Free Tool

DORA Article 30 Clause Gap Tool

Check each ICT third-party contract against DORA Article 30 — the mandatory 30(2) baseline provisions and the augmented 30(3) clauses for critical or important functions — and export a scored coverage report with the gaps to fix.

Governing AI vendors under DORA? Read governing AML and payments agents.

Clause coverage: 0%

Assessed 0/18 · 0 gaps

Baseline provisions — every ICT third-party contract (Article 30(2))

These clauses are mandatory in all ICT third-party arrangements, regardless of criticality.

Clear, complete description of all functions and ICT services, including subcontracting conditions

DORA Art 30(2)(a)

Locations (regions/countries) where services are provided and data is processed, with change notification

DORA Art 30(2)(b)

Provisions on availability, authenticity, integrity and confidentiality of data

DORA Art 30(2)(c)

Access, recovery and return of data on insolvency, resolution or termination

DORA Art 30(2)(d)

Service level descriptions, including updates and revisions

DORA Art 30(2)(e)

Provider assistance on ICT incidents at no additional or agreed cost

DORA Art 30(2)(f)

Obligation to fully cooperate with competent and resolution authorities

DORA Art 30(2)(g)

Termination rights and minimum notice periods

DORA Art 30(2)(h)

Conditions for participation in ICT security awareness programmes and training

DORA Art 30(2)(i)

Augmented provisions — critical or important functions (Article 30(3))

Where the arrangement supports a critical or important function, the contract must additionally contain these.

Full service level descriptions with precise quantitative and qualitative performance targets

DORA Art 30(3)(a)

Notice periods and provider reporting obligations, including developments that materially impact

DORA Art 30(3)(b)

Requirement to implement and test business contingency plans and ICT security measures

DORA Art 30(3)(c)

Participation and full cooperation in the financial entity’s threat-led penetration testing (TLPT)

DORA Art 30(3)(d)

Unrestricted rights of access, inspection and audit (entity, appointee, competent authority)

DORA Art 30(3)(e)

Exit strategies with mandatory adequate transition periods

DORA Art 30(3)(f)

Register and AI-vendor linkage

Arrangement recorded in the Register of Information

DORA Art 28(3)

Critical-or-important determination documented per ICT service

DORA Art 28

GenAI / LLM providers assessed and contracted as ICT third parties

Cloud-hosted model providers (e.g. OpenAI, Anthropic, Azure OpenAI) are ICT third parties; AML, fraud and chatbot use cases can be critical or important functions.

DORA Art 3(19)-(22)

Prioritised gaps

18 item(s) to address

Clear, complete description of all functions and ICT services, including subcontracting conditions — Not assessed
Locations (regions/countries) where services are provided and data is processed, with change notification — Not assessed
Provisions on availability, authenticity, integrity and confidentiality of data — Not assessed
Access, recovery and return of data on insolvency, resolution or termination — Not assessed
Service level descriptions, including updates and revisions — Not assessed
Provider assistance on ICT incidents at no additional or agreed cost — Not assessed
Obligation to fully cooperate with competent and resolution authorities — Not assessed
Termination rights and minimum notice periods — Not assessed
Conditions for participation in ICT security awareness programmes and training — Not assessed
Full service level descriptions with precise quantitative and qualitative performance targets — Not assessed
Notice periods and provider reporting obligations, including developments that materially impact — Not assessed
Requirement to implement and test business contingency plans and ICT security measures — Not assessed
+ 6 more in the export.

Export your scored assessment and prioritised gap list. Everything stays in your browser — nothing is uploaded.

No Grace Period

DORA has applied since 17 January 2025 with no phase-in for Article 30 — pre-2025 ICT contracts that miss these clauses are non-compliant today.

Baseline and Augmented

Separates the 30(2) clauses every contract needs from the 30(3) clauses required when the arrangement supports a critical or important function.

Your AI Vendor Is an ICT Third Party

Cloud-hosted model providers are ICT third parties under DORA; AML, fraud and chatbot use cases can be critical or important functions that trigger the augmented clauses.

Disclaimer: This tool helps you check ICT third-party contracts against DORA Article 30. It is not legal advice. Confirm your contractual obligations with qualified counsel familiar with your arrangements.