Questionnaire for assessing compliance of a contract with the DORA standard

1. Identification of Third-Party Service Providers

1.1. Does the contract clearly identify the third-party service provider (name, contact information, legal status)?

1 : No information provided

2 : Information partially provided (name only)

3 : Name and complete contact information provided

4 : All information except legal status

5 : All information (name, contact details, legal status) is complete

3. Duration and Terms of the Agreement

3.1. Does the contract include information on the duration and renewal terms ?

1 : No information on duration or renewal

2 : Duration mentioned but no renewal terms

3 : Duration and renewal terms partially defined

4 : Duration and renewal terms defined but lacking details on termination conditions

5 : Duration, renewal conditions, and termination terms are clearly defined

4. Access and Auditability

4.1. Does the contract provide for provisions related to audits and inspections of the vendor ?

1 : No audit rights mentioned

2 : Limited or vague audit rights

3 : Audit rights mentioned but without specifying the modalities

4 : Audit rights well mentioned with some details on modalities

5 : Well-defined audit rights, clear modalities, full access to systems

5. Risk Management Measures

5.1. Does the contract contain specific risk management measures (cybersecurity, business continuity)?

1 : No risk management plan mentioned

2 : Basic risk management measures

3 : Partial measures but lacking a detailed continuity plan

4 : Detailed plan but gaps in certain cybersecurity measures

5 : Complete risk management measures and detailed business continuity and disaster recovery plans

6. Data Location and Subcontracting

6.1. Does the contract mention data location and the use of subcontractors ?

1 : No information on data location

2 : Data location mentioned but no details on subcontractors

3 : Data location and subcontractors partially mentioned

4 : Clear details on data location but subcontractors are not explicitly identified

5 : Well-identified data location and subcontractors with control over downstream subcontracting

7. Regulatory Compliance Obligations

7.1. Does the vendor commit to complying with applicable regulations (DORA, GDPR, etc.)?

1 : No regulatory commitment

2 : Vague and non-specific commitment

3 : Commitment mentioned for certain regulations but not exhaustive

4 : Well-defined commitment for most applicable regulations

5 : Complete and detailed commitment to compliance with all applicable regulations

8. Liability Regime

8.1. Does the contract specify a liability regime in case of an incident ?

1 : No mention of liability

2 : Vague mention of liability without details

3 : Liability regime partially defined

4 : Liability regime clearly defined but without specific penalties

5 : Liability regime and financial penalties or compensation clearly established

9. Incident Notification Mechanisms

9.1. Does the contract include mechanisms for the notification of security incidents or service interruptions ?

1 : No notification mechanism mentioned

2 : Notification mechanisms vague or incomplete

3 : Mechanisms mentioned but without details on timelines or modalities

4 : Well-defined notification mechanisms but long notification timelines

5 : Complete notification mechanisms, with short timelines and clear modalities

10. Ongoing Evaluation and Performance Review

10.1. Does the contract provide for ongoing evaluations and performance reviews of the vendor ?

1 : No provision for ongoing evaluation

2 : Very limited provisions for evaluation

3 : Evaluations planned but frequency or criteria not specified

4 : Regular evaluations planned but without details on performance criteria

5 : Regular evaluations, performance criteria clearly defined, and detailed review modalities

Audit modelQuestionnaire for assessing compliance of a contract with the DORA standard