Example Conversation

You: We need to review our cloud hosting contract with NordCloud GmbH for DORA Art. 30 compliance. This provider hosts our core banking middleware – it’s definitely a critical function. The contract was signed in 2021 before DORA came into force.

Agent: I’ll set up a structured review of the NordCloud GmbH contract against all DORA Art. 30 requirements. Since the service supports a critical or important function, both the Art. 30(2) general provisions and Art. 30(3) enhanced provisions apply.

Let me gather the contract details. Could you share the existing contract document or its key terms? I’ll need to map each clause against the Art. 30 requirements.

You: I’ve uploaded the contract as nordcloud-hosting-agreement-2021.pdf.

Agent: I’ve read through the NordCloud hosting agreement. Here’s what I found so far:

Present but potentially weak:

• Service description (Section 2) – describes “cloud hosting services” but lacks detail on specific ICT functions and doesn’t address sub-outsourcing at all
• Service levels (Schedule B) – includes 99.5% uptime target but uses “reasonable efforts” language rather than firm commitments
• Termination (Section 12) – 90-day mutual notice, but no termination rights for material breach or supervisory order

Missing entirely:

• Data processing and storage locations – no country-level specification
• Incident assistance obligation – no cost provisions for incident support
• Authority cooperation clause
• Training participation conditions
• All Art. 30(3) enhanced provisions (performance targets, reporting, contingency, TLPT, audit rights, exit strategy)

This is a pre-DORA contract, so the gaps are expected. Shall I draft remediation clauses for each gap, or would you prefer a full compliance review report first?

You: Start with the compliance review report, then draft the missing clauses. Pay special attention to the audit rights and exit strategy – those are our negotiation priorities.

Agent: I’ll structure the contract terms and run the compliance checker first, then produce the full report with drafted clauses.

I’ve built the contract terms structure from the existing agreement and run dora_contract_checker. Results: 7 errors (missing mandatory provisions) and 2 warnings (weak language in service levels and sub-outsourcing).

The compliance review report is saved to output/NordCloud-DORA-Art30-Review.md. It includes:

• Compliance matrix mapping each Art. 30 requirement to the current contract
• Gap analysis with 7 missing provisions flagged as errors
• Drafted model clauses for all gaps, with particular detail on:
  • Audit rights (Art. 30(3)(e)): unrestricted access clause with no frequency caps, third-party auditor rights, competent authority access, and on-site documentation copying
  • Exit strategy (Art. 30(3)(f)): 12-month transition period, continued service at current SLAs, data return in open formats within 30 days, certified deletion within 60 days, and no-penalty exit on material breach or supervisory order
• GDPR alignment check – recommending a separate Data Processing Agreement to complement the DORA provisions
• Information register data points extracted for your Art. 28(3) register

Sample Output Excerpt

The skill produces a structured compliance review report with a requirement-by-requirement matrix, gap analysis, and drafted remediation clauses.

DORA Art. 30 – Contract Compliance Review Report

Financial Entity: Meridian Bank AG ICT Service Provider: NordCloud GmbH (DE-HRB 123456) Contract Reference: SVC-2021-0847 Review Date: 2026-04-02 Critical or Important Function: YES – Core banking middleware hosting

Executive Summary

The NordCloud hosting agreement predates DORA and covers only basic commercial terms. Of the 16 Art. 30 requirements assessed (10 general + 6 enhanced), 7 are missing entirely and 2 contain weak language that may not satisfy supervisory expectations. Priority remediation is required before the January 2025 DORA application date.

Overall Compliance Status: PARTIALLY COMPLIANT

Art. 30(3)(e) – Audit Rights (MISSING)

Status: ERROR – No audit rights clause present.

Drafted Clause:

14. Audit and Access Rights

14.1 The Financial Entity, its appointed third-party auditors, and its competent and resolution authorities shall have unrestricted rights of access to, inspection of, and audit of the Provider’s premises, systems, and documentation relevant to the ICT services provided under this Agreement.

14.2 Such rights shall not be subject to: (a) caps on audit frequency; (b) advance notice requirements exceeding five (5) business days except for on-site visits requiring physical access arrangements; (c) limitations on scope; or (d) prior approval of audit personnel by the Provider.

14.3 The Financial Entity may take copies of relevant documentation on-site. The Provider shall maintain complete and accurate records of service delivery, security measures, incident responses, and sub-outsourcing arrangements for the duration of the Agreement plus five (5) years.

14.4 Where the Provider is designated as a critical ICT third-party service provider under DORA Art. 31, the parties shall cooperate in pooled audit arrangements that do not impair the individual audit rights of the Financial Entity or its competent authority.

Art. 30(3)(f) – Exit Strategy (MISSING)

Status: ERROR – No exit or transition provisions present.

Drafted Clause:

15. Exit Strategy and Transition

15.1 Upon termination or expiry of this Agreement for any reason, the Provider shall continue to provide the ICT services at the same service levels for a transition period of twelve (12) months (“Transition Period”), extendable by six (6) months at the Financial Entity’s sole option.

15.2 During the Transition Period, the Provider shall provide reasonable migration assistance, including: (a) data export in standard, non-proprietary formats; (b) API documentation and interface specifications; (c) knowledge transfer sessions; and (d) parallel running support.

15.3 Within thirty (30) days of the Financial Entity’s written confirmation of successful data migration, the Provider shall securely delete all Financial Entity data and provide a certified deletion confirmation signed by an authorized officer.

Gap Analysis Summary

Extension Tools

dora_contract_checker

Validates a contract terms JSON file against all DORA Art. 30(2) general provisions and Art. 30(3) enhanced provisions. The checker reads a structured JSON representation of contract clauses and systematically verifies that each mandatory provision is present and substantive.

The checker automatically determines whether Art. 30(3) enhanced provisions apply based on the critical_or_important_function flag in the contract terms JSON. When set to false, only the 10 general provisions are checked. When true, all 16 provisions are validated.

Getting Started

To review an existing contract for DORA Art. 30 compliance:

1. Upload or paste the contract document into the workspace
2. Tell the agent the provider name, the ICT services covered, and whether the contract supports a critical or important function (if unsure, the agent will help you assess criticality using the Art. 3(22) criteria)
3. The agent will map existing clauses to Art. 30 requirements, build a structured contract terms file, and run the automated compliance checker
4. Review the compliance report – each Art. 30 requirement is assessed as compliant, missing (error), or weak (warning)
5. Request drafted remediation clauses for any gaps

To draft new contractual provisions from scratch:

1. Provide the service provider details, scope of ICT services, and criticality classification
2. The agent will generate a complete set of Art. 30 compliant clauses covering all applicable requirements
3. Review and customize the drafted clauses for your specific arrangement
4. Run the compliance checker against the final version to confirm full coverage

The skill includes a reference guide cross-referencing DORA Art. 30 with the RTS on standard contractual clauses (Commission Delegated Regulation (EU) 2024/1773) and a template for structured compliance review reports.