BondGovernance — Infrastructure for Secured Bonds

§ 07.2 — DORA, ICT third-party

DORA and ICT third-party risk: what a bond trustee's technology provider must satisfy.

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, entered into application on 17 January 2025. It treats a bond trustee's governance platform as an ICT third-party service supporting a critical or important function. The contractual, exit, testing and reporting obligations are prescribed, not principles-based.

BondGovernance, Regulatory desk · Editorial standard

Reviewed 2026-07-01 · Primary sources cited below

01

Scope: financial entities and their ICT providers

DORA applies directly to the financial entities listed in Article 2, including credit institutions, investment firms and central securities depositories, and, through Article 3(3), to trustees and agents where they support the operation of financial market infrastructure. It reaches ICT third-party service providers through the mandatory contract terms in Article 30 and the register in Article 28.

02

The Article 30 contract, minimum terms

Article 30(2) and 30(3) prescribe minimum clauses for any ICT third-party contract supporting a critical or important function: description of services, locations of data processing, service-level targets with quantitative and qualitative performance indicators, cooperation with competent authorities and the resolution authority, exit strategies with adequate transition periods, participation in the financial entity's Threat-Led Penetration Testing programme, and unrestricted rights of access, inspection and audit.

03

Subcontracting: the RTS is the operative text

The Commission Delegated Regulation on subcontracting of ICT services (adopted under Article 30(5) DORA) constrains the chain. A provider supporting a critical or important function must obtain prior written approval for material subcontractors, notify changes, and demonstrate that the subcontractor meets equivalent security, resilience and audit standards. Concentration risk at the subcontractor level is explicitly in scope.

04

Exit strategy is not a document, it is a tested capability

Article 28(8) requires financial entities to have exit strategies for ICT services supporting critical or important functions. The strategy must be documented, sufficiently tested, and enable orderly transfer without disruption. For a bond governance platform, this means portable data schemas, documented extraction adapters, and rehearsed migration runbooks, not a contract clause in isolation.

05

Register of information

Article 28(3) obliges financial entities to maintain a register of all ICT third-party arrangements, distinguishing those supporting critical or important functions. The register is reported annually to the competent authority. Providers are expected to supply the fields listed in the ITS on the register (published July 2024) in a form the entity can ingest.

§ Key takeaways

  • K.01

    DORA has applied directly since 17 January 2025. There is no grandfathering for legacy ICT contracts.

  • K.02

    Article 30(2) and 30(3) prescribe minimum contract clauses, not suggestions. Absence is a supervisory finding.

  • K.03

    The subcontracting RTS constrains the whole delivery chain, including sub-providers of the ICT provider.

  • K.04

    Exit strategy is a tested capability with portable data, not a clause. Portability is architectural.

  • K.05

    The register of information is the annual supervisory artefact. Providers should ship the register fields as data.

§ Primary sources

  1. [01]

    Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)

    European Union · OJ L 333, 27.12.2022, p. 1

  2. [02]

    Joint Final Report on the draft RTS on subcontracting of ICT services supporting critical or important functions under DORA

    European Supervisory Authorities · JC 2024 53

  3. [03]

    Final Report on the draft ITS on the register of information under DORA

    European Supervisory Authorities · JC 2024 33
