
The EU Digital Operational Resilience Act (DORA): top 7 challenges for IT vendors


The Digital Operational Resilience Act ("DORA") is the EU's latest legislative effort to enhance digital operational resilience across the financial sector through a harmonised set of rules for managing information and communication technology risk.

Vendors that provide "ICT services" play a crucial role in the day-to-day functioning of the financial ecosystem and the provision of financial services to customers. Most of the obligations under DORA lie with financial entities, but DORA also has significant implications for IT vendors that supply services to the financial sector.

In this article, we set out the 7 most common challenges that IT vendors are facing in relation to DORA and what vendors need to think about.

Background

The Digital Operational Resilience Act ("DORA") is the EU's latest legislative effort to enhance digital operational resilience across the financial sector through a harmonised set of rules for managing information and communication technology risk. DORA's primary focus is to mitigate systemic vulnerabilities which exist due to the interconnectedness of financial institutions, financial markets and financial market infrastructures.

Vendors that provide information and communication technology (ICT) services play a crucial role in the day-to-day functioning of the financial ecosystem and the provision of financial services to customers. For regulated financial entities, DORA introduces significant new regulatory obligations. Although most IT vendors are not directly subject to obligations under DORA, the regulation nevertheless has significant implications for them because of the enhanced oversight that affected customers will be expected to exert over IT vendors and a range of new contractual obligations that may need to be included in IT vendor contracts.

It has now been six months since DORA came into effect on 17 January 2025, yet the journey to DORA compliance is far from complete. The industry is still getting to grips with DORA, and whilst implementation efforts are well underway, vendors are still facing challenges with DORA and what it means for their business.

Based on our experience working with vendors on their DORA preparations, we set out below the 7 most common challenges that IT vendors are facing in relation to DORA, and what vendors need to think about.

1. Are the vendor's services "ICT services" as defined in DORA?

"ICT services" is defined in DORA as "digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services."

The definition is intentionally broad and includes most types of IT-related services provided to regulated financial entities on an ongoing basis, including cloud services (IaaS, SaaS and PaaS), software support and maintenance services, data analytics services, data subscription services and cybersecurity services.

There are, however, instances where there is room for interpretation, which has given rise to debate between customers and vendors as to whether DORA applies. For example, the terms "through ICT systems" and "on an ongoing basis" have raised questions as to how regulators will ultimately interpret the definition for certain types of service model.

The lack of a materiality threshold has also presented challenges for customers and vendors alike, particularly in relation to services that present a seemingly negligible risk to the customer's regulated business.

2. Could the vendor have direct obligations under DORA?

We are frequently asked this question by IT vendors that provide services to the EU financial sector, and for the vast majority of vendors, the answer is "no".

DORA only creates direct obligations for:

  • regulated financial entities including banks and payment institutions as well as investment firms, insurance companies, e-money providers, crypto-asset service providers and crowdfunding platforms among others; and
  • systemically important vendors that are designated as critical ICT third-party service providers ("CTPPs"). These are vendors that are so heavily relied upon that they would cause significant problems for the financial system as a whole if their services were to be interrupted. The European Supervisory Authorities are responsible for designation of CTPPs - see point 7 below for more on the designation process and what it means for CTPPs.

However, DORA still indirectly impacts other IT vendors because financial entities must ensure their IT vendor contracts contain certain mandatory terms designed to manage ICT risk. This includes contracts with small vendors and vendors located outside the EU.

Whilst indirectly impacted vendors do not face penalties for non-compliance, they risk losing business if they resist or ignore the requirements of DORA. In practice, if IT vendors wish to continue supplying services to the EU financial sector, they will likely need to review their governance and security arrangements including security measures, incident response and business continuity plans, and they may need to make amendments to customer contracts.

3. Which of the vendor's customers are in scope of DORA?

All regulated financial entities operating in the EU are subject to DORA. This includes banks, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.

IT vendors should also consider whether they provide services to in-scope financial entities indirectly as a subcontractor. DORA creates obligations that apply throughout the supply chain, so even if a vendor does not supply services directly to EU financial entities, DORA may be applicable if the vendor's customers use those services to deliver ICT services to EU financial entities.

4. How is DORA different from existing financial sector regulations that the vendor might already have addressed?

DORA builds on an existing package of EU regulations designed to improve financial entities' operational resilience. Some vendors will already have worked with customers to address requirements under existing EU regulations, including the European Banking Authority Guidelines on outsourcing arrangements (the "EBA Guidelines"). For vendors and financial entities alike, this was a time- and cost-intensive exercise.

However, the EBA Guidelines largely apply only in relation to outsourcing arrangements – a concept which is much narrower than the provision of ICT services which are now regulated under DORA. So, for many vendors, DORA introduces new requirements which they have not had to consider before.

The key changes brought about by DORA are as follows:

  • a wider range of financial entities are in scope (see the full list of entities in-scope of DORA in point 3 above);
  • DORA catches a much wider range of services, as services do not need to meet the definition of "outsourcing" to be caught by DORA;
  • there will be direct obligations for critical ICT third-party service providers (CTPPs). DORA is the first regulation that creates direct oversight powers for financial regulators over IT vendors (these powers will only apply once a vendor has been designated as a CTPP – see point 7 below); and
  • DORA introduces a wider range of obligations, including new contractual requirements. Vendors that have already addressed the requirements of the EBA Guidelines will be better prepared for DORA but there will still be some work to do to address the gaps.

5. Do the vendor's services support "critical or important functions"?

DORA imposes stricter obligations in relation to ICT services that support a financial entity's "critical or important functions".

Under DORA, a "critical or important function" means "a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law".

A common challenge that vendors face is the question as to whether their services support a critical or important function – particularly where the vendor and the customer do not agree. The consequences can be significant for the vendor (see point 6 below for the difference in contractual obligations).

Vendors can ultimately decide on the terms on which they provide their services, but vendors may find themselves in a position of deadlock with customers if there are differences in opinion as to whether they need to address the additional obligations associated with services supporting critical or important functions.

6. What types of contract terms are required in contracts with financial entities?

Contracts for the provision of ICT services will need to include the following:

  • Service locations: the contract must specify the locations from which the ICT services are to be provided and where data is processed and stored;
  • Assistance to the financial entity: the IT vendor must provide assistance following ICT incidents;
  • Security measures and data: the vendor will be required to implement appropriate security measures and ensure customer data can be recovered when the service terminates or if the vendor becomes insolvent;
  • Staff training: the contract will need to include provisions regarding "operational resilience awareness programmes"; and
  • Termination: termination rights may need to be reviewed as there are specific situations in which the customer must be allowed to terminate the contract.

Additional (and more onerous) contract terms are required in contracts for ICT services supporting a critical or important function of a financial entity. These additional terms include:

  • Business continuity: the contract should include obligations to implement and test business contingency plans;
  • Threat-led penetration testing: the contract should include obligations to participate in Threat-led Penetration Testing (“TLPT”), an intensive testing exercise which may be mandated by regulators and which involves testing on live production systems;
  • Audit: the customer will be expected to secure audit rights in favour of itself and its regulators;
  • Exit: the contract should include exit provisions which minimise the risk of disruption to the financial entity when the service comes to an end; and
  • Subcontracting: the contract will need to stipulate the conditions under which the vendor can subcontract the services to other vendors.

7. What happens if a vendor is designated as a critical third-party service provider (CTPP)?

The European Supervisory Authorities ("ESAs", comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) are responsible for identifying and formally designating CTPPs.

The ESAs must apply detailed criteria to make the designation, such as the size of the organisation and the number of global systemically important institutions that rely on its services.

According to a roadmap published by the ESAs in February 2025, the ESAs are expected to start notifying ICT third-party service providers of their classification as critical by July 2025. For more information on this, see our article here.

Once a CTPP is designated, one of the ESAs will be appointed to oversee that CTPP (the "Lead Overseer"). The oversight regime involves assessing whether the CTPP effectively manages the ICT risk it may pose to financial entities, taking account of factors such as the physical security of data centres and data interoperability. The Lead Overseer will then adopt an "oversight plan" with annual objectives and actions for the CTPP. The Lead Overseer may also request information from a CTPP and conduct investigations and inspections of the CTPP.

CTPPs may be subject to fines for non-compliance of up to 1% of the average daily worldwide turnover in the preceding business year, accruing on a daily basis until compliance is achieved, for up to 6 months.


Authored by Louise Crawford and Alex Nicol.

Next steps

Vendors that are well prepared for DORA and ready to proactively address its requirements will generally be better placed to deal with customers than those that resist or ignore DORA. DORA is a complex regulation but for most vendors, the steps required to address DORA do not need to be complex.

We would be pleased to have a discussion with any vendor that is facing difficulties with DORA or that wants to know where to start. We help clients mitigate the technical, administrative and cost burden that DORA presents and overcome challenging issues with customers.

Please reach out to one of the key contacts for further information on how Hogan Lovells can assist. You can also visit our Operational Resilience Hub for further detail on DORA and other operational resilience regulations and a variety of resources to help navigate the requirements.
