For a bank, a mainframe license is no longer just a commercial document. Operational resilience rules turn audit rights, exit provisions, and continuity terms into compliance obligations a supervisor can examine. The good news: the clauses the regulator wants are the clauses a strong negotiation already targets. Here is how the layers fit together.
Banks have always negotiated mainframe software on price and capacity. What has changed is that operational resilience regulation now reaches into the same contracts and asks different questions. The EU Digital Operational Resilience Act (DORA), in application since 17 January 2025, requires regulated financial entities to contract with their ICT third-party providers under defined minimum terms, with stricter terms where the service supports a critical or important function. For a bank running core processing, payments, or fraud screening on the mainframe, the publishers and support providers behind that estate are squarely the kind of ICT third parties these rules cover, and the functions they underpin are the kind a supervisor will treat as critical or important. The license and support agreements now have to satisfy a supervisor as well as a sourcing committee.
This is not unique to one jurisdiction. Operational resilience and outsourcing rules across major banking regulators share the same themes: the regulated entity must be able to audit, exit, and maintain continuity, and must understand and manage concentration risk where a single provider is critical. The mainframe, where decades of core systems often sit on a small number of publishers, is a textbook concentration risk. That makes the contract terms a regulatory matter, not just a commercial one.
The recurring resilience themes map directly onto specific license and support clauses. These are the terms a bank now has a regulatory reason to hold, not just a commercial preference:
| Regulatory theme | The clause it touches | Buyer-side reading |
|---|---|---|
| Audit and access rights | Audit clause, data access, reporting | The bank, and its supervisor, must be able to examine the provider. A contract that blocks this is a compliance gap. |
| Exit and continuity | Termination, transition assistance, license portability | The bank must be able to leave a critical provider in a controlled way, with entitlement intact. |
| Subcontracting transparency | Assignment, subcontracting, support chain | Who actually delivers support, and where, must be visible and governed. |
| Concentration risk | Single-vendor dependency, bundling | Heavy reliance on one publisher is a documented risk the bank must manage, which strengthens the case for credible alternatives. |
| Service location and data | Hosting location, data handling | Where the software runs and where data sits must be clear and compliant. |
Directional and pattern level. Specific obligations vary by jurisdiction and by the bank's regulatory classification. Confirm the exact requirements with compliance and legal before mapping them to your agreements.
The instinct is to treat regulation as another burden on an already hard renewal. The buyer-side reading is the opposite. A bank now has a documented, supervisor-backed reason to insist on audit rights, exit provisions, and continuity guarantees, and a publisher that resists is effectively asking a regulated entity to accept a compliance gap. That is a weak place for a vendor to negotiate from. The discipline is to map the regulatory requirements to the specific clauses in each publisher agreement before the renewal, so the bank arrives with a defined compliance baseline rather than discovering a gap in the middle of a supervisory review. Resilience compliance and good licensing hygiene point the same way: both want audit rights, clean exits, and managed concentration. This is the work of our mainframe license negotiation and audit defense engagements in regulated environments. For the clause-level detail, see audit rights clauses to negotiate before you sign, and for a neighboring regulated sector, mainframe licensing in healthcare and payers.
Operational resilience regulation turns contract terms into compliance obligations. Resilience rules, including DORA, in application since January 2025, require regulated entities to govern their ICT third-party providers, and mainframe publishers and support providers are squarely in scope.
The clauses that matter are audit and access rights, clear exit and continuity terms, subcontracting transparency, service location clarity, and concentration risk management. These are the same clauses a strong negotiation already targets.
Regulation raises the stakes on these terms, and that becomes leverage. A vendor resisting audit or exit rights is asking a regulated bank to accept a compliance gap, a weak position to hold.
The practical step is to map the regulatory requirements to the specific clauses in each publisher agreement before the renewal, so the bank negotiates from a defined compliance baseline rather than finding the gap in a supervisory review.