Commission Delegated Regulation (EU) 2024/1773 & 2025/532
Digital Operational Resilience Act (DORA)
Objective: These two RTS establish the complete framework for managing risks related to third-party ICT service providers, covering:
Fundamental Principle: Financial entities ALWAYS remain responsible for regulatory compliance, even when they outsource ICT functions to third parties.
DORA Definition: Any company providing ICT services, including:
Service Type | Subject to DORA? | Examples |
---|---|---|
ICT Services | YES - DORA applicable | • Cloud computing • Software licensing • Infrastructure management • Cybersecurity services |
Business services with ICT component | PARTIAL - Analysis required | • Business Process Outsourcing (BPO) with IT support • Consulting with IT deliverables • Audit with software tools |
Pure business services | NO - Out of scope | • Strategic consulting • Legal services • Cleaning, physical security • Non-IT training |
⚠️ ABSOLUTE OBLIGATION: All contracts with ICT providers supporting critical or important functions MUST include the following clauses. Their absence renders the contract non-compliant with DORA.
Mandatory clause:
💡 Practical example (Cloud Computing):
"The Provider supplies cloud infrastructure services (IaaS) to host the Bank's core banking application. Virtual servers are located in the Provider's datacenters in Paris (France) and Frankfurt (Germany). The guaranteed SLA is 99.95% monthly availability, with API response time <100ms for 95% of requests. This service supports the Bank's critical function 'Banking Transaction Processing'."
Mandatory clause:
⚠️ WARNING - Audit refusal: If a provider refuses to include these clauses, the contract CANNOT be signed for critical or important functions.
Example contractual wording:
"The Provider grants the Client and any third party appointed by the Client (including external auditors and supervisory authorities), full access to the Provider's premises, systems, data and personnel, upon 30 calendar days' notice, to conduct compliance, security and operational audits. In case of major security incident or suspected non-compliance, the Client may demand immediate audit without notice. The Provider commits to cooperate fully and provide all required documents, logs and information within 48 hours."
Mandatory clause:
💡 Special case: Sovereign Cloud vs. Cloud Hyperscalers
Cloud Type | Advantages | Constraints |
---|---|---|
EU Sovereign Cloud (OVH, Scaleway, T-Systems) | • 100% data in EU • EU law applicable • Native DORA compliance | • Sometimes limited features • Often higher cost |
Hyperscalers (AWS, Azure, GCP) | • Advanced services • Global network • Economies of scale | • Complex DORA clause negotiation • Risk of law conflicts (US CLOUD Act) • Possible direct ESA supervision |
Mandatory clause:
📋 Certifications to require from provider:
Mandatory clause:
⚠️ IMPORTANT: Provider-to-client notification timelines (2h) are SHORTER than DORA client-to-supervisor timelines (4h), allowing the client to analyze and classify the incident before regulatory notification.
Mandatory clause:
💡 Exit Plan checklist:
Element | Required Details |
---|---|
Data inventory | Exhaustive list of all stored data, format, volume |
Extraction procedure | Technical export method (API, DB dumps, file transfer) |
Export format | Open and documented formats (CSV, JSON, XML, SQL) |
Timeline | Detailed transition schedule over X weeks/months |
Migration tests | Export testing procedure before production |
Support | Provider resources dedicated to transition |
Data destruction | GDPR-compliant secure destruction certificate |
Mandatory clause:
⚠️ See RTS 2025/532 below for complete subcontracting details
Mandatory clause:
💡 Managing concentration risk:
Objective: Strictly regulate cascading subcontracting to avoid loss of control and ensure ICT supply chain traceability.
Assessment Criterion | Questions to Ask | Risk Level |
---|---|---|
1. Subcontractor competencies | • Does it have required technical expertise? • Does it hold certifications (ISO, SOC2)? • Similar client references? | ✅ Valid certifications ⚠️ Limited experience 🚫 No references |
2. Financial stability | • Healthy financial situation? • Profitability history? • Bankruptcy risk? | ✅ Strong finances ⚠️ Recent losses 🚫 Financial difficulties |
3. Security and compliance | • Adequate security measures? • GDPR compliance? • Incident history? | ✅ ISO 27001 + SOC2 ⚠️ Minor past incidents 🚫 Recent breaches |
4. Geographic location | • Data remains in EU/EEA? • Compatible applicable laws? • Geopolitical stability? | ✅ EU/EEA only ⚠️ Country with Adequacy Decision 🚫 High-risk jurisdictions |
5. Subcontracted service criticality | • Impact if subcontractor fails? • Alternatives available? • Replacement time? | ✅ Non-critical service ⚠️ Important service 🚫 Critical service without plan B |
6. Risk concentration | • What % of our activity via this subcontractor? • How many financial entities use it? • Systemic risk? | ✅ Sufficient diversification ⚠️ Moderate dependency 🚫 Critical dependency |
⚠️ PROHIBITIONS:
Example subcontracting chain:
DORA Obligation: All financial entities must maintain an exhaustive register of all their third-party ICT providers.
Category | Required Data |
---|---|
Identification | • Full legal name • LEI code (if applicable) • Registered office address • Country of registration |
Service Provided | • Detailed ICT service description • Supported business function(s) • Classification: critical / important / standard • Contract start date • End / renewal date |
Data Location | • Countries where data is stored • Countries where data is processed • Datacenter locations • Backup locations |
Subcontracting | • List of authorized subcontractors • Subcontracted services • Subcontracting level (1, 2) |
Compliance | • Certifications (ISO 27001, SOC2, etc.) • Last audit date • Last audit result • Incidents occurred (last 12 months) |
Phase | Actions | Priority | Deadline |
---|---|---|---|
Phase 1: Inventory | ☐ Inventory ALL current ICT providers ☐ Classify by criticality (critical/important/standard) ☐ Identify non-DORA compliant contracts | URGENT | Immediate |
Phase 2: Contract Analysis | ☐ Legal review of each contract ☐ Gap analysis vs. RTS 2024/1773 clauses ☐ Prioritize renegotiations (critical functions first) | URGENT | Q1 2025 |
Phase 3: Renegotiation | ☐ Contact each provider ☐ Negotiate contract amendments ☐ Obtain signatures on compliant contracts ☐ Plan B if refusal (change provider) | HIGH | Q2-Q3 2025 |
Phase 4: Register | ☐ Create computerized register ☐ Fill all required data ☐ Validate with Compliance/Risk ☐ Submit to authorities (April 30, 2025) | URGENT | April 30, 2025 |
Phase 5: Continuous Monitoring | ☐ Due diligence process for new providers ☐ Annual review of each provider ☐ Subcontracting notification management ☐ Register update (quarterly) | ONGOING | Permanent |
Challenge: Standardized contracts, limited flexibility
Strategies:
Challenge: Lack of resources for complex compliance
Strategies: