | Ensuring access to data (e.g. in case of insolvency), restoration and return | Art. 30 (2) (d) DORA | provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements; | | X | |
| ICT service description | Descriptions of the service quality, including updates and revisions | Art. 30 (2) (e) DORA | service level descriptions, including updates and revisions thereof; | | X | |
| ICT incident | Assistance in an ICT incident, setting costs | Art. 30 (2) (f) DORA | the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs; | | X | |
| Supervision | Cooperation with competent authorities | Art. 30 (2) (g) DORA | the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them; | | X | |
| Termination | Termination rights and minimum notice periods in line with the expectations of the competent authorities | Art. 30 (2) (h) DORA | termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities; | | X | |
| Training | Participation in the financial entity's awareness-raising and training on ICT security and digital operational resilience | Art. 30 (2) (i) DORA | the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6). | | According to needs and ICT risk profile (see Article 16 (1) (h) DORA), as Article 13 (6) DORA is not applicable | |
| ICT service description | Full description of service quality with precise quantitative and qualitative performance targets (including updates and revisions) | Art. 30 (3) (a) DORA | full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met; | X | X | |
| Termination | Notice periods of the ICT third-party service provider | Art. 30 (3) (b) DORA | notice periods [...] of the ICT third-party service provider to the financial entity […]; | X | X | |
| Reporting | Reporting obligations of the ICT service provider | Art. 30 (3) (b) DORA | [...] reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels; | X | X | |
| BCM | Implement and test business contingency plans | Art. 30 (3) (c) DORA | requirements for the ICT third-party service provider to implement and test business contingency plans […] | X | X | |
| Security | ICT security measures (appropriate level of security, in line with the financial entity’s legal framework) | Art. 30 (3) (c) DORA | requirements for the ICT third-party service provider […] to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework; | X | X | |
| TLPT | TLPT participation and cooperation | Art. 30 (3) (d) DORA | the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27; | X | Not relevant as TLPT is not necessary | Not relevant as TLPT is not necessary |
| Monitoring | Right to continuously monitor the performance of the ICT third-party service provider | Art. 30 (3) (e) DORA | the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following: | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Inspection rights for financial entities and competent authorities, including the right to make copies | Art. 30 (3) (e) (i) DORA | unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Agreement on alternative assurance levels where the rights of other clients are affected | Art. 30 (3) (e) (ii) DORA | the right to agree on alternative assurance levels if other clients’ rights are affected; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Full cooperation in on-site inspection and audit | Art. 30 (3) (e) (iii) DORA | the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Obligation to share information on audit planning | Art. 30 (3) (e) (iv) DORA | the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits; | X | X | see Art. 30 (3) last sub-paragraph DORA |
| Audit rights | Exercise of audit rights by independent third parties in financial entities that are microenterprises | Art. 30 (3) last sub-paragraph DORA | By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time. | X | Option only exists for micro-enterprises | |
| Audit rights | Information access, inspection, audit, and ICT testing rights | Art. 8 (2) RTS TPPol | The policy shall specify that the relevant contractual arrangements are to include the right for the financial entity to access information, to carry out inspections and audits, and to perform tests on ICT. For that purpose, the policy shall require that the financial entity uses the following methods, without prejudice to the ultimate responsibility of the financial entity: | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Audit by internal audit or appointed third party | Art. 8 (2) (a) RTS TPPol | its own internal audit or an audit by an appointed third party; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Pooled audit and testing, including TLPT | Art. 8 (2) (b) RTS TPPol | where appropriate, pooled audits and pooled ICT testing, including threat-led penetration testing, that are organised jointly with other contracting financial entities or firms that use ICT services of the same ICT third-party service provider and that are performed by those contracting financial entities or firms or by a third party appointed by them; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Third-party certifications | Art. 8 (2) (c) RTS TPPol | where appropriate, third-party certifications; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Audit by ICT third-party service provider internal audit | Art. 8 (2) (d) RTS TPPol | where appropriate, internal or third-party audit reports made available by the ICT third-party service provider. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Expansion of the scope of testing/certification when using certifications or test reports provided by the service provider | Art. 8 (3) (g) RTS TPPol | has the contractual right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Audit rights | Retention of audit rights when using certifications or test reports provided by the service provider | Art. 8 (3) (h) RTS TPPol | has the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Exit | Exit strategies and a mandatory adequate transition period | Art. 30 (3) (f) DORA | exit strategies, in particular the establishment of a mandatory adequate transition period: | X | X | |
| Exit | Exit strategy ensuring continued provision of functions | Art. 30 (3) (f) (i) DORA | during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring; | X | X | |
| Exit | Exit strategy with adequate changeover option | Art. 30 (3) (f) (ii) DORA | allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided. | X | X | |
| Supervision | Cooperation with competent authorities | Art. 3 (8) (c) RTS TPPol | The policy shall explicitly specify that the contractual arrangements: […] are to require that the ICT third party service providers cooperate with the competent authorities; | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Access to data | Access to data and premises | Art. 3 (8) (d) RTS TPPol | The policy shall explicitly specify that the contractual arrangements: [...] are to require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the use of ICT services supporting critical or important functions. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Other relevant contractual clauses | Relevant contractual clauses on requirements under Art. 1(1)(a) DORA and other relevant laws | Art. 8 (1) RTS TPPol | The policy shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554. The policy shall also include elements regarding requirements referred to in Article 1(1), point (a), of Regulation (EU) 2022/2554, as well as other relevant Union and national law as appropriate. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Other relevant contractual clauses - risk management | ICT risk management | Art. 1 (1) (a) (i) DORA | [as appropriate, requirements applicable regarding] information and communication technology (ICT) risk management; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - ICT incident | Major ICT incident reporting | Art. 1 (1) (a) (ii) DORA | [as appropriate, requirements applicable regarding] reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - ICT incident | Major payment incident reporting | Art. 1 (1) (a) (iii) DORA | [as appropriate, requirements applicable regarding] reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d); | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - DOR testing | DOR testing | Art. 1 (1) (a) (iv) DORA | [as appropriate, requirements applicable regarding] digital operational resilience testing | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - cyber information sharing | Cyber information sharing | Art. 1 (1) (a) (v) DORA | [as appropriate, requirements applicable regarding] information and intelligence sharing in relation to cyber threats and vulnerabilities; | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Other relevant contractual clauses - risk management | Third-party risk management | Art. 1 (1) (a) (vi) DORA | [as appropriate, requirements applicable regarding] measures for the sound management of ICT third-party risk | X | Not relevant, as Art. 8 (1) RTS TPPol is not relevant | Not relevant, as Art. 8 (1) RTS TPPol is not relevant |
| Monitoring | Measures and key indicators to monitor performance, information security requirements and the financial entity’s policies and process | Art. 9 (1) RTS TPPol | The policy shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, integrity and authenticity of data and information, and the compliance of the ICT third-party service providers with the financial entity’s relevant policies and procedures. [...] | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Monitoring | Measures for inadequate service quality | Art. 9 (1) RTS TPPol | […] The policy shall also specify measures that apply when service level agreements are not met, including contractual penalties where appropriate. | X | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA | Not relevant, as the RTS TPPol is not applicable in accordance with Art. 28 (2) DORA |
| Termination | Safeguarding contractual termination rights | Art. 28 (7) DORA | Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances: | | X | |
| Termination | Right of termination in the event of significant breach of applicable rules | Art. 28 (7) (a) DORA | significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms; | | X | |
| Termination | Right of termination in circumstances capable of altering the performance | Art. 28 (7) (b) DORA | circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider; | | X | |
| Termination | Right of termination in the event of evidenced weaknesses in the ICT risk management of the ICT third-party service provider | Art. 28 (7) (c) DORA | ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data; | | X | |
| Termination | Right of termination where the competent authority can no longer effectively supervise the financial entity | Art. 28 (7) (d) DORA | where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement. | | X | |
| Subcontracting - Termination | Termination rights in connection with subcontracting | Art. 6 (1) RTS SUB | The financial entity shall have the right to provide in the contractual arrangement with the ICT third-party service provider that the contractual arrangement is to terminate in each of the following cases: | X | X | |
| Subcontracting - Termination | Termination rights when implementing material changes to subcontracting without consent | Art. 6 (1) (a) RTS SUB | the financial entity has objected to material changes to the subcontracting arrangements supporting critical or important functions and requested for modifications to those arrangements, but the ICT third-party service provider has nevertheless implemented those material changes; | X | X | |
| Subcontracting - Termination | Termination rights when implementing material changes to subcontracting without consent | Art. 6 (1) (b) RTS SUB | the ICT third-party service provider has implemented material changes to subcontracting arrangements supporting critical or important functions or material parts thereof before the end of the notice period without approval by the financial entity; | X | X | |
| Subcontracting - Termination | Termination rights in case of a not explicitly permitted subcontracting of critical or important functions | Art. 6 (1) (c) RTS SUB | the ICT third-party service provider subcontracts an ICT service that supports a critical or important function or material part thereof not explicitly permitted to be subcontracted by the contract between the financial entity and the ICT third-party service provider. | X | X | |
| Subcontracting | Obligation to replicate relevant contract clauses in case of subcontracting | Art. 3 (1) (c) RTS SUB | the ICT third-party service provider ensures that the contractual arrangements with the subcontractors that provide ICT services that support critical or important functions or material parts thereof enable the financial entity to comply with its own obligations stemming from Regulation (EU) 2022/2554 and applicable Union and national legislation; | X | X | |
| Subcontracting - Audit rights & access to data | Obligation to grant the same inspection and access rights in case of subcontracting | Art. 3 (1) (d) RTS SUB | the subcontractor grants the financial entity and competent and resolution authorities the same contractual rights of access and inspection as those granted by the ICT third-party service provider; | X | X | |
| Subcontracting - Permission | Description and conditions under which subcontracting is permitted | Art. 4 (1) RTS SUB | The contractual arrangement concluded between the financial entity and the ICT third-party service provider shall identify which ICT services that support critical or important functions or material parts thereof are eligible for subcontracting and under which conditions. That contract shall specify: | X | X | |
| Subcontracting - Responsibility for the provision of services | ICT third-party service provider is responsible for the provision of the services provided by the subcontractors | Art. 4 (1) (a) RTS SUB | that the ICT third-party service provider is responsible for the provision of the services provided by the subcontractors; | X | X | |
| Subcontracting - Monitoring | Monitoring obligation with regard to the subcontracting of critical or important functions | Art. 4 (1) (b) RTS SUB | that the ICT third-party service provider is required to monitor all subcontracted ICT services that support critical or important functions or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met; | X | X | |
| Subcontracting - Monitoring and reporting obligations | Monitoring and reporting obligations towards the financial entity | Art. 4 (1) (c) RTS SUB | the monitoring and reporting obligations of the ICT third-party service provider towards the financial entity regarding subcontractors that provide ICT services that support critical or important functions or material parts thereof; | X | X | |
| Subcontracting - Risk assessment | Assessment of all risks (incl. location-related ICT-risks) | Art. 4 (1) (d) RTS SUB | that the ICT third-party service provider is to assess all risks associated with the location of the current or potential subcontractors that provide ICT service that support critical or important functions or material parts thereof, and their parent company and with the location where the ICT service concerned is provided from; | X | X | |
| Subcontracting - Location | Data processing and storage location of subcontracted ICT services | Art. 4 (1) (e) RTS SUB | the location of data processed or stored by the subcontractor, where relevant; | X | X | |
| Subcontracting - Monitoring and reporting obligations | Specification of the monitoring and reporting obligations of the subcontractor | Art. 4 (1) (f) RTS SUB | that the ICT third-party service provider is to specify in its contract with its subcontractors the monitoring and reporting obligations of that subcontractor towards the ICT third-party service provider, and where agreed, towards the financial entity; | X | X | |
| Subcontracting - BCM | Obligation of continuous service provision at the ICT subcontractor | Art. 4 (1) (g) RTS SUB | that the ICT third-party service provider is to ensure the continuity of the ICT services that support critical or important functions throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations; | X | X | |
| Subcontracting - BCM | Obligation of business contingency plans at the ICT subcontractor | Art. 4 (1) (h) RTS SUB | that the contractual arrangement between the ICT third-party service provider and its subcontractors contains the requirements on business contingency plans referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554 and specifies the service levels to be met by the ICT subcontractors in relation to those plans; | X | X | |
| Subcontracting - Security | ICT security standards of the subcontractor | Art. 4 (1) (i) RTS SUB | that the contractual arrangement between the ICT third-party service provider and its subcontractors specifies the ICT security standards and any additional security requirements referred to in Article 30(3), point (c), of Regulation (EU) 2022/2554; | X | X | |
| Subcontracting - Audit rights & access to data | Granting of comparable audit, information and access rights | Art. 4 (1) (j) RTS SUB | that the subcontractor is to grant to the financial entity and relevant competent and resolution authorities the same rights of access, inspection, and audit as those referred to in Article 30(3), point (e), of Regulation (EU) 2022/2554; | X | X | |
| Subcontracting - Sufficient advance notice | Obligation to notify material changes to subcontracting arrangements | Art. 4 (1) (k) RTS SUB | that the ICT third-party service provider is to notify the financial entity of any material change to subcontracting arrangements; | X | X | |
| Subcontracting - Termination | Termination rights of the financial entity according to article 6 | Art. 4 (1) (l) RTS SUB | that the financial entity has the right to terminate the contract with the ICT third-party service provider when the conditions laid down in either Article 6 of this Regulation or the conditions laid down in Article 28(7) of Regulation (EU) 2022/2554 have been fulfilled. | X | X | |
| Subcontracting - Notification obligation | Obligation to provide information about any intended material changes in subcontracting | Art. 5 (1) RTS SUB | The contractual arrangement shall provide that the ICT third-party service provider shall inform the financial entity about any intended material changes to its subcontracting arrangements well in time to enable the financial entity to assess: (a) the impact on the risks it is or might be exposed to; (b) whether such material changes might affect the ability of the ICT third-party service provider to meet its contractual obligations vis-a-vis the financial entity. | X | X | |
| Subcontracting - Sufficient advance notice | Sufficient notice period in case of material changes in subcontracting | Art. 5 (2) RTS SUB | The contractual arrangement shall contain a reasonable notice period by which the financial entity is to approve or object to the changes. | X | X | |
| Subcontracting - Right to object | No changes to subcontracting during the notification period or without consent | Art. 5 (3) RTS SUB | The ICT third-party service provider shall only implement the material changes to its subcontracting arrangements after the financial entity has either approved or not objected to the changes by the end of the notice period. | X | X |
Source: https://www.bafin.de/SharedDocs/Downloads/DE/Anlage/dl_Mindestvertragsinhalte_DORA_DE_EN.html