Register of information
ICT suppliers in DORA - which contracts must be recorded?
Recording ICT supplier contracts is a fundamental DORA requirement, but there is significant confusion about which contracts are actually in scope. This guide cuts through the complexity to give you clear, actionable answers about what needs to be in your DORA register of information.

1. Which contracts are in scope?

The simple answer: every contract with a supplier that provides ICT services to your organisation. This includes contracts with:

• ICT third-party service providers: any outside company (whether a legal or a natural person) providing ICT services
• ICT intra-group service providers: entities within your group that predominantly provide ICT services to other group entities

The key question is: does the supplier provide ICT services? If yes, the contract must be recorded. There is no minimum contract value, no exception for "small" suppliers, and no carve-out for "non-critical" services. If it is an ICT service contract, it is in scope.

2. What counts as an ICT service?

DORA deliberately uses a broad definition of ICT services. According to Article 3(21), ICT services are "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis".

Simple test: if the service involves technology, data or digital delivery on an ongoing basis, it is likely an ICT service.

Important exception: regulated financial services provided by regulated financial entities (banking, insurance, etc.) are not considered ICT services, even if they have a technology component.

3. Recording at the service level

Here is where many organisations get it wrong. You do not just record contracts; you must record each ICT service provided under those contracts. For every contract, you must:

• Identify all ICT services delivered
• Classify each service using one of the 19 predefined service types (S01 to S19)
• Record every service type delivered under the contract

Example: your Microsoft Enterprise Agreement might include:

• Office 365 (S19, cloud services: SaaS)
• Azure cloud infrastructure (S17, cloud services: IaaS)
• Microsoft security services (S04, ICT security management services)

This single Microsoft contract therefore requires three separate records, one for each service type.

4. The 19 service types you must use

Every ICT service must be classified into one of these categories:

S01 ICT project management: provision of services related to a project management office (PMO)
S02 ICT development: provision of services related to business analysis, software design and development, and testing
S03 ICT help desk and first level support: provision of services related to helpdesk support and first level support on ICT incidents
S04 ICT security management services: provision of services related to ICT security (protection, detection, response and recovery), including security incident handling and forensics
S05 Provision of data: subscription to the services of data providers (digital data service)
S06 Data analysis: provision of services related to the support for data analysis (digital data service)
S07 ICT, facilities and hosting services (excluding cloud services): provision of ICT infrastructure, facilities and hosting services, including the provision of utilities (energy, heat management, etc.), telecom access and physical security (excluding cloud services), payment processing activities, or operating payment infrastructures
S08 Computation: provision of digital processing capabilities (including data computation), excluding computation services performed in the context of a cloud environment
S09 Non-cloud data storage: provision of a data storage platform (excluding cloud services)
S10 Telecom carrier: operations for telecommunication systems and flow management; traditional analogue telephone services are explicitly excluded pursuant to Article 3, point (21), of Regulation (EU) 2022/2554
S11 Network infrastructure: provision of network infrastructure
S12 Hardware and physical devices: provision of workstations, phones, servers, data storage devices, appliances, etc. in the form of a service
S13 Software licencing (excluding SaaS): provision of software run on premises
S14 ICT operation management (including maintenance): provision of services related to infrastructure (systems and hardware, except network) configuration, maintenance, installation, capacity management, business continuity management, etc., including managed service providers (MSP)
S15 ICT consulting: provision of intellectual / ICT expertise services
S16 ICT risk management: verification of compliance with ICT risk management requirements in accordance with Article 6(10) of Regulation (EU) 2022/2554
S17 Cloud services: IaaS (infrastructure as a service)
S18 Cloud services: PaaS (platform as a service)
S19 Cloud services: SaaS (software as a service)

You cannot create your own categories or use generic descriptions. Pick the closest match from the official list.

5. Common pitfalls to avoid

Do not make these mistakes:

• Recording only "important" contracts: all ICT service contracts are in scope
• Creating one entry (schema 02.02) per contract: you need one entry per service type within each contract
• Using your own service categories: you must use the official S01 to S19 classifications
• Excluding intra-group providers: internal ICT service providers count too
• Forgetting embedded ICT services: even if ICT is not the main purpose of the contract, its ICT components must be recorded

6. Why this comprehensive approach?

Recording all ICT suppliers is not bureaucracy; it is essential risk management:

• Complete visibility: you cannot manage risks in contracts you have not identified
• Concentration risk: understanding your full supplier landscape reveals dangerous dependencies
• Regulatory compliance: supervisors need the complete picture, not just the "important" parts

7. Practical next steps

Start with these actions:

• Inventory all contracts: gather a list of all your contracted suppliers
• Apply the ICT service test: does this supplier provide digital or data services on an ongoing basis?
• Identify service types: break down each contract into its component ICT services
• Classify using S01 to S19: assign the appropriate category to each service
• Build your DORA-proof inventory

Remember: when in doubt, include it. The regulatory expectation is comprehensive coverage, and it is better to over-include initially and refine later than to miss contracts that should be in scope.

The DORA supplier inventory is not just about compliance; it is about knowing exactly who provides your technology services and understanding your complete ICT supply chain. That visibility is fundamental to managing digital operational resilience.
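The following is an added example, not code from the original page and not an official DORA register template. It carries out the procedure described in sections 3 and 7: take contract-level records, reject any service-type code outside the official S01 to S19 list, expand each contract into one register row per service type (so the page's Microsoft example yields three rows even when two products fall under the same type), keep intra-group and third-party providers side by side, and summarise how many service types each provider delivers as a first concentration-risk check. The S-codes and their names are taken from the page's list; the input field names (`provider`, `contract_ref`, `intra_group`, `services`), the output column names, and the sample contracts are assumptions constructed for this illustration, not the field names of the regulatory templates.

```python
"""Expand contract-level supplier data into service-level register rows.

Added example. The S01-S19 codes come from the DORA register of information
service-type list; the record shape and column names below are assumptions
for this illustration, not the official template fields.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Official service-type codes (S01-S19) as listed on the page.
SERVICE_TYPES = {
    "S01": "ICT project management",
    "S02": "ICT development",
    "S03": "ICT help desk and first level support",
    "S04": "ICT security management services",
    "S05": "Provision of data",
    "S06": "Data analysis",
    "S07": "ICT, facilities and hosting services (excluding cloud services)",
    "S08": "Computation",
    "S09": "Non-cloud data storage",
    "S10": "Telecom carrier",
    "S11": "Network infrastructure",
    "S12": "Hardware and physical devices",
    "S13": "Software licencing (excluding SaaS)",
    "S14": "ICT operation management (including maintenance)",
    "S15": "ICT consulting",
    "S16": "ICT risk management",
    "S17": "Cloud services: IaaS",
    "S18": "Cloud services: PaaS",
    "S19": "Cloud services: SaaS",
}


@dataclass
class Contract:
    """Contract-level input record (field names are assumptions)."""
    provider: str
    contract_ref: str
    intra_group: bool = False
    # ICT service name -> service type code; empty means no ICT services.
    services: dict = field(default_factory=dict)


def expand_register(contracts):
    """Expand contracts into one register row per (contract, service type).

    Returns (rows, out_of_scope, errors):
      rows         - service-level entries, one per service type per contract
      out_of_scope - contracts with no ICT services (not recorded)
      errors       - services with a code outside S01-S19 (must be fixed,
                     never silently dropped or mapped to a made-up category)
    """
    rows, out_of_scope, errors = [], [], []
    for c in contracts:
        if not c.services:
            out_of_scope.append(c.contract_ref)
            continue
        by_type = defaultdict(list)  # code -> service names under that code
        for name, code in c.services.items():
            if code not in SERVICE_TYPES:
                errors.append(f"{c.contract_ref}: {name!r} has unknown type {code!r}")
            else:
                by_type[code].append(name)
        # One row per service type, even if several products share a type.
        for code in sorted(by_type):
            rows.append({
                "contract_ref": c.contract_ref,
                "provider": c.provider,
                "provider_kind": "intra-group" if c.intra_group else "third-party",
                "service_type": code,
                "service_type_name": SERVICE_TYPES[code],
                "services": sorted(by_type[code]),
            })
    return rows, out_of_scope, errors


def concentration_by_provider(rows):
    """Distinct contracts and service types per provider (a first dependency view)."""
    contracts, types = defaultdict(set), defaultdict(set)
    for r in rows:
        contracts[r["provider"]].add(r["contract_ref"])
        types[r["provider"]].add(r["service_type"])
    return {p: {"contracts": len(contracts[p]), "service_types": len(types[p])}
            for p in contracts}


# Constructed sample input: the page's Microsoft example plus invented records.
SAMPLE_CONTRACTS = [
    Contract("Microsoft", "MS-EA-2024", services={
        "Office 365": "S19",
        "Azure cloud infrastructure": "S17",
        "Microsoft security services": "S04",
        "Microsoft Defender": "S04",          # same type as above: one row
    }),
    Contract("Group IT Services Ltd", "IG-SLA-01", intra_group=True, services={
        "Service desk": "S03",
        "Server operations": "S14",
    }),
    Contract("Office Cleaning Co", "FAC-07"),  # no ICT services: out of scope
    Contract("Acme Data Corp", "DATA-12", services={"Market data feed": "S20"}),
]

if __name__ == "__main__":
    rows, out_of_scope, errors = expand_register(SAMPLE_CONTRACTS)
    for r in rows:
        print(r["contract_ref"], r["provider_kind"], r["service_type"], r["services"])
    print("out of scope:", out_of_scope)
    print("errors:", errors)
    print(concentration_by_provider(rows))
```

Invalid codes are reported rather than guessed at, which matches the page's rule that only the official classifications may be used; the "Market data feed" entry above is deliberately mis-coded to show that path. Contracts with no ICT services are returned separately so a reviewer can confirm they really carry no embedded ICT component before leaving them out of the register.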