§ DORA · Article 30

DORA Article 30: Obligations, Deadlines & Penalties

Regulation (EU) 2022/2554, Article 30 · All obligations · DORA
At a glance
Article 30 of the DORA imposes 18 obligations on ICT third-party service provider, financial entity. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 30

Obligation 1
The rights and obligations of the financial entity and the ICT third-party service provider shall be clearly allocated and set out in writing, including service level agreements in one documented format. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 2
The rights and obligations of the financial entity and the ICT third-party service provider shall be clearly allocated and set out in writing, including service level agreements in one documented format. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 3
Contractual arrangements shall include a clear and complete description of all functions and ICT services, indicating whether subcontracting of critical or important functions is permitted and the conditions applying. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 4
Contractual arrangements shall include a clear and complete description of all functions and ICT services, indicating whether subcontracting of critical or important functions is permitted and the conditions applying. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 5
Contractual arrangements shall specify the locations where services are provided and data is processed, and require the provider to notify the financial entity in advance of any envisaged changes. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
notify
Deadline
in advance
Penalty
Obligation 6
Contractual arrangements shall include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 7
Contractual arrangements shall include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 8
Contractual arrangements shall include provisions on ensuring access, recovery and return of data in an easily accessible format in the event of insolvency, resolution, discontinuation, or termination. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
ensure
Deadline
Penalty
Obligation 9
Contractual arrangements shall include service level descriptions, including updates and revisions thereof. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 10
Contractual arrangements shall include service level descriptions, including updates and revisions thereof. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 11
The ICT third-party service provider shall provide assistance to the financial entity at no additional cost, or at a cost determined ex-ante, when an ICT incident related to the service occurs. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
assist
Deadline
Penalty
Obligation 12
The ICT third-party service provider shall fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
cooperate
Deadline
Penalty
Obligation 13
Contractual arrangements shall include termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent and resolution authorities. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 14
Contractual arrangements shall include termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent and resolution authorities. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 15
Contractual arrangements shall include conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
participate
Deadline
Penalty
Obligation 16
Contractual arrangements for critical or important functions shall include full service level descriptions with precise quantitative and qualitative performance targets to allow effective monitoring and corrective actions. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
financial entity
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 17
Contractual arrangements for critical or important functions shall include full service level descriptions with precise quantitative and qualitative performance targets to allow effective monitoring and corrective actions. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
document
Deadline
Penalty
Obligation 18
The ICT third-party service provider shall notify the financial entity of any development that might have a material impact on its ability to effectively provide ICT services supporting critical or important functions. Regulation (EU) 2022/2554, Article 30, Article 30
Obligated entity
ICT third-party service provider
Sector scope
financial sector
Action required
notify
Deadline
Penalty
§ Frequently asked

Questions about Article 30

Who must comply with Article 30 of the DORA? +
ICT third-party service provider, financial entity.
What does Article 30 of the DORA require? +
document notify ensure
What is the compliance deadline for DORA Article 30? +
in advance
Need a cross-border briefing on DORA Article 30?
Search Fontvera ↵
All EU obligation pages  ·  All DORA articles