DORA-Compliant Contracts: Clauses That Must Not Be Missing

With the application of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), the expectations for contractual frameworks between financial entities and their ICT third-party service providers have risen. Those involved in drafting or reviewing such contracts, especially procurement, legal and IT security teams, must ensure that certain provisions are explicitly included. Otherwise the financial entity remains exposed to compliance and reputational risk: DORA places the responsibility for the outsourced function on the financial entity, not on the provider.

This article outlines the most important DORA-relevant contract clauses, their content, and their ideal location within the contract—each accompanied by a sample legal formulation.


1. Incident Notification Obligations

Content:

  • Immediate notification obligation for major ICT-related incidents and security incidents affecting the service
  • Timelines: initial notification within 4 hours, intermediate report within 3 days, final report within 1 month
  • Caveat: this cadence mirrors the financial entity's own reporting duties towards its competent authority under Article 19 DORA. The contractual deadline for the provider must therefore be shorter than the regulatory one, otherwise the entity has no time left to classify the incident and file its own notification.

Suggested Placement:
Section “Incident Management / Reporting”

Sample Clause:
“The Contractor shall notify the Client in writing of any ICT-related incident that may significantly impact the services or the Client’s business operations without undue delay and no later than four (4) hours after becoming aware of it. An intermediate report shall follow within three (3) calendar days, and a final report no later than one (1) month after the incident. Each report shall state the known facts, the affected systems and data, the root cause insofar as identified, and the remediation measures taken.”


2. Audit and Inspection Rights

Content:

  • Enablement of on-site and remote audits by the Client, auditors appointed by the Client, and the competent authorities
  • Provision of necessary documentation and access to the systems, premises and personnel involved in the service
  • Caveat: for ICT services supporting critical or important functions, DORA requires unrestricted rights of access, inspection and audit; a clause that makes audits conditional on demonstrated regulatory necessity falls short of that standard

Suggested Placement:
Section “Governance / Collaboration”

Sample Clause:
“The Client, auditors appointed by the Client, and the competent supervisory authorities shall be entitled to conduct on-site and remote audits of the Contractor’s premises, systems and documentation relating to the services upon reasonable prior notice. No prior notice is required where an incident or a request of a supervisory authority makes an immediate audit necessary. The Contractor shall provide all required information and shall reasonably support the audit process.”


3. Exit Strategy / Offboarding

Content:

  • Data return, migration, deletion
  • Written exit plan and transition assistance so that the function continues without interruption until a successor provider or the Client has taken over

Suggested Placement:
Section “Exit Management”

Sample Clause:
“Upon termination of this agreement for any reason, the Contractor shall return all data provided by or processed on behalf of the Client in a complete, documented and machine-readable format within thirty (30) calendar days. The Contractor shall continue to provide the services for an agreed transition period to the extent required to migrate them to a successor provider or to the Client, and shall confirm in writing the deletion of all remaining copies of the data unless statutory retention obligations apply.”


4. Subcontractors / Cascade Obligations

Content:

  • Disclosure and consent obligation for the use or replacement of subcontractors, flow-down of contract terms including audit, incident notification and exit obligations

Suggested Placement:
Section “Subcontracting”

Sample Clause:
“The involvement or replacement of subcontractors for the provision of the services requires the prior written consent of the Client. The Contractor shall ensure that all subcontractors are bound by obligations equivalent to those set forth in this agreement, including the audit, incident notification and exit obligations, and shall remain fully liable to the Client for their performance.”


5. Business Continuity & Resilience

Content:

  • Business continuity plan (BCP), recovery time and recovery point objectives (RTO/RPO), regular testing and reporting of test results

Suggested Placement:
Section “Availability Requirements”

Sample Clause:
“The Contractor shall implement and maintain effective business continuity management for the services. The recovery time and recovery point objectives (RTO/RPO) defined by the Client shall be met and shall be tested at least annually, including by means of restoration tests. The documented results and any resulting remediation measures shall be reported to the Client.”


6. Reporting & Documentation

Content:

  • Quarterly reporting, proof of compliance

Suggested Placement:
Section “Reporting & Communication”

Sample Clause:
“The Contractor shall submit quarterly reports on the services rendered, identified risks, and relevant security incidents. Reports shall be delivered in writing in electronic form and shall be explained upon request.”


7. Access to Systems & Data

Content:

  • Read-only, logged access for the Client in case of incidents; protection of confidentiality and data integrity

Suggested Placement:
Section “Data Protection & Confidentiality”

Sample Clause:
“In the event of security-relevant incidents, the Contractor shall grant the Client access to the affected systems and data to the extent required for root cause analysis or regulatory reporting. Such access shall be read-only where possible, shall be logged, and shall be provided in a manner that maintains the integrity and confidentiality of the data.”


8. Sanctions for Non-Compliance

Content:

  • Contractual penalties, termination rights

Suggested Placement:
Section “Liability / Breach of Duty”

Sample Clause:
“In the event of a culpable breach of contractual obligations, in particular regarding reporting, audit, or security requirements, the Client shall be entitled to demand a contractual penalty of up to five percent (5%) of the annual contract value. This shall not limit further legal remedies, including the right to terminate this agreement in the event of a material or repeated breach.”


9. Escalation & Communication Process

Content:

  • Points of contact, response times

Suggested Placement:
Section “Escalation Procedure”

Sample Clause:
“Both parties shall appoint a primary and a deputy contact person for incident coordination. For services supporting critical or important functions, the contact persons shall be reachable at all times; otherwise at least during business hours. In the event of a major incident, an initial response shall be provided within two (2) hours. A structured communication and escalation plan shall be included as an annex.”


10. Obligation to Update

Content:

  • Adapting contract terms due to regulatory changes

Suggested Placement:
Section “Compliance & Change Management”

Sample Clause:
“The Contractor shall monitor regulatory changes, in particular regarding DORA and the delegated and implementing acts adopted under it, without undue delay, and shall implement the required contractual or organizational adjustments in coordination with the Client.”

