§ DORA · Article 30
DORA Article 30: Obligations, Deadlines & Penalties
At a glance
Article 30 of the DORA imposes 18 obligations on ICT third-party service provider, financial entity. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 30
Obligation 1
The rights and obligations of the financial entity and the ICT third-party service provider shall be clearly allocated and set out in writing, including service level agreements in one documented format.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 2
The rights and obligations of the financial entity and the ICT third-party service provider shall be clearly allocated and set out in writing, including service level agreements in one documented format.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 3
Contractual arrangements shall include a clear and complete description of all functions and ICT services, indicating whether subcontracting of critical or important functions is permitted and the conditions applying.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 4
Contractual arrangements shall include a clear and complete description of all functions and ICT services, indicating whether subcontracting of critical or important functions is permitted and the conditions applying.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 5
Contractual arrangements shall specify the locations where services are provided and data is processed, and require the provider to notify the financial entity in advance of any envisaged changes.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
notify
- Deadline
-
in advance
- Penalty
-
—
Obligation 6
Contractual arrangements shall include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 7
Contractual arrangements shall include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 8
Contractual arrangements shall include provisions on ensuring access, recovery and return of data in an easily accessible format in the event of insolvency, resolution, discontinuation, or termination.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 9
Contractual arrangements shall include service level descriptions, including updates and revisions thereof.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 10
Contractual arrangements shall include service level descriptions, including updates and revisions thereof.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 11
The ICT third-party service provider shall provide assistance to the financial entity at no additional cost, or at a cost determined ex-ante, when an ICT incident related to the service occurs.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
assist
- Deadline
-
—
- Penalty
-
—
Obligation 12
The ICT third-party service provider shall fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
cooperate
- Deadline
-
—
- Penalty
-
—
Obligation 13
Contractual arrangements shall include termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent and resolution authorities.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 14
Contractual arrangements shall include termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent and resolution authorities.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 15
Contractual arrangements shall include conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
participate
- Deadline
-
—
- Penalty
-
—
Obligation 16
Contractual arrangements for critical or important functions shall include full service level descriptions with precise quantitative and qualitative performance targets to allow effective monitoring and corrective actions.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
financial entity
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 17
Contractual arrangements for critical or important functions shall include full service level descriptions with precise quantitative and qualitative performance targets to allow effective monitoring and corrective actions.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 18
The ICT third-party service provider shall notify the financial entity of any development that might have a material impact on its ability to effectively provide ICT services supporting critical or important functions.
Regulation (EU) 2022/2554, Article 30, Article 30
- Obligated entity
-
ICT third-party service provider
- Sector scope
- financial sector
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 30
Who must comply with Article 30 of the DORA?
+
ICT third-party service provider, financial entity.
What does Article 30 of the DORA require?
+
document notify ensure
What is the compliance deadline for DORA Article 30?
+
in advance