# ICT Service Provider Perspective

## BAUER GROUP as ICT Third-Party Provider Under DORA

BAUER GROUP, as an IT service provider with clients in the financial sector, falls under Art. 2(1)(u) DORA (ICT third-party service providers). Its obligations do not arise directly from DORA but indirectly, through the contractual requirements that financial entities must impose on their providers (Art. 28–30).
## Obligations Matrix

### Direct Obligations (if designated as CTPP)

| Obligation | Article | BAUER GROUP affected? |
|---|---|---|
| Direct supervision by Lead Overseer | Art. 33 | ❌ No (no CTPP designation) |
| Oversight fees | Art. 43 | ❌ No |
| JET inspections | Art. 40 | ❌ No |

### Indirect Obligations (through client contracts)

| Obligation | Source | BAUER GROUP affected? |
|---|---|---|
| DORA-compliant contract structure | Art. 30 | ✅ Yes |
| Information provision for register | Art. 28(3) | ✅ Yes |
| Grant audit rights | Art. 30(3)(e) | ✅ Yes |
| Incident cooperation & reporting | Art. 30(3)(e) | ✅ Yes |
| TLPT cooperation | Art. 26(4) | ✅ Yes (upon request) |
| Provide exit strategy | Art. 30(3)(h) | ✅ Yes |
| Subcontracting transparency | RTS 2025/532 | ✅ Yes |
| Location transparency | Art. 30(2)(b) | ✅ Yes |
| SLA with measurable KPIs | Art. 30(2)(a) | ✅ Yes |

## Compliance Status BAUER GROUP

### Implemented Measures

- [x] DORA awareness in management
- [x] Inventory of financial sector clients
- [x] Identification of affected contracts
- [x] DORA-compliant contract clauses template created
- [x] Standard contract with all minimum requirements (Art. 30)
- [x] DORA fact sheet for clients (register information)
- [x] SLA definitions with DORA-compliant KPIs
- [x] Exit strategy template
- [x] Subcontracting disclosure
- [x] Incident response playbook with DORA deadlines
- [x] Asset inventory with DORA classification
- [x] Vulnerability management pipeline
- [x] Awareness training for all employees
- [x] BCP/DRP documented and tested
- [x] Annual review of ICT risk management framework established
- [ ] Annual baseline tests (vulnerability scan, pentest)
- [ ] Annual update of information register data
- [ ] Annual awareness training
- [ ] Compliance report for clients

## DORA Fact Sheet (Template for Clients)

Standardised information sheet that BAUER GROUP provides to its financial sector clients:

```markdown
# DORA ICT Third-Party Provider – Information Sheet

## Provider Identification
- **Company:** BAUER GROUP
- **LEI:** [insert LEI]
- **Registration number:** [insert HRx]
- **Address:** [address]
- **DORA contact person:** [name, email, phone]

## Services
- [List of ICT services provided to the client]
- Classification: [critical/important/other]

## Data Processing Locations
- **Primary:** Germany (location XY)
- **Backup/DR:** Germany (location YZ)
- **Cloud infrastructure:** [provider, region]

## Subcontracting
- **Subcontractors:** [list or "none"]
- **Approval requirement:** Yes, per contract

## Security Standards
- **Certifications:** [ISO 27001, SOC 2, etc.]
- **Last audit:** [date]
- **Next audit:** [date]

## Incident Response
- **Internal reporting deadline to clients:** < 1 hour
- **24/7 availability:** [Yes/No, contact]
- **TLPT cooperation commitment:** Yes

## Exit Strategy
- **Transition period:** Minimum 6 months
- **Data export format:** [formats]
- **Deletion confirmation:** Yes, in writing

## Last updated: [date]
```

## Model Contract Clauses

### Incident Cooperation

The contractor undertakes to inform the client without undue delay, but no later than 60 minutes after detecting an ICT-related incident that affects or may affect the services used by the client. The contractor shall support the client in classifying, documenting, and reporting the incident in accordance with the requirements of Regulation (EU) 2022/2554 (DORA).

### Audit Rights

The client, its competent supervisory authority, and third parties appointed by them shall have the right to conduct on-site inspections and audits at the contractor's premises. This includes unrestricted access to the contractor's premises, information, systems, and personnel, insofar as this is necessary for verifying compliance with contractual and regulatory requirements. The contractor shall actively support these audits without undue delay.

### Exit Clause

Upon termination of the contract, the contractor shall grant a transition period of at least 6 months, during which all services shall be continued under unchanged conditions. The contractor shall make all data available to the client in a commonly used, machine-readable format and shall confirm the complete deletion of data in writing upon completion of data transfer.