RoutineMetric

DORA ICT Vendor Criticality Evaluator

Determine whether an Information and Communication Technology (ICT) third-party provider qualifies as supporting a Critical or Important Function (CIF) under the EU Digital Operational Resilience Act (DORA). Assess potential Critical ICT Third-Party Provider (CTPP) designation risk, and generate a customized Article 30 contractual compliance checklist.

Inputs: Vendor & Service Details; DORA Criticality Criteria; ESA Systemic Factors

Assessment Report

Generated in compliance with DORA Articles 30 & 31

DORA Service Classification

Critical or Important Function (CIF)

The disruption of this service would immediately prevent the entity from performing core services or critical operational functions.

Vendor: The Vendor / ICT Service
DORA Art. 30(3) Standard Applies

Systemic Designation Indicator (CTPP Risk)

Low Potential ESA Designation Risk

Measures whether European Supervisory Authorities (ESAs) could flag this vendor as a critical backbone provider under DORA Article 31, introducing direct supervisory oversight.

Designation Score: 25/100

DORA Article 30 Compliance Checklist

Ensure your legal contractual terms contain these mandated clauses.

Mandatory Core Clauses — Article 30(2) (All ICT Services)

  • Clear Service Description (Art 30(2)): A clear and complete description of all functions and ICT services to be provided, specifying whether subcontracting is permitted.
  • Locations of Data Processing (Art 30(2)): The specific regions or countries where the ICT services are provided and where data is processed or stored.
  • Data Protection & Access Rights (Art 30(2)): Provisions on access, recovery, and return of personal and non-personal data in an easily accessible format.
  • Service Level Agreements (SLAs) (Art 30(2)): Precise service level descriptions, including quantitative and qualitative performance targets.
  • Assistance Obligations (Art 30(2)): Obligations of the ICT provider to provide assistance, at no additional cost or at a pre-agreed cost, in the event of a security incident.
  • Termination Rights & Exit Strategies (Art 30(2)): Clear notice periods and termination rights, including transition assistance and mandatory data deletion or return.

Additional Mandatory Clauses for CIFs — Article 30(3)

  • Full Audit & Inspection Rights (Art 30(3), mandatory): Unrestricted rights of access, inspection, and audit by the financial entity and supervisory authorities (ESAs).
  • Strict Performance Metrics & KPI Tracking (Art 30(3), mandatory): Detailed monitoring of service levels and immediate reporting of any failure to meet the agreed service levels.
  • Comprehensive Security Awareness & Threat-Led Testing (Art 30(3), mandatory): A requirement to participate in the financial entity's threat-led penetration testing (TLPT) if so designated.
  • Detailed Subcontracting Constraints (Art 30(3), mandatory): A requirement to obtain explicit written consent before subcontracting any critical sub-function, with strict oversight chains.
  • Mandatory Exit Plans & Transition Periods (Art 30(3), mandatory): Fully fledged alternative-provider transition plans, business continuity assurances, and standard migration paths.

Disclaimer: This evaluator is built as a self-guided logical tool based on standard interpretations of DORA Articles 30 and 31. Under DORA, ultimate compliance responsibility remains with the financial entity’s management body. Consult legal counsel to ratify any complex SLA or contractual exit programme.

Understanding ICT Vendor Criticality & Article 30 Compliance Under DORA

The EU Digital Operational Resilience Act (DORA) establishes consolidated cybersecurity, operational resilience, and third-party risk management standards for the European financial system. A vital pillar of this framework is third-party ICT risk oversight: financial entities are legally obligated to review and systematically categorise all of their Information and Communication Technology (ICT) arrangements in order to guarantee strong security controls and operational business continuity.

What is a Critical or Important Function (CIF)?

Under DORA Article 3(22), a Critical or Important Function (CIF) is defined as any system, platform, or service, the operational failure or disruption of which would materially affect:

  • A financial entity’s continuous financial performance, stability, or soundness.
  • The continuity of core banking, insurance, transaction systems, or investment products.
  • The safety, robustness, and regulatory compliance of the firm's core licensing conditions.

If an ICT vendor supports a CIF, the financial entity must negotiate more stringent contract terms, actively monitor service metrics, design robust exit protocols, and coordinate regular business continuity test drills.

Key Contractual Requirements Under Article 30

DORA mandates a tier-based system for ICT contracts. For *all* ICT service providers (Article 30(2)), baseline legal clauses must exist:

  • Clear descriptions: Every service level, delivery parameter, and subcontracting possibility must be transparently declared.
  • Data locations: Precise definitions of data transit paths and geographic storage limits are required.
  • SLA standards: Robust key performance metrics to benchmark availability and response timelines.

However, when a vendor supports a **CIF** (Article 30(3)), additional legal rights are absolute requirements. The most notable is the **unrestricted right of access, inspection, and physical audit** by internal legal compliance teams, regulatory bodies, or designated third parties. Contracts must also specify custom exit strategies and transition processes to enable seamless migration of critical financial infrastructure during service failures.

What is a Critical ICT Third-Party Provider (CTPP)?

Under DORA Article 31, European Supervisory Authorities (ESAs) possess the power to designate certain dominant ICT providers as Critical ICT Third-Party Providers (CTPPs). Providers classified as CTPPs are subject to direct supervisory oversight by major European regulators (e.g., EBA, EIOPA, or ESMA).

The metrics for this designation depend on systemic importance: the degree of industry concentration, the number of tier-1 financial institutions reliant on the service, and the substitutability profile. This tool evaluates those systemic indicators to indicate to firms whether a prospective partner may fall within the scope of this direct supervisory oversight.