Skip to content

DORA Articles 28 to 30: your vendors are now your problem, in writing

BaFin's own numbers said it: roughly half of major ICT incidents in 2025 originated at third parties. Chapter V is DORA's answer. Articles 28 to 30 make third-party ICT risk an explicit, contractual, documented discipline. Today, the principles, the register, and the contract clauses DORA now requires you to have in writing.

Article 28: manage the vendor risk as your own

Article 28 sets the general principles: entities "shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework". The vendor's risk is your risk. You cannot outsource a critical function and outsource the accountability with it.

Article 28 also carries the obligation that becomes its own post: entities must "maintain and update a register of information" of all contractual arrangements for ICT services. Before you sign, you assess. While you run, you monitor. This is the article that ends the era of a critical SaaS dependency nobody in risk had heard of.

Article 30: the contract, spelled out

Article 30 is unusually prescriptive for a regulation. "The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing", in "one written document" available to the parties. Then it lists what the contract must contain, and for arrangements supporting critical or important functions the list gets longer: service levels, locations of data and processing, access, inspection and audit rights, assistance on incidents, exit strategies, and termination rights.

The exit strategy requirement catches people. DORA wants you to have a documented, workable way to leave a provider, especially for critical functions, before you are forced to. If your answer to "what if this provider fails" is "we would be in serious trouble", that is precisely the gap Article 30 is written to close.

The detailed content of the policy governing these arrangements is set out further in RTS 2024/1773, which specifies what the policy on contractual arrangements for ICT services supporting critical or important functions must contain.

The artefact: third-party contract checklist

For any arrangement supporting a critical or important function, the contract should address each of these.

Clause area Basis
Clear allocation of rights and obligations, one written document Art. 30(1)
Service level descriptions Art. 30(2)
Data and processing locations Art. 30(2)
Access, inspection and audit rights Art. 30(2)
Incident assistance and cooperation Art. 30(2)
Exit strategy and orderly termination Art. 30(2)
Policy content behind it all RTS 2024/1773

The official texts, including RTS 2024/1773, are in the DORA resource library.

Next in this series: the register of information itself, Article 28(3), and the ITS template set that turns your vendor list into a regulated filing.