The DORA Vendor Contract Playbook for Legal Counsel

$199.00

A focused course, tailored for you

Draft Article 30-compliant ICT contracts that pass regulatory examination.

Your Article 30 audit clause comes back redlined down to an annual summary report right. Your exit provision has lost its transition timeline. Your incident reporting obligation is a vague 'prompt notification' with no threshold cited. Each contract needs individual attention, but without a systematic framework, you are negotiating the same provisions from scratch on every deal.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Every regulated financial institution in the EU had to renegotiate or supplement its ICT provider contracts to meet Article 30's minimum provisions. For legal teams, this created an unfamiliar problem: the regulatory requirements were highly specific (15 mandatory provisions, defined audit access, RTS-aligned incident reporting thresholds), but the negotiating context was commercial, fast-moving, and vendor-driven. Standard vendor templates did not include the required provisions. Internal guidance on what satisfactory audit language looked like was often unavailable or untested. The result: contracts that carry Article 30 headings but substantively compromised provisions, creating regulatory exposure that surfaces in the next examination cycle.

What you walk away with

  • Map every ICT provider agreement to the correct Article 30 tier and know which provisions are mandatory for each.
  • Draft all 15 Article 30(2) minimum provisions in language that holds up under regulatory examination.
  • Negotiate audit access, exit provisions, and incident reporting obligations confidently against vendor pushback.
  • Build a due diligence and ongoing monitoring regime that produces the documentation regulators ask for.
  • Run an annual contract review cycle that keeps the register current as provider relationships and regulatory standards evolve.

The 12 modules

Module 1. DORA Article 30 Scope and Tiers
DORA Article 30 applies to all ICT provider agreements, but the depth of required provisions scales with the provider's criticality classification. This module maps the scope: which providers require the full set of 15 minimum contractual provisions, which require a lighter framework, and which are excluded. You leave with a decision matrix legal teams use to route each new vendor agreement to the correct template before drafting begins.
Module 2. Building the ICT Provider Register
The provider register is the foundation of every Article 30 analysis and the first document a regulator requests. This module covers the classification criteria under Article 28: what makes a provider critical, how to document the systemic and concentration risk assessment, and what each register entry must show. The output is a defensible classification methodology your business units can apply consistently across new and existing agreements.
Module 3. The 15 Mandatory Provisions: Clause by Clause
Article 30(2) lists the mandatory provisions that must appear in every critical ICT provider agreement. This module walks through each provision: the regulatory text, what the provision requires in practice, drafting approaches that satisfy examination, and language that appears compliant but fails under scrutiny. You finish with annotated template clauses your team can adapt and use as the starting position in every vendor negotiation.
Module 4. Audit Rights: Drafting and Defending the Clause
Audit rights are the most frequently negotiated Article 30 provision and the most frequently compromised. This module distinguishes between audit access that satisfies the regulation and waivers that look similar but do not. Covered: how to scope audit rights against the vendor's subcontractors, what annual summary reports are and are not permitted to replace, and escalation language when a vendor refuses to accept an adequate clause.
Module 5. Exit Strategy and Transition Provisions
Exit and transition provisions under Article 28(8) are among the hardest to negotiate and the easiest to get wrong. This module covers what the exit clause must enable: data retrieval, service continuity during transition, knowledge transfer, and minimum transition periods. Included: how to structure phased exit commitments vendors will accept, and what missing exit provisions look like when a regulator reviews a contract portfolio.
Module 6. Incident Reporting Obligations in Contracts
DORA's regulatory technical standards set specific notification timeframes: initial notification within 4 hours, intermediate report within 24 hours, final report within 72 hours. These thresholds must appear in your ICT vendor contracts. This module covers how to draft vendor notification obligations that meet the cascade timeline, what happens when the vendor is also notifying its own regulator, and how to handle conflicting reporting requirements across jurisdictions.
Module 7. Subcontracting Chains and Third-Party Oversight
When your ICT provider subcontracts material functions, Article 30(2)(b) requires your contract to reach through to those subcontractors. This module covers how to structure the flow-down obligation: what subcontracting disclosure requires as a contractual clause, how to require prior consent for changes in subcontracting arrangements, and how audit rights must extend through the entire subcontracting chain to satisfy examination.
Module 8. ICT Risk Management Specifications in Contracts
DORA Chapter II defines an ICT risk management framework that financial entities must implement internally. The same standards apply to what you contractually require of your ICT providers. This module translates Chapter II obligations into specific contract specifications: business continuity and recovery requirements, information security standards, testing obligations, and how to write them as contractual minimums rather than aspirational targets.
Module 9. Pre-Contractual Due Diligence and Ongoing Monitoring
Before signing any critical ICT provider agreement, regulators expect documented pre-contractual due diligence. This module builds the legal due diligence pack: what information to request from the vendor, how to structure the assessment against Article 28 criteria, what constitutes an adequate risk assessment record for examination, and how to set up the ongoing monitoring regime that keeps the record current after the agreement is signed.
Module 10. Building the Examination Evidence Pack
When regulators examine an ICT third-party risk program, they ask for the contract register, the due diligence records, and the contracts themselves. This module builds the examination evidence pack: how to organize the file, which cross-references regulators follow, which provisions receive the most scrutiny, and how to prepare a narrative response when a provision was negotiated below the regulatory minimum with documented justification.
Module 11. Negotiating with Resistant Large Vendors
Large ICT vendors often present their own standard terms and resist negotiation on audit access, exit provisions, and reporting obligations. This module covers tactics that move resistant vendors: how to use the regulatory obligation as leverage without creating commercial confrontation, how to escalate internally when a vendor position cannot be resolved at counsel level, and which concessions are permissible versus which are not negotiable under any circumstance.
Module 12. Annual Review and Contract Maintenance Cycle
Article 30 is not a one-time exercise. Provider classifications change, subcontracting arrangements change, and the regulatory technical standards are updated. This module builds the annual contract review cycle: what triggers a renegotiation, how to structure the review process, how to document decisions not to renegotiate, and how to maintain the register so it accurately reflects the current contractual position across all active providers.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Vendor returns your audit clause redlined to an annual summary report right: Module 4 (Audit Rights) and Module 11 (Negotiating with Resistant Vendors).
A business unit asks whether a new cloud service needs a full Article 30 agreement or lighter treatment: Modules 1 and 2 (Scope, Tiers, and Register).
An ICT provider announces it is subcontracting a critical function to a third party: Module 7 (Subcontracting Chains and Third-Party Oversight).
A regulator requests your ICT provider contract register and sample agreements during an examination: Modules 2 and 10 (Register and Examination Evidence Pack).

What you get with this course

  • 12 text-based modules in the Art of Service learning environment
  • Downloadable template clause library covering all 15 Article 30(2) mandatory provisions
  • Pre-contractual due diligence request template for ICT provider assessments
  • Annual contract review checklist and register maintenance guide
  • Hand-built implementation playbook tailored to your vendor tier structure and negotiation context

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

ICT provider contracts have the right Article 30 section headings but the substance has been negotiated away. Audit access is a summary report right. Exit provisions have no transition timeline. Incident reporting thresholds do not match the regulatory technical standards. Each agreement required individual attention with no systematic approach to build from.

After

Every new ICT provider agreement starts from a clause library tested against the regulatory requirements. Negotiation positions are documented. The register is current. Examination requests are answered with a pre-organized evidence pack rather than a document search under pressure.

What happens if you do not address this

Each cycle without a systematic review leaves existing contracts unexamined. Concentration risk accumulates as providers deepen their integration without updated contractual protections. When a regulator examines the program, gaps in the contract portfolio are the first finding cited.

Who it is for

Legal counsel at EU-regulated financial institutions responsible for drafting or reviewing ICT provider agreements. Typically working at a bank, insurer, asset manager, or investment firm where the legal team handles both the commercial negotiation and the regulatory compliance sign-off. Often the only person in the negotiation room who understands both what the regulation requires and what the vendor will actually accept.

Who this is NOT for. Compliance officers not directly involved in contract drafting. Legal teams at non-EU financial institutions where DORA does not apply. Procurement specialists who refer contract terms to legal for review rather than drafting them.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Six to eight hours across the 12 modules. Can be completed in one working week or spread over two.

Why $199 is the right number

Most DORA guidance available to legal teams is written by consultancies for compliance officers, not for counsel doing the actual contract drafting. This course covers the regulatory text and the practical clause language side by side, in the context of a negotiation rather than a policy review.

FAQ

Does this course cover the regulatory technical standards on subcontracting under DORA?
Yes. Modules 7 and 8 cover the subcontracting RTS and ICT risk management standards in full, including how to structure the flow-down obligation and how to write contractual specifications that match the regulatory requirements.
My firm has existing ICT vendor contracts that predate DORA. Does this course help with remediation?
Yes. The register and classification methodology in Modules 1 and 2 is designed to work on existing agreements. Module 12 covers the prioritized remediation approach when you have a large portfolio to work through systematically.
What if a vendor is based outside the EU and resists accepting DORA obligations?
Module 11 covers this scenario specifically, including escalation paths and the limited circumstances where a variation from the minimum standards is documented and defensible under a risk-based approach.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
