Audit and Oversight of ICT Providers under DORA: How to Effectively Enforce the Right to Supervision

    With the DORA regulation coming into force in January 2025, financial institutions must carefully review their relationships with ICT providers. Until now, many banks have struggled to enforce audit rights, even when such clauses were formally included. DORA requires full, unrestricted rights of access, control and audit, as well as cooperation between the provider and the regulator. Below, we outline the obligations, challenges, model contract clauses, and alternative supervision methods in line with the regulation.

    Audit as a Regulatory Obligation – What Does DORA Say?

    DORA introduces harmonised requirements for ICT risk management and supplier oversight across the EU. Each ICT agreement must include the right to unlimited control, exercised by the institution or an appointed third party. This includes access to documentation, systems, on-site visits, and the right to copy necessary data. The provider must also fully cooperate with the competent supervisory authority.

    Challenges with Global Providers (AWS, Azure, Google)

    Hyperscalers use standard terms, making negotiation of detailed audit clauses difficult. Smaller institutions have limited bargaining power and often receive only SOC reports or certificates.
    DORA introduces a Lead Overseer, who may supervise critical ICT providers directly at the EU level. However, institutions must still actively enforce agreed provisions and monitor associated risks.

    Contractual Clauses: Examples and Best Practices

    An outsourcing agreement should include the full scope of services, locations, SLAs, security measures, and a contingency plan. A key clause grants the institution the right to perform remote and on-site audits, either periodically or ad hoc. The regulator must have the same rights of access and control at the provider. The contract should limit sub-outsourcing or require institutional consent for key subcontractors. It is important to specify data locations and the procedure for jurisdictional changes.
    The contract must include incident response support, response time definitions, and security standards (e.g. ISO 27001). Termination clauses should cover serious breaches, weak ICT risk governance, or obstructed oversight.


    Alternatives: Third-Party Assurance, ISO Certificates, SOC Reports

    Institutions may rely on joint audits or independent auditor reports, sharing both costs and outcomes. ISO 27001 certificates or SOC 2 reports offer a basic level of oversight for less critical services.
    The institution should verify the validity of such attestations annually and request details on any non-conformities. For high-risk services, a certificate cannot replace a full on-site audit.

    Cooperation with Regulators in Disputed Situations

    The regulator may organise a tripartite meeting, often motivating the provider to cooperate. The institution should document requests, audits, and corrective actions, keeping the regulator informed of progress. If a non-EU provider refuses to share data, the regulator may invoke international cooperation mechanisms.

    Summary

    DORA requires enhanced oversight of ICT providers and the update of critical outsourcing agreements. Success depends on clear clauses, their daily enforcement, and proactive collaboration with regulators.
    Strategies based on certifications and external audits may reduce costs but do not replace risk accountability. The new rules provide institutions with stronger tools to maintain operational resilience.