
Five Essential DORA Insights for ICT Providers

The EU's DORA regulation brings significant changes, extending obligations beyond financial entities to include their ICT service providers. This article breaks down five essential insights ICT providers must understand, from direct oversight to stringent new contractual requirements, as compliance becomes mandatory.

The Digital Operational Resilience Act (DORA), which entered into force on January 16, 2023, and becomes applicable on January 17, 2025, is a pivotal piece of legislation in the European Union. It aims to enhance the digital operational resilience of financial entities. However, its reach extends far beyond banks and insurance companies, introducing a new paradigm for Information and Communication Technology (ICT) service providers that serve the financial sector. Unlike previous directives, DORA imposes direct obligations on both financial entities and ICT service providers. For ICT providers, understanding these new responsibilities is critical for maintaining business and avoiding penalties. Here are five essential insights every ICT provider needs to know.

1. Direct Oversight for Critical Providers

One of the most significant changes DORA introduces is the establishment of a Union-wide oversight framework for critical ICT third-party providers (CTPPs). The European Supervisory Authorities (ESAs)—EBA, ESMA, and EIOPA—will designate providers as “critical” based on specific criteria. These criteria include the systemic impact a large-scale operational failure of the provider would have on the stability and continuity of financial services. Providers designated as critical will be subject to direct oversight by a Lead Overseer from one of the ESAs. This oversight can include requests for information, on-site inspections, and the issuance of recommendations. This marks a fundamental shift, bringing technology companies under the direct supervision of EU financial regulators for the first time.

2. Heightened Contractual Requirements

DORA makes contractual agreements between financial entities and ICT providers significantly more prescriptive. Article 30 of the regulation details the key contractual provisions that must be included in all relevant contracts. These include, among others, a clear and complete description of all functions and ICT services to be provided, the locations where data is processed, and provisions on data security. For services supporting critical or important functions, the requirements are even stricter, mandating full service level descriptions, requirements for contingency plans, and exit strategies. ICT providers must be prepared to renegotiate existing contracts to align with these detailed requirements.

3. A Comprehensive ICT Risk Management Framework

While the primary responsibility for ICT risk management remains with the financial entity, DORA indirectly requires ICT providers to support and align with these frameworks. Financial entities must establish a comprehensive ICT risk management framework that includes strategies, policies, and tools to protect all information and ICT assets. ICT providers will need to demonstrate that their own processes and controls are robust enough to meet their clients' standards. This includes having contracts in place with defined service levels and, for critical functions, having an exit strategy available. Furthermore, providers must be open to audits and assessments by their financial clients and competent authorities.

4. Mandatory Resilience Testing and Incident Reporting

DORA places a strong emphasis on digital operational resilience testing. Financial entities are required to conduct regular testing of their critical ICT systems and applications. For the most significant entities, this includes advanced Threat-Led Penetration Testing (TLPT) at least every three years. ICT providers that support critical functions are expected to participate in these tests. Article 26 stipulates that the financial entity must ensure the participation of ICT providers while retaining full responsibility. Additionally, providers must assist their clients in reporting major ICT-related incidents to regulators, providing assistance at no additional cost or at a cost that is determined ex-ante.

5. Third-Party and Subcontracting Risk Management

DORA recognizes that risk doesn't stop at the direct provider. The regulation extends requirements to cover the entire ICT supply chain. Financial entities must monitor risks stemming from subcontracting by their ICT providers, especially when the subcontracting concerns critical or important functions. ICT providers must be transparent about their own subcontracting arrangements and ensure their subcontractors adhere to the same standards of security and resilience. Contracts must include terms governing subcontracting, and providers must inform their financial clients of any changes in subcontracting. This focus on the supply chain requires ICT providers to have greater oversight and control over their own vendors.

In conclusion, DORA is not just another regulation for the financial sector. It is a transformative framework that directly supervises ICT providers deemed critical to the stability of the EU's financial system. Providers who fail to prepare for these changes risk not only regulatory action but also the loss of client trust in an increasingly interconnected financial world.