
DORA Article 30: the contract clauses your bank will demand

Article 30 is the part of DORA that lands in your inbox as a PDF. Every ICT contract with a regulated EU financial entity must contain a list of specific clauses — what they cover, what they hand to your customer, and where you have legitimate room to negotiate. Here's the line-by-line tour.

The structure: two tiers of contracts

Article 30 splits ICT contracts into two buckets. The bucket you're in determines how much paperwork you sign.

Tier 1 — every ICT contract. Even if you sell a €99/month observability tool to a small fintech, the contract must cover the items in Article 30(2): clear description of services, locations of processing, data protection terms, service level definitions, assistance to the entity at no extra cost during incidents, cooperation with supervisors, exit rights, and termination triggers.

Tier 2 — contracts supporting critical or important functions. If what you sell helps the entity perform a regulated activity (think: core banking, payments routing, KYC, customer authentication, claims handling), Article 30(3) adds a heavier layer: full service descriptions per location, notice periods for sub-outsourcing, audit rights including on-site inspections, participation in TLPT, detailed exit and transition plans.

You don't get to decide which tier you're in — the financial entity does, based on their internal classification. If a bank decides your tool supports a critical function, you are in Tier 2 whether you agree or not.

The eight clauses every contract needs (Art. 30(2))

  1. Service description. What you do, who does it, from where. Vague "cloud services" won't fly — list the modules and the regions.
  2. Locations of processing. Where the data sits at rest, where it's processed, where you back it up. If anything is outside the EEA, flag it and justify it.
  3. Data protection. A GDPR-aligned data processing clause or annex — usually a separate DPA. Your DPA template goes here.
  4. Service levels. Measurable SLA targets and what happens when you miss them. Credits are common; some banks insist on termination rights after repeated breach.
  5. Assistance during incidents. When their customer is screaming and your service is the cause, you have to help "without additional cost or at a cost determined ex-ante." Translation: 24/7 incident support cannot be a separate paid SKU.
  6. Cooperation with supervisors. If the Central Bank of Ireland, BaFin, AMF or another competent authority asks for information about the services, you cooperate. Refusing on commercial-confidentiality grounds is not an option.
  7. Termination triggers. The entity must be able to terminate for material breach, for repeated SLA failure, for changes in your security posture, and on instruction from a supervisor.
  8. Exit cooperation. When they leave, you help them leave. Data export in a usable format, transition window, destruction certificate.

The extra clauses for critical/important services (Art. 30(3))

Six additional items, each of which extends one of the above:

  1. Detailed scope per location. If you process in Frankfurt and back up in Dublin, both are described individually. Sub-processors per location are named.
  2. Reporting and monitoring. Periodic reports on performance, security events, capacity. Format and cadence agreed upfront.
  3. Sub-outsourcing notice. You must notify the entity in writing before adding, removing or replacing any sub-processor that supports a critical function. Notice periods of 30–90 days are typical. The entity can object.
  4. Right of audit. The entity, its auditors and its competent authority can audit you. Includes on-site inspections, document reviews, interviews of staff. You can negotiate cadence (typically once per year), scope and notice — but you cannot deny the right itself.
  5. TLPT participation. If the entity runs a threat-led penetration test under Art. 26, you participate. That means an authorised red team will, lawfully, attack systems that touch the entity's production environment.
  6. Exit strategy. Not just "we'll help you leave." A documented exit plan: time to migrate, assistance available, format of data, who pays for what. The entity must be able to leave without significant disruption, even if you're uncooperative.

Where you can legitimately push back

Article 30 is mandatory, but the implementation isn't. You have room to negotiate on:

  • Audit cadence and scope. Annual, with 30 days' notice, scoped to relevant controls. Continuous on-site access for an unlimited team is not in the regulation.
  • Audit cost-sharing. If the entity wants more than the standard annual audit, the contract can fairly allocate cost.
  • Notification windows. The regulation requires timely notification of major incidents. Two hours is a common ask. Anything tighter than that should come with a service credit, because it changes how your engineering on-call has to operate.
  • Sub-processor list mechanics. Maintaining a public sub-processor page with an opt-in change-notification feed is industry standard and usually accepted in place of bespoke per-customer notice.

Where you cannot push back

  • Cooperation with competent authorities. Non-negotiable.
  • Exit assistance at reasonable cost. The regulation explicitly forbids lock-in via prohibitive exit pricing.
  • Disclosure of sub-outsourcing chain for critical functions. The entity has a regulatory obligation to know.
  • Termination rights on supervisor instruction. Even if your commercial argument is watertight, a supervisor's order wins.

The practical checklist

When your customer's procurement team sends the contract addendum, work through it in this order:

  1. Confirm the tier. Are you in Tier 2 (critical/important function) or Tier 1?
  2. Map each proposed clause to one of the eight (or fourteen) items above. If a clause has no Article 30 home, it's negotiable on commercial grounds — push back.
  3. Identify the three or four clauses that would actually change your operating model (audit, notification, sub-processor notice). Negotiate those carefully.
  4. Reuse. The addendum from Bank A becomes the template for Banks B, C and D — with maybe 10% local variation.

References to Article 30 are from Regulation (EU) 2022/2554. Read together with the EBA Final Report on the implementation of the Joint Oversight Framework and the national supervisor guidance for your customer's jurisdiction. Not legal advice — confirm contract language with counsel.