DORA-Art30-P1

Article: 30(1)
Pillar: Third-Party ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 30(1)
Last Reviewed: 2026-01-15

Contractual arrangements on the use of ICT services shall include at least the following elements: a clear and complete description of all functions and ICT services to be provided, the locations where such functions are provided and where data is to be processed, provisions on availability, authenticity, integrity and confidentiality of data, provisions on ensuring access, recovery and return of data, service level descriptions, assistance obligations, termination rights and related transition periods.

Evidence Profiles

ICT Contract Compliance Review PARTIAL

Document reviewing ICT third-party contracts against DORA Article 30 requirements, including assessment of required contractual clauses, SLA provisions, audit rights, and exit strategy provisions.

Formats: DOCX, PDF
Evidence Class: ict-contract-review
Availability: PARTIAL
Update Frequency: annual
Typical Author: Legal Counsel
Approval Chain: Legal Counsel → Vendor Management Officer → CRO

ICT Service Level Agreement Documentation COMMON

SLA documentation for ICT third-party services including performance metrics, availability targets, incident response times, and penalty provisions.

Formats: PDF
Evidence Class: sla-documentation
Availability: COMMON
Update Frequency: annual
Typical Author: Vendor Management Officer
Approval Chain: Vendor Management Officer → CIO

Fact Schemas

contract_compliance_status

Schema ID: fs-contract-compliance-status
Control: DORA-Art30-P1

Valid Ranges

review_date: within last 12 months
compliance_gaps_count: should be 0 for full DORA compliance
contract_expiry_date: future date for active contracts

JSON Schema

{
  "properties": {
    "compliance_gaps_count": {
      "minimum": 0,
      "type": "integer"
    },
    "contract_expiry_date": {
      "format": "date",
      "type": "string"
    },
    "contract_id": {
      "minLength": 1,
      "type": "string"
    },
    "has_audit_rights": {
      "type": "boolean"
    },
    "has_availability_provisions": {
      "type": "boolean"
    },
    "has_data_location": {
      "type": "boolean"
    },
    "has_exit_strategy": {
      "type": "boolean"
    },
    "has_integrity_provisions": {
      "type": "boolean"
    },
    "has_service_description": {
      "type": "boolean"
    },
    "has_termination_rights": {
      "type": "boolean"
    },
    "review_date": {
      "format": "date",
      "type": "string"
    }
  },
  "required": [
    "contract_id",
    "review_date",
    "has_service_description",
    "has_data_location",
    "has_availability_provisions",
    "has_audit_rights",
    "has_exit_strategy"
  ],
  "type": "object"
}

sla_monitoring_status

Schema ID: fs-sla-monitoring-status
Control: DORA-Art30-P1

Valid Ranges

monitoring_date: within last 3 months
availability_achieved_percent: should meet or exceed availability_target_percent

JSON Schema

{
  "properties": {
    "availability_achieved_percent": {
      "maximum": 100,
      "minimum": 0,
      "type": "number"
    },
    "availability_target_percent": {
      "maximum": 100,
      "minimum": 0,
      "type": "number"
    },
    "incident_response_sla_met": {
      "type": "boolean"
    },
    "monitoring_date": {
      "format": "date",
      "type": "string"
    },
    "penalties_applied": {
      "type": "boolean"
    },
    "reporting_sla_met": {
      "type": "boolean"
    },
    "sla_breaches_count": {
      "minimum": 0,
      "type": "integer"
    },
    "sla_expired": {
      "type": "boolean"
    },
    "sla_id": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "sla_id",
    "monitoring_date",
    "availability_target_percent",
    "availability_achieved_percent",
    "sla_breaches_count"
  ],
  "type": "object"
}