
DORA Article 30: what UK financial services firms need in their ICT third-party contracts

Servnet Editorial · Financial Services Practice · 9 min read

The Digital Operational Resilience Act (DORA) came into force across the EU in January 2025. UK-headquartered firms with EU subsidiaries, EU-licensed entities or EU client-facing services are in scope — and the UK regulators (FCA, PRA) are aligning Operational Resilience to a substantially similar standard. Article 30 — the contractual provisions for ICT third-party services — is where many firms have the most work to do.

DORA Article 30 — required contract clauses
DORA · ICT third-party — control map
  • A30.1 Service description + SLAs — CORE
  • A30.2 Data processing locations — CORE
  • A30.3 Sub-contracting rules + chain mapping — CORE
  • A30.4 Incident reporting timelines — CORE
  • A30.5 Audit + access rights — CORE
  • A30.6 Exit + transition assistance — CORE
  • A30.7 Resilience testing (TLPT) — PLUS
  • A30.8 Concentration risk disclosure — PLUS

Who is in scope

DORA applies to "financial entities" — banks, investment firms, asset managers, payment institutions, e-money issuers, central counterparties, central securities depositories, trading venues and a long list of others. It also applies to "critical ICT third-party service providers" — the cloud hyperscalers and a small number of others designated by ESMA.

Even if you are a UK-only firm with no EU operations, the FCA's Operational Resilience regime (PS21/3) substantially mirrors DORA in intent. The contractual standards Article 30 sets out are increasingly being applied across the UK market regardless.

What Article 30 actually requires

Article 30 sets minimum contractual provisions for any ICT service contract. Some apply to all contracts. The fuller list applies to contracts supporting "critical or important" functions — and most firms find that the majority of their material ICT contracts fall into this bucket.

  • Clear description of services + service levels
  • Locations where services are performed + data processed/stored
  • Provisions for subcontracting (with proper oversight)
  • Service availability + accessibility of data
  • Personal data protection (alignment with GDPR Article 28)
  • Assistance with ICT incidents at no additional cost
  • Full cooperation with the financial entity's competent authorities
  • Termination rights + transition assistance + reasonable exit notice
  • Access, inspection and audit rights — for the financial entity AND for competent authorities
  • Service location restrictions + data location commitments
  • Reporting on the provider's ICT business continuity arrangements
  • Participation in the financial entity's threat-led penetration testing (TLPT) — for critical contracts

Where most UK firms have gaps

Almost every ICT contract written before 2024 lacks the TLPT cooperation clause. Many SaaS contracts have explicit audit-rights restrictions that conflict with Article 30. The big hyperscalers have updated their DORA addenda — but the long tail of niche SaaS suppliers has not.

Subcontracting oversight is the second biggest gap. Most contracts allow the supplier to subcontract freely. Article 30 requires the financial entity to have visibility of material subcontractors and (in some cases) consent rights.

Termination + exit assistance is the third. Many SaaS contracts permit termination but provide minimal assistance with data extraction or transition to a successor supplier. Article 30 explicitly requires "reasonable" assistance.

Is this provider in DORA Article 30 scope?
Does the provider support a critical or important function?
  • YES — critical: full Article 30 contract + register entry
  • YES — important: standard Article 30 clauses + register
  • NO: light-touch contract + monitor only

Building the third-party register

Article 28 requires every financial entity to maintain a "Register of Information" — a structured inventory of every ICT third-party arrangement. The technical standards (ITS / RTS) define ~80 data fields per arrangement.

Most firms have a partial register today (typically rolled up from procurement, vendor management and the IT asset database). Pulling these into a single DORA-compliant register, with criticality classification, contract location, subcontracting chains and data residency, is one of the biggest one-off DORA implementation costs.

How Servnet helps

We support FCA-regulated financial services firms across three areas of DORA work: contract review and remediation against Article 30, third-party register build / maintenance, and the technical TLPT preparation and execution that critical-contract holders need.

A typical DORA programme runs:
  1) gap analysis across existing ICT contracts (3–4 weeks)
  2) prioritised remediation plan (1 week)
  3) supplier negotiation support and addenda drafting alongside your legal team (8–12 weeks for the material 20% of suppliers)
  4) Register of Information build + ongoing maintenance tooling
  5) TLPT scoping if appropriate

Key takeaways
  • DORA Article 30 sets minimum contractual provisions for ICT third-party services — most pre-2024 contracts have gaps.
  • TLPT cooperation, subcontracting oversight, and exit assistance are the most common gap areas.
  • Article 28 Register of Information requires ~80 structured fields per arrangement.
  • UK FCA Operational Resilience (PS21/3) substantially aligns with DORA intent — even UK-only firms should treat Article 30 as best practice.
  • Servnet supports DORA across contract remediation, register build, and TLPT preparation.
FAQs — DORA Article 30

Scope & timing

Does DORA apply to UK financial services firms?

DORA directly applies to EU financial entities since 17 January 2025. UK firms are caught indirectly via three routes: EU subsidiaries / branches, EU clients' supply chain due-diligence, and FCA Operational Resilience PS21/3 which substantially aligns. See our financial services IT compliance overview.

What is an ICT third-party service provider under Article 30?

Any external supplier providing ICT services that support the firm's business functions — cloud (AWS, Azure), SaaS (M365, Salesforce), MSPs, MSSPs, colocation, and resellers managing infrastructure. Reseller relationships like Servnet's IT procurement service are in scope.

Which providers must be in the Register of Information?

All ICT third-party providers, classified by criticality. "Critical or important" providers (those supporting critical business functions) carry the full Article 30 contract requirements; non-critical providers carry a lighter set. Our compliance practice helps with the classification call.

Contract requirements

What must DORA Article 30 contracts include?

Mandatory clauses: service description + SLAs, locations of data processing, sub-contracting rules, incident reporting timelines, audit and access rights, exit + transition assistance, termination triggers. Critical-provider contracts add resilience testing, security standards, and concentration-risk disclosures. Servnet contracts include all of these.

Do existing supplier contracts need re-papering?

Yes — material gaps in existing contracts need formal addenda or full renegotiation before the firm can credibly claim Article 30 compliance. Most UK firms ran a contract-remediation programme through 2024-2025; if yours didn't, prioritise the critical-provider tier first.

Evidence & testing

What is Threat-Led Penetration Testing (TLPT) under DORA?

TLPT is a red-team test of live production systems, including third-party-provided services, aligned to the TIBER-EU methodology. It is required at least every 3 years for the largest entities. Coordinate with your pen-testing partner and ICT third parties at least 12 months ahead.

How do we evidence ICT third-party oversight to the regulator?

Maintain: the Register of Information (annual report to competent authority), executed contracts with all Article 30 clauses, incident logs filed within mandated timelines, annual concentration risk review, and exit plan tests. Servnet's managed services include this evidence pack as standard.
