Contract Management
Contractual Requirements (Art. 30)
All contracts with ICT third-party service providers must contain the 8 minimum contractual requirements. Additional requirements apply for critical/important functions.
Contract Module System for BAUER GROUP
Module A: Baseline (all financial sector clients)
- Service description with functional mapping
- Data processing locations
- SLA with measurable KPIs
- Data access and return
- Incident cooperation clause
- Audit rights
- Termination rights
- Exit strategy
Module B: Extended (critical/important functions)
In addition to Module A:
- Disclose complete subcontracting chain
- Location changes only with prior approval
- Business impact analysis
- Specific emergency and continuity planning
- TLPT cooperation clause
- Regular compliance evidence
Contract Review Checklist
## DORA Contract Review – Checklist
**Contract:** ___________________
**Client:** ___________________
**Date:** ___________________
**Reviewer:** ___________________
### Art. 30(2) – Minimum Requirements
- [ ] (a) Clear and complete description of all functions/services
- [ ] (a) Statement whether critical/important function is supported
- [ ] (b) Data processing and storage locations
- [ ] (b) Prior notification obligation for location changes
- [ ] (c) Availability, authenticity, integrity, confidentiality provisions
- [ ] (d) Data access, return, and deletion upon contract termination
- [ ] (e) SLAs with quantitative and qualitative KPIs
- [ ] (f) Cooperation obligation for ICT incidents
- [ ] (g) Termination rights and minimum notice periods
### Art. 30(3) – Additional for Critical Functions
- [ ] (a) Complete service description with SLAs
- [ ] (b) Notification obligations and reporting deadlines
- [ ] (c) Business continuity and emergency plans
- [ ] (d) Participation in TLPT
- [ ] (e) Unrestricted audit rights (incl. supervisory authority)
- [ ] (f) Exit strategies with transition periods
- [ ] (g) Subcontracting transparency and approval
### RTS 2025/532 – Subcontracting
- [ ] Due diligence for subcontractors documented
- [ ] Risk assessment of subcontracting chain
- [ ] Contractual pass-through rights
- [ ] Change/approval process defined
### Result
- [ ] ✅ Fully DORA-compliant
- [ ] ⚠️ Adjustment needed (see appendix)
- [ ] ❌ Material gaps (contract amendment required)
Legacy Contract Migration
- Inventory: Export all active contracts with financial sector clients from the CRM
- Gap check: Review each contract against checklist
- Prioritisation: Critical functions first
- Adjustment: Contract amendment or new contract
- Tracking: Status in the CRM pipeline as a custom property