Scope: financial entities and their ICT providers
DORA applies directly to the financial entities listed in Article 2, including credit institutions, investment firms and central securities depositories, and, through Article 3(3), to trustees and agents where they support the operation of financial market infrastructure. It reaches ICT third-party service providers through the mandatory contract terms in Article 30 and the register in Article 28.
The Article 30 contract, minimum terms
Articles 30(2) and 30(3) prescribe minimum clauses for any ICT third-party contract supporting a critical or important function: description of services, locations of data processing, service-level targets with quantitative and qualitative performance indicators, cooperation with competent authorities and the resolution authority, exit strategies with adequate transition periods, participation in the financial entity's Threat-Led Penetration Testing programme, and unrestricted rights of access, inspection and audit.
Subcontracting: the RTS is the operative text
The Commission Delegated Regulation on subcontracting of ICT services (adopted under Article 30(5) DORA) constrains the chain. A provider supporting a critical or important function must obtain prior written approval for material subcontractors, notify changes, and demonstrate that the subcontractor meets equivalent security, resilience and audit standards. Concentration risk at the subcontractor level is explicitly in scope.
Exit strategy is not a document, it is a tested capability
Article 28(8) requires financial entities to have exit strategies for ICT services supporting critical or important functions. The strategy must be documented, sufficiently tested, and enable orderly transfer without disruption. For a bond governance platform, this means portable data schemas, documented extraction adapters, and rehearsed migration runbooks, not a contract clause in isolation.
Register of information
Article 28(3) obliges financial entities to maintain a register of all ICT third-party arrangements, distinguishing those supporting critical or important functions. The register is reported annually to the competent authority. Providers are expected to supply the fields listed in the ITS on the register (published July 2024) in a form the entity can ingest.