Oct 27, 2025

Contract Drafting in the Context of the DORA Regulation – What Do Financial Companies Need to Observe?

Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been binding for financial companies and third-party ICT service providers. The regulation not only sets high requirements for digital operational resilience, but also has a direct impact on contract drafting.

A key question that arises in practice is: When is a service considered an ICT service within the meaning of DORA? This distinction is crucial because, according to Article 30 DORA, contracts for ICT services must contain certain minimum content. This includes, among other things, clear provisions on risk management, incident reporting, audit rights, and exit strategies. The classification of a service as an ICT service therefore has far-reaching consequences for contract negotiations between financial companies and their service providers. If services are incorrectly not classified as ICT services, this not only poses compliance risks, but also leaves contractual gaps that can lead to liability issues in serious cases. At the same time, DORA shifts the balance of power in contract negotiations: financial companies are now obliged to impose strict requirements on their service providers – which redefines the scope for negotiation for both sides.

But how can ICT services be clearly identified, and which contractual clauses are absolutely necessary to meet DORA requirements? These questions are the focus of current discussions and show that DORA represents not only a regulatory challenge, but also a contractual one.

What are ICT Services?

According to Article 3(21) of DORA, ICT services are digital services and data services that are provided on a permanent basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also covers technical support provided by the hardware supplier by means of software or firmware updates, with the exception of traditional analog telephone services. The definition is deliberately broad in order to cover as many ICT services as possible and to implement the objectives of DORA effectively. A key limitation of the scope of application, as set out in the definition, is that only digital services and data services provided on a permanent basis are covered. In practice, this means that continuing obligations are regularly covered, while one-off services are not.

Annex III of Commission Implementing Regulation (EU) 2024/2956, laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the information register (ITS on register of information), contains a list of categories of ICT services, each with a brief description. This list can be used as an aid for initial classification. The services listed include: ICT project management, ICT development, ICT helpdesk and first-level support, ICT security management services, data provision, data analysis, ICT operating resources and hosting services (excluding cloud services), computing power, data storage outside the cloud, telecommunications providers, network infrastructure, hardware and physical devices, software licensing (excluding SaaS), ICT operations management (including maintenance), ICT consulting, ICT risk management, IaaS, PaaS and SaaS.

Article 30 DORA Defines Clear Minimum Standards for ICT Contracts – Both for Standard and Critical Services

Every contract for ICT services must first contain a precise description of the services, rights, and obligations, including the exact locations where data is processed and stored. Information security and data protection are key: specific technical and organizational measures must be defined to ensure the availability, authenticity, integrity, and confidentiality of all data—regardless of whether it is personal data or not. In addition, provisions on data access in the event of insolvency or termination of the contract are essential to ensure continuity of service. Service level agreements (SLAs) with quantitative and qualitative performance targets are mandatory, as is the service provider’s obligation to provide support in the event of ICT incidents and to relieve the financial company of its reporting obligations. Cooperation with supervisory authorities must be contractually anchored, and the financial company’s termination rights – for example, in the event of violations of compliance requirements or deficiencies in risk management – must be explicitly defined. Finally, participation in digital resilience training should be agreed upon, unless the service provider already has its own qualifications.

If critical or important functions are involved, the requirements become more stringent: in this case, extended reporting obligations, emergency plans, participation in penetration tests, and comprehensive audit rights for the financial company are mandatory. Exit management provisions that ensure an orderly transition at the end of the contract or when changing service providers are also particularly relevant. In addition, subcontracting must be strictly controlled and contractually secured in order to avoid unwanted risks.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de
