Skip to main content
DORA Auditor

Article 30: Key contractual provisions

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 30 specifies the mandatory contractual provisions for ICT service arrangements, including clear service descriptions, data location, access and audit rights, security requirements, sub-outsourcing conditions, and exit strategies.

Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk

Key points

  • Lists mandatory ICT contract clauses
  • Covers access, audit, security, and data location
  • Requires exit strategies and sub-outsourcing controls

How this fits DORA

Article 30 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 30 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex