DORA Article 30 Explained: Key Contractual Requirements for ICT Service Agreements

What is DORA Article 30?

Article 30 lists important contractual terms that must be included in agreements between financial entities and ICT Providers to comply with DORA. The adoption of clear, detailed contract clauses is essential for effective risk management.

The list is divided into two parts, contractual clauses in Article 30.2 are applicable as a standard basis, such as including clear descriptions of services, and data protection measures. Article 30.3 details the additional requirements for contractual clauses supporting critical or important functions, such as full-service level descriptions, business contingency plans, audit rights and exit strategies.

Some of the mandatory elements to be addressed in all ICT services contracts include:

• A clear and complete description of the ICT service.
• Location from which the ICT service is to be provided and where the data will be processed.
• Provisions around the protection of data, including personal data.
• Access, recovery and return of data in the event of insolvency or discontinuation of the ICT service provider’s business operations.
•  Service level descriptions
• Provision of incident support to the financial entity at no additional cost or at a cost determined ex ante.
• Co-operation with the financial entity’s competent authorities and resolution authorities.
• Termination rights and minimum notice periods.
• Conditions for the third party service provider’s participation in the financial entities’ security awareness programmes and digital operational resilience training.

The benefit to your business

By embracing DORA your EU/ non-EU business benefits from streamlined contracts, improved risk management, and increased trust with financial clients. Also, as a result of building trust, both financial entities and ICT providers subsequently benefit from a strengthening their market position. With the financial industry constantly evolving, compliance with DORA will serve your business with a strategic opportunity to create a secure, and competitive digital financial environment.

How can we help?

1. Drafting and reviewing ICT contracts: Ensuring contracts compliance with Article 30.
2. Risk assessments: Identifying gaps in existing contractual agreements.
3. Regulatory updates: Keeping your business up to date with evolving EU regulations.

Want advice on this topic? Reach out to Andrew Gordon.