DORA · 6 min read · 15 June 2026

DORA Article 30 explained: the contractual provisions you actually need

A plain-English guide to DORA Article 30 — the mandatory contractual provisions for ICT third-party arrangements, and the enhanced set for those supporting critical or important functions.

Article 30 of the Digital Operational Resilience Act (DORA) is where a lot of financial entities feel the regulation most directly: it governs what must be in your contracts with ICT third-party service providers. If you outsource anything that touches your operational resilience, this is the article your procurement, legal and compliance teams will be living in.

Why Article 30 matters

DORA treats ICT third-party risk as a first-class part of operational resilience. Rather than leaving supplier terms to chance, Article 30 sets out the provisions a contract must contain — and a stricter set for arrangements that support critical or important functions.

The practical effect: you can no longer sign a standard vendor agreement and assume you're covered. Each in-scope arrangement has to demonstrably contain the required provisions.

The standard provisions

For all ICT third-party arrangements, the contract should clearly set out matters such as:

  • A clear description of the services and the locations where they're provided
  • Provisions on availability, integrity and security of data
  • Service level descriptions and reporting obligations
  • Assistance during ICT incidents, and cooperation with authorities
  • Rights of access, inspection and audit
  • Termination rights and exit arrangements

The enhanced provisions for critical or important functions

Where the arrangement supports a critical or important function, DORA expects more — including stronger requirements around monitoring, full audit and access rights, exit strategies, and participation in your testing and training. The bar is higher because the consequences of failure are higher.

This is why declaring which functions are critical or important matters so much: that classification drives which provisions apply.

How to operationalise it

Article 30 isn't a one-time contract review — it's an ongoing register of evidence. A workable approach:

  1. Inventory your ICT third-party arrangements.
  2. Classify each against the functions it supports (critical/important vs the rest).
  3. Map the required provisions to each contract and record status and evidence.
  4. Review on a cadence, with sign-off, so the picture stays current for a supervisor.

In ResiliencePilot, each supplier arrangement tracks its provisions — the standard set, or the enhanced set for critical suppliers — with status and supporting evidence, and feeds the Register of Information. See the DORA solution for how the pieces fit together.

In short: Article 30 turns supplier contracts into a maintained, evidenced control — not a filing-cabinet formality.
