Free template
DORA Article 30 contract addendum template
The contract clauses every ICT vendor selling to an EU financial entity will eventually need. Aligned with Article 30(2) and 30(3) of Regulation (EU) 2022/2554. Free, in Markdown. CC BY 4.0 — adapt freely with attribution.
dora-article-30-contract-template.md
~6,500 words · 13 numbered sections · ready to fill in
What's inside
The template covers the full scope of Article 30, divided into the two tiers DORA defines:
Tier 1 — applies to every ICT contract (Art. 30(2))
- Service description and locations (Art. 30(2)(a))
- Data protection / DPA reference (Art. 30(2)(b))
- Service levels with measurable targets (Art. 30(2)(c))
- Incident assistance at no extra cost (Art. 30(2)(d))
- Cooperation with competent authorities (Art. 30(2)(e))
- Termination triggers (Art. 30(2)(f))
- Exit and transition cooperation (Art. 30(2)(g))
Tier 2 — additional, for critical or important functions (Art. 30(3))
- Detailed scope and substitutability (Art. 30(3)(a))
- Sub-outsourcing notice and right to object (Art. 30(3)(b))
- Quarterly performance reporting (Art. 30(3)(c))
- Right of audit including on-site (Art. 30(3)(e))
- TLPT participation rules (Art. 30(3)(f))
- Documented exit strategy (Art. 30(3)(g))
How to use it
- Download the Markdown file. Open it in your editor (VS Code, Obsidian) or paste into Word — it renders cleanly anywhere.
- Replace every bracketed [ITEM] with values specific to your service. The bracketed items are also where you'll need to coordinate with your customer.
- Confirm with the customer whether the Services are classified as supporting a Critical or Important Function. If yes, keep sections 9-13. If no, delete them.
- Read the "Template notes" section at the bottom — it flags the items that are commercially negotiable (audit cadence, SLA tightness, notice periods).
- Have your counsel review before signing. This template is not legal advice.
Common questions
Is this the only template I need?
For the Article 30 contract clauses, yes. You may also need separately:
- A Data Processing Agreement (GDPR Art. 28) — referenced from this template. See our DPA model.
- An Information Security Annex describing your controls (typically your SOC 2 Type II report under NDA, or a plain-English summary).
- Updated Sub-processor list — see our sub-processors page as an example structure.
Can I sign this directly?
You can use this template as the basis for what you sign, but every bracketed value needs to be filled in and the text reviewed by counsel for your specific situation. Don't just rename it and sign.
What if the bank sends their own template?
Read it against this one. If their template covers the same Article 30 ground, the substance is fine. If their version omits exit cooperation, sub-processor notice, or audit limits, those are the items to push back on. Our Article 30 cheat sheet walks through where you can legitimately negotiate.
What does the licence say?
CC BY 4.0. You can copy, adapt, redistribute, and use commercially. The only requirement is attribution — keep the "Prepared by DoraPilot" note in the footer, or replace it with your own attribution.
Why we're giving this away
The hours we save you with this template are not the product. The product is the audit trail, the questionnaire engine, the Register of Information generator. A template is a starting point — for the work that takes weeks (your full DORA response across multiple bank clients), you'll eventually need the platform.
If you want to be told when other DORA artefacts become available — exit plan template, RoI xBRL-CSV exporter, policy pack — join the early access list below.
Get notified when the next template ships
One email per new artefact. No marketing.