Question ID: 3370 - DORA 275
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Disclosure (Art. 26 – 33, 35 - 39 PEPP)
Article: 30(1, 2)
Status: Rejected
Date of submission: 23 Jun 2025
Question
A critical ICT third-party service provider is denying the Company, an update to our contractual agreement with a DORA-addendum. They would like us to pay for a so-called "regulatory package" since they must be remunerated for their participation in dealing with incidents that transpire with the Company. Art. 30.2(f) specifies that remunerations are permissible to the ICT service provide to a cost that is determined ex ante. It is the Company's opinion that this critical ICT service provider is in breach of the DORA regulation by denying an updated contractual agreement specifying how they comply with the said regulation. The Company already informed the ICT service provider that it agrees on a cost per incident ex ante as stated in DORA, Art. 30.2(f), however, that the addendum or updated contract must be provided free of charge or without entering into a entire "regulatory package" (costing thousands of euros!) because Art. 30.2 & 30.3 state clearly the requirements that a contractual agreement MUST contain. Currently this is not the case with that ICT service provider and they deny us an updated contract unless we sign and pay for their regulatory package. I think they are using means that are in breach of the regulation and they are even abusing their market position.
Background of the question
See scenario description above.
EIOPA answer
The question falls into the category of institution-specific questions requiring bespoke advice.