Article 30: Key contractual provisions
To meet the Article 30 (key contractual provisions) requirement, you must ensure every ICT third-party contract clearly allocates rights and obligations in writing, includes the applicable service level agreements, and is kept as a single written contract available in a durable, downloadable, accessible format (Regulation (EU) 2022/2554, Article 30). Operationalize this by standardizing contract language, running a contract gap assessment, and retaining evidence that the signed “one-document” agreement includes the SLA pack.
Key takeaways:
- Keep ICT third-party arrangements in one written contract that includes SLAs and is durable, downloadable and accessible (Regulation (EU) 2022/2554, Article 30).
- Build a contract controls matrix so each DORA obligation has an owner, clause reference, and evidence artifact.
- Prioritize remediation for material ICT services and renewals; don’t wait for a full re-papering cycle.
Article 30 is a contract hygiene requirement with real supervisory consequences: you need written ICT third-party contracts that are complete, internally consistent, and retrievable on demand. The text is short, but the operational lift is not. Most gaps show up in two places: (1) rights and obligations are scattered across a master agreement, order forms, online terms, and a security addendum that do not line up; (2) SLAs exist in practice but are not formally incorporated into the contract package you can produce quickly.
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat Article 30 as a documentation and traceability problem. Your goal is a contract package that a supervisor (or internal audit) can pick up and use without interpretation: it should show who must do what, when, and to what standard, and it should be stored in a durable format with clear version control. This page gives you requirement-level steps, the artifacts to retain, and the audit questions you should pre-answer so you can operationalize the Article 30 (key contractual provisions) requirement quickly and defensibly.
Regulatory text
Requirement (excerpt): “The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.” (Regulation (EU) 2022/2554, Article 30)
What the operator must do
Translate the excerpt into three non-negotiables you can test across your third-party population:
- Clear allocation of rights and obligations (in writing).
  - Your contract must explicitly assign responsibilities between your firm and the ICT third party (e.g., incident notification responsibilities, change management responsibilities, security control responsibilities, access and cooperation responsibilities).
  - “Clear” means a reviewer can identify ownership without chasing cross-references or implied practices.
- The full contract includes SLAs.
  - SLAs must be part of the contract package, not “handled operationally” or posted on a portal without incorporation.
  - If SLAs are in an exhibit, order form, or statement of work, they still must be included in the full contract set.
- One written document in a durable, downloadable, accessible format.
  - Treat this as a “single contract package” requirement: one compiled document (or a single compiled file) that contains the executed agreement plus incorporated schedules/exhibits/SLAs.
  - You must be able to produce it quickly in a durable format (for example, a finalized PDF with signatures and incorporated attachments) (Regulation (EU) 2022/2554, Article 30).
Plain-English interpretation
Article 30 expects that ICT outsourcing is not governed by a collage of inconsistent artifacts. If you cannot hand a regulator a single, complete contract package that shows responsibilities and SLAs, you are exposed. The rule is less about negotiating “stronger” terms and more about making the obligations explicit, written, and retrievable.
A practical way to read it: if your operational team needs to guess who owns incident response steps or where the uptime metric lives, you are already behind the standard.
Who it applies to
Entity scope
- Financial entities in scope of DORA that procure ICT services from ICT third-party service providers (Regulation (EU) 2022/2554, Article 30).
Operational scope (where this shows up)
- Cloud hosting and managed infrastructure
- SaaS platforms supporting regulated processes (customer onboarding, payments, trading support, risk, finance)
- Managed security services
- Data processing, analytics, and reporting platforms
- Any arrangement where service performance is governed by SLAs and failures could affect availability, integrity, or continuity of ICT services
What you actually need to do (step-by-step)
Step 1: Define your “Article 30 contract package” standard
Create a short internal standard that contract owners and Legal must follow. Include:
- What counts as “the full contract” (master + order form + DPA + security addendum + SLA exhibit).
- What “one written document” means in your tooling (a compiled PDF package with a table of contents and version label).
- Minimum metadata required (third party name, service name, business owner, effective date, term, renewal date, contract repository location).
Tip: Write the standard so it can be tested with a yes/no checklist.
Step 2: Build a clause-to-obligation mapping (contract controls matrix)
Create a register that maps:
- Article 30 obligation → contract section(s) that satisfy it → contract owner → evidence location.
- Track “SLA included” as an explicit field (yes/no + where).
This is where Daydream typically fits naturally: teams use it to keep a single register that ties the legal obligation to accountable owners and the evidence artifacts supervisors ask for, without relying on tribal knowledge.
Step 3: Inventory your ICT third parties and prioritize review
You need a review queue. Don’t boil the ocean.
- Start with ICT third parties that support important business services, sensitive data processing, or core infrastructure.
- Include contracts up for renewal or renegotiation first, because remediation is cheaper at those moments.
Step 4: Run a contract package gap assessment
For each prioritized third party, answer:
- Can we produce a single compiled contract package (one file) with signatures?
- Are SLAs included in that package and explicitly incorporated?
- Are rights/obligations clearly allocated, or are they implied and scattered?
Output: a gap log with remediation actions and owners.
Step 5: Remediate using controlled patterns
Common remediation patterns that work in practice:
- Add an SLA exhibit (or incorporate the provider’s SLA by attaching the exact version and date).
- Execute an amendment that consolidates documents and resolves conflicts.
- Create an order form addendum that incorporates the full list of exhibits and overrides online terms.
Avoid “we can download it from the portal” unless the contract explicitly treats that SLA version as incorporated and you can preserve it as durable evidence (Regulation (EU) 2022/2554, Article 30).
Step 6: Implement a regulatory-response workflow
Supervisors may ask for the contract quickly. Operationalize a workflow:
- Intake: request received (regulator, auditor, internal risk).
- Assignment: Legal + third-party owner + ICT risk review.
- Production: export “one-document” contract package.
- Approval: Compliance sign-off that the package includes SLAs and clear allocations.
- Logging: store what was produced, when, and by whom.
Step 7: Bake Article 30 into contracting and procurement controls
Add gates to prevent reintroducing the gap:
- Procurement checklist item: “SLA incorporated into contract package.”
- Legal playbook clause: “single written document / compiled package required.”
- Repository rule: no “active” status unless the compiled package is stored and tagged.
Required evidence and artifacts to retain
Keep artifacts in a way that lets you answer “show me” without a scramble:
- Executed contract package (single compiled durable file) that includes (Regulation (EU) 2022/2554, Article 30):
  - Master agreement and all incorporated exhibits/schedules
  - SLA(s), including service credits/performance measures if applicable
  - Any amendments or change orders
- Contract controls matrix (Article 30 mapping):
  - Obligation → clause reference → owner → repository link
- SLA version control evidence:
  - The exact SLA text/version that applies, preserved as a durable artifact
  - If the SLA is updated, evidence of the update path (amendment or formally incorporated change)
- Gap assessment and remediation log:
  - Findings, actions, approvals, completion evidence
- Regulatory-response workflow records:
  - Request ticket, exported package, timestamps, approvals
Common exam/audit questions and hangups
Expect auditors and supervisors to press on production speed, completeness, and clarity:
- “Show me the full contract for this ICT third party, including SLAs, as one document.” (Regulation (EU) 2022/2554, Article 30)
- “Where are responsibilities allocated for availability, incident handling, and change control? Point to the clause.”
- “How do you ensure the SLA in the contract matches what operations monitors?”
- “If the provider updates online terms, how do you know what applies to you, and how do you preserve it?”
- “Who owns the contract and who validates the evidence package is complete?”
Hangup to preempt: teams often store pieces across systems (CLM, shared drives, ticketing systems) without a compiled authoritative copy.
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails Article 30 | How to avoid it |
|---|---|---|
| SLAs “exist” but are not incorporated | The full contract must include SLAs (Regulation (EU) 2022/2554, Article 30) | Attach SLAs as exhibits or incorporate by reference with preserved version text |
| Contract is split across links/portal terms | “One written document” and durable format expectation (Regulation (EU) 2022/2554, Article 30) | Produce a compiled, signed package; archive portal terms as an exhibit if used |
| Responsibilities are implied, not assigned | “Clearly allocated” requirement (Regulation (EU) 2022/2554, Article 30) | Add a responsibilities schedule (RACI-style) or tighten operative clauses |
| No owner for contract evidence | Evidence becomes fragmented | Assign a single accountable owner per third party and require periodic validation |
| Remediation only at renewal | Long tail of nonconforming contracts | Start with top-risk ICT third parties; amend where necessary |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, the risk is supervisory findings that your third-party risk management and ICT governance are not demonstrably controlled. The most common impact is operational: delays in providing contract evidence, inconsistent obligations across documents, and disputes with third parties during incidents because responsibilities were not explicitly set out in writing (Regulation (EU) 2022/2554, Article 30).
A practical 30/60/90-day execution plan
Use phased milestones instead of a “big bang” rewrite.
First 30 days (stabilize and triage)
- Publish the internal “Article 30 contract package” standard (definition + checklist).
- Stand up the contract controls matrix template and assign ownership.
- Identify the highest-impact ICT third parties and pull their current contract artifacts into one workspace for review.
- Test retrieval: attempt to produce one compiled package for a sample and log failures.
Next 60 days (remediate and operationalize)
- Complete gap assessments for prioritized third parties.
- Execute amendments or addenda to incorporate SLAs and consolidate documents where gaps exist (Regulation (EU) 2022/2554, Article 30).
- Implement the regulatory-response workflow with Legal and Compliance sign-off.
- Train procurement and contract owners on the new intake checklist.
Next 90 days (embed and prove)
- Expand coverage to the broader ICT third-party population using a risk-based queue.
- Add repository controls: “active contract” requires a compiled package and mapped obligations.
- Run a readiness drill: simulate an evidence request and measure whether you can produce the one-document package and mapping without rework.
- Track corrective actions to closure and keep validation evidence.
Frequently Asked Questions
Do we really need a single PDF if the contract is stored in a CLM with multiple attachments?
Article 30 requires the full contract to be documented in one written document and available in a downloadable, durable, accessible format (Regulation (EU) 2022/2554, Article 30). In practice, generate a compiled export from the CLM that includes all incorporated exhibits and SLAs, then store that export as the authoritative evidence artifact.
Can we incorporate the provider’s SLA “as published on their website”?
You can only defend this if the contract clearly incorporates a specific, identifiable SLA version and you preserve that exact text as part of the durable contract package (Regulation (EU) 2022/2554, Article 30). Otherwise, you risk not being able to prove what SLA applied at a point in time.
What if different documents conflict (master agreement vs. order form vs. security addendum)?
Conflicts undermine “clearly allocated” obligations because the reviewer cannot reliably determine responsibilities (Regulation (EU) 2022/2554, Article 30). Fix this with an amendment that sets precedence and consolidates the incorporated documents into a single package.
Does Article 30 require specific SLA targets (like uptime numbers)?
Article 30, as provided here, requires that SLAs are included in the full written contract and that obligations are clearly allocated (Regulation (EU) 2022/2554, Article 30). It does not specify SLA performance levels in the excerpt, so treat targets as a business and risk decision, then ensure they are contractually captured.
Who should own compliance for Article 30, Legal or Third-Party Risk?
Assign accountability to a single control owner (often Third-Party Risk or ICT risk) with Legal responsible for contract language and Compliance responsible for oversight and evidence standards. Article 30’s operational failure mode is fragmented ownership, so make the RACI explicit and keep it in the contract controls matrix.
How do we show “clear allocation” without rewriting every contract?
For many providers, an addendum that assigns responsibilities in a schedule and references the relevant clauses is enough, as long as it is executed and included in the single contract package (Regulation (EU) 2022/2554, Article 30). Focus first on critical ICT third parties and contracts with known incident/availability dependencies.