ICT Service Arrangements under DORA: Contractual Requirements
12 December 2025
Corporate Clients Insights, Licences, AML, Blockchain & Cryptocurrency
In today’s financial sector, technology underpins almost everything. Whether managing customer data, processing transactions, or safeguarding critical systems, financial institutions rely on ICT service providers as trusted partners. For that partnership to work, the contract at its heart must be clear, comprehensive, and robust. It should leave no room for doubt about who is responsible for what, and how risks are managed.
DORA and the Regulatory Context
The requirements discussed in this guide arise under the Digital Operational Resilience Act (DORA), the European Union’s framework designed to strengthen the digital resilience of the financial sector. DORA establishes harmonised rules across all Member States to ensure that banks, insurers, investment firms, and other financial entities can withstand, respond to, and recover from ICT-related disruptions. As a directly applicable Regulation, it applies uniformly across the Union without the need for national transposition and is supported by detailed technical standards developed by the European Supervisory Authorities. In this way, DORA creates a coherent rulebook for operational resilience, elevating ICT risk management to the same level of regulatory importance as prudential and market conduct requirements.
Under DORA, financial entities are required to ensure that all arrangements with ICT third-party service providers are supported by clear, enforceable contracts that reflect these regulatory expectations. Before any services are outsourced, the agreement must not only comply with DORA’s standards for operational resilience but also provide a practical and transparent framework for delivery, monitoring, and governance of the services.
While the contract itself is not automatically submitted to supervisory authorities as part of routine reporting obligations, financial entities must maintain detailed records of all contractual arrangements and provide these records or specified sections of them to the competent authority upon request. Entities must also report annually on the number of new ICT service arrangements, the categories of providers engaged, the types of services provided, and the functions supported. Additionally, they must inform the competent authority in a timely manner of planned arrangements for services supporting critical or important functions.
Form
All ICT service contracts must be concluded in writing. The full contract, including its service level agreements, must be set out in one written document that both parties can access on paper or in another downloadable, durable and accessible format, so that it remains retrievable for the life of the arrangement and for any supervisory request that follows.
Services
At a minimum, the contract must give a clear and complete description of every function and ICT service being provided, and must state whether any part of a service supporting a critical or important function may be subcontracted. If subcontracting is permitted, the contract must set the rules of the game: the conditions under which it may occur, and how the financial entity will retain oversight and control over the subcontracted work.
Financial entities must also consider the risk of long or complex subcontracting chains, particularly for services supporting critical or important functions, including those subcontracted to providers in third countries.
Location
Equally important is knowing where the work is being done. The contract must identify the regions or countries in which the contracted (and any subcontracted) services will be provided and where data, sometimes extremely sensitive, will be processed, including where it is stored. If the provider envisages changing any of these locations, it must notify the financial entity in advance, giving the entity time to reassess the risk before the move happens.
Personal Data and Confidentiality
Because these services often involve the handling of personal and confidential data, strong protections are non-negotiable. The agreement must address how the provider will maintain the integrity, availability, authenticity and confidentiality of that information.
Further, it must stipulate measures to ensure the financial entity retains access to, and can recover or retrieve in a readily accessible format, both personal and non-personal data in circumstances such as the provider’s insolvency, resolution, discontinuation of operations, or the termination of the contract.
Critical and Important Functions
For ICT services supporting critical or important functions, DORA requires additional safeguards:
- Quantitative and qualitative service level targets, updated as the service evolves, enabling effective monitoring and corrective action.
- Participation in Threat-Led Penetration Testing (TLPT), including cooperation with internal and external testers.
- Exit strategies ensuring that the financial entity can migrate services or return operations in-house without disruption, maintaining continuity, compliance, and service quality.
- Ongoing monitoring of performance, including the financial entity's rights of access, inspection and audit, together with reporting obligations that cover notification of any development that might materially affect the provider's ability to meet the agreed service levels.
Predictability and Costs
Clarity around service levels is essential, and the service level descriptions must be kept current: as the service evolves, updates and revisions are built into the contract rather than left to informal side agreements. When difficulties arise, such as an ICT incident related to the outsourced service, the provider must assist the financial entity without delay and either at no additional cost or at a cost fixed in advance, so that incident response is never held up by a commercial negotiation.
Cooperation
Cooperation with regulators is another cornerstone of resilience. The provider must commit to cooperating fully with the competent authorities and resolution authorities of the financial entity, including any persons those authorities appoint. Termination rights, together with the related minimum notice periods, must be clearly set out and consistent with the expectations of those authorities.
Training and Awareness
Finally, contractual terms should address the participation of ICT service providers in the financial entity’s ICT security awareness initiatives and digital operational resilience training programmes.
A well-constructed ICT services contract is more than a legal formality. It is the backbone of a resilient and secure partnership, protecting both the financial entity and the provider. By addressing services, locations, subcontracting, data protection, service levels, exit strategies, regulatory cooperation, and training, such agreements ensure that technology partnerships are robust, transparent, and aligned with the highest EU standards under DORA.