The Digital Operational Resilience Act (DORA) came into effect on 17 January 2025, introducing a comprehensive overhaul of the legislative framework designed to enhance the operational resilience of Europe’s financial sector.
DORA applies across the entire financial ecosystem, encompassing banks and credit institutions, investment firms, insurance companies and intermediaries, pension funds, payment providers, trading houses and crypto asset providers.
DORA mandates that regulated entities establish robust ICT risk management frameworks based on new technical standards published by the EU’s supervisory authorities. These frameworks include, inter alia, risk management controls, incident reporting, testing and assurance, business continuity planning, and—crucially for suppliers to the sector—a new regime for the management of outsourced ICT services.
This article provides a high-level overview of what suppliers need to know about this new outsourcing regime, how it will impact them, and what steps they need to take now.
For a more in-depth insight into DORA’s general provisions, see our article here.
For financial services providers looking to embed Article 30 into their organizations, an outsourcing guide is available to download here.
Overview of DORA’s outsourcing framework
DORA requires financial entities to ensure that operational resilience extends to their supply chain. It sets clear requirements for outsourcing arrangements, emphasizing the importance of risk management, contract governance, and ongoing oversight of third-party ICT providers when procuring ICT services.
Under DORA, “ICT services” are digital and data services provided through ICT systems on an ongoing basis, which covers cloud computing, data storage, cybersecurity, network management and IT support, among other things. Because the definition is so broad, a supplier need not have direct access to the financial entity’s ICT systems to be subject to DORA requirements. Crucially, Article 30 requires that the rights and obligations of both parties be clearly allocated and set out in a written contract that meets the standards outlined in the “Article 30 provisions.”
Enhanced requirements apply to ICT services supporting “critical or important functions,” necessitating detailed due diligence, monitoring, and risk mitigation measures. These stricter obligations are designed to ensure that disruptions to these services do not jeopardize the operational stability of financial entities or the broader financial ecosystem.
The legislation introduces an additional layer of oversight for Critical Third-Party Providers (CTPPs), designated by European Supervisory Authorities (ESAs) based on their systemic importance. Only a limited number of major ICT providers, such as large cloud or cybersecurity firms, are expected to fall under this category. Once designated, CTPPs are subject to direct regulatory supervision, regular audits, and stringent operational resilience obligations.
The Article 30 provisions
Providers of ICT services to the financial services sector must be able to accept, and then comply with, the mandatory contractual requirements set out in Article 30(2) of DORA.
These provisions must be incorporated into all contracts for the supply of ICT services to financial entities and include the following:
- Service Descriptions and SLAs: Contracts must provide a clear and complete description of all ICT services and service levels, including updates or revisions. They must also state whether subcontracting of services supporting critical or important functions is permitted and, if so, under what conditions.
- Service Locations: Contracts must specify the regions or countries where the contracted or subcontracted services will be performed and where data will be processed and stored, and must require the provider to notify the financial entity in advance of any intended change of location.
- Data Protection: Provisions must ensure the availability, authenticity, integrity and confidentiality of all data, including personal data.
- Data Access and Recovery: Contracts must guarantee that personal and non-personal data processed for the financial entity can be accessed, recovered and returned in an easily accessible format if the provider becomes insolvent, enters resolution or discontinues its business, or if the contract is terminated.
- Incident Assistance Obligation: ICT providers must assist financial entities in responding to ICT incidents related to the services provided, either at no additional cost or at a cost determined in advance.
- Cooperation with Authorities: Providers must fully cooperate with competent and resolution authorities and any appointed representatives.
- Termination and Notice Rights: Contracts must specify termination rights and minimum notice periods consistent with the expectations of regulators.
- ICT Security and Resilience Training: Providers must participate in financial entities' ICT security awareness programs and operational resilience training.
For ICT services that support critical or important functions, contracts must include additional “enhanced” requirements under Article 30(3). These include:
- Enhanced Service Level Descriptions: Contracts must outline precise performance targets to enable effective monitoring and allow prompt corrective actions when service levels are not met.
- Notice and Reporting Requirements: Providers must adhere to specified notice periods and reporting obligations, including disclosing any developments that could materially impact their ability to deliver critical services.
- Business Contingency Plans (BCPs): Providers must implement and test business contingency plans and maintain ICT security measures, tools and policies that provide an appropriate level of security for the services, consistent with the financial entity’s regulatory framework.
- Penetration Testing: Providers must participate in and fully cooperate with threat-led penetration testing exercises conducted by the financial entity.
- Monitoring Rights: Financial entities must have ongoing monitoring rights, including unrestricted access, inspection and audit rights for the financial entity, any third party it appoints, and the competent authority, together with the ability to agree alternative assurance levels if other clients’ rights would be affected.
- Exit Provisions: Providers must implement exit strategies, including a mandatory transition period to ensure continuity of service and minimize disruptions, supporting financial entities in transitioning to alternative providers or in-house solutions during resolution or restructuring.
Robust documentation
It is important to note that Article 30 does not require the underlying technical, commercial and information security details of the service to be written into the contract itself, but it does require them to be formally documented. As a result, financial entities will require suppliers to provide a comprehensive range of supporting documentation, including detailed records of security controls, service descriptions, technical documentation and business contingency plans. Suppliers must also document their incident management procedures so that financial entities have clearly defined protocols for identifying, responding to and recovering from disruptions.
SLAs must be meticulously documented, specifying performance expectations, response times and escalation procedures. Suppliers must also ensure transparency in their technical and operational capabilities, enabling financial entities to evaluate the reliability of critical ICT services effectively. These documentation requirements not only support compliance but also reinforce trust and accountability between suppliers and their financial clients.
Enhanced oversight
DORA introduces stringent audit and oversight obligations for ICT service providers, particularly those supporting critical or important functions within the financial sector. For those services, the contract must give the financial entity, any third party it appoints, and the competent authority unrestricted rights of access, inspection and audit, and the provider must cooperate fully with on-site inspections. Audits may involve reviewing documentation, inspecting facilities and evaluating the implementation of security controls. Designated CTPPs are additionally subject to direct oversight by the ESAs.
In addition to audits, DORA requires financial entities to carry out threat-led penetration testing (TLPT) of the systems supporting their critical or important functions, which can include systems operated by the supplier. Suppliers must participate in and cooperate fully with these exercises, including providing access to systems, data and personnel as required. These oversight measures emphasize the importance of proactive risk management and reflect the increased scrutiny that ICT service providers will face under DORA.
Strategies for large suppliers
For larger suppliers, navigating the complexities of DORA while offering services across multiple jurisdictions requires a strategic approach to contracting. Developing a standardized DORA Addendum is a practical step to ensure consistency and compliance in contractual arrangements with financial entities. This addendum should address key elements of DORA, such as security controls, SLAs, incident management procedures, and BCPs, while aligning the supplier’s obligations with the regulation's requirements. A harmonized approach can streamline negotiations, reduce duplication of effort, and foster trust with financial clients. It will also be vital for suppliers to be able to prove they can comply with the obligations set out in any Addendum.
Additionally, suppliers must ensure their contractual support documentation is responsive to the specific needs of financial entities, which will be under pressure to demonstrate compliance to regulators. Proactively offering detailed technical documentation, transparent service descriptions, and robust risk management frameworks will not only facilitate smoother onboarding processes but also position suppliers as trusted partners in the financial ecosystem. By adopting a well-defined and harmonized strategy, suppliers can efficiently meet their DORA obligations while maintaining a competitive edge in the marketplace.
For further information on DORA, assistance with drafting or negotiating DORA Addenda, or implementing underlying compliance documentation, please engage with our Resiliency team.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.