DORA does not limit how financial entities implement the relevant audit requirements, including with regard to audit frequency. Where the contracts between financial entities and their ICT third-party service providers refer to a (maximum) audit frequency, that frequency shall be agreed by the financial entities (i.e., not imposed by the ICT third-party service providers) and shall not prevent the financial entities from implementing the DORA audit requirements on a risk-based approach.
Therefore, financial entities shall also ensure that the contractual arrangements grant them the ability to carry out an audit on an ad-hoc basis when they find it necessary to comply with the DORA requirements (for example, in the event of doubts regarding the proper performance of the contract), without the clause on the audit frequency preventing it. If such conditions are met, the financial entities and their ICT third-party service providers may agree on an audit frequency in their contracts.