November 6, 2025

Last Updated on November 6, 2025

Effective January 17, 2025, the EU’s Digital Operational Resilience Act (DORA) requires financial entities in the EU to meet a higher standard for cybersecurity and operational resilience, and it reaches the IT service providers (in DORA’s terms, ICT third-party service providers) that serve them. For most providers the obligations arrive indirectly, through mandated contractual terms and the technical and procedural safeguards their financial-sector customers must verify; a small set of providers designated as critical fall under direct oversight.

What could DORA mean for IT service providers whose customers include EU financial entities like banks, insurance companies, brokerages, and FinTechs? This article covers the most important potential considerations and impacts.

Key takeaways

  • Reducing the risk associated with third-party IT service providers is a primary DORA objective.
  • DORA covers a wide range of IT services, including cloud and data center services, SaaS/PaaS/IaaS, IT managed services, cybersecurity services, software offerings, and payment processing.
  • DORA compliance may require IT vendors to up their game in areas like business continuity, cybersecurity governance, risk assessment, and subcontractor risk management.
  • DORA mandates contract terms for IT vendors and their customers, including clauses to create “exit strategies” for customers and return their data safely when services terminate.
  • IT vendors whose services support a client’s “critical or important” functions are subject to additional requirements under DORA, and designated Critical Third-Party Providers come under direct supervisory oversight.

What IT service providers could DORA apply to?

One of DORA’s primary elements is managing third-party ICT risk, with the strictest requirements attaching to vendors whose services support a client’s “critical or important” functions. DORA’s notion of ICT services is broad and covers, among others:

  • Cloud and data center service providers
  • Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) providers
  • Managed service providers (MSPs) and Managed Security Service Providers (MSSPs)
  • Software vendors
  • Payment processors
  • Telecommunications service providers
  • Data analytics service providers

In general, many IT vendors in the EU financial space will face DORA compliance considerations. Suppliers whose services support critical or important functions, as well as Critical Third-Party Providers (CTPPs) designated under DORA, must meet additional criteria to support the supply chain’s collective resilience.

How might DORA impact IT service provider operations?

As part of their DORA compliance obligations, EU financial entities will need to assess their current and potential IT suppliers in areas like:

  • Business continuity and resilience. Can the vendor’s risk management and business continuity programs support the client’s own operational resilience?
  • Risk assessment and cybersecurity due diligence. Can the vendor’s cybersecurity program meet DORA standards?
  • “Fourth-party” risk. Who are the vendor’s subcontractors and how do they impact the end client’s risk?

According to Dejan Kosutic, CEO at Advisera, to align with DORA many IT service providers will need to invest in cybersecurity governance, including policies, procedures, monitoring, and risk assessment.

“From my experience working with lots of companies, in most cases these companies already have the appropriate technology in place [for DORA],” explains Dejan. “But very often they are not using this technology in the most secure way. They’re missing the governance part of how to handle their internal security.”

Achieving third-party certification against a comprehensive cybersecurity framework like ISO 27001 or HITRUST, or obtaining a strong SOC 2 report, can help improve governance in alignment with DORA and other regulations.

How can DORA affect IT suppliers’ contracts with clients?

DORA outlines requirements for contracts between financial entities and their IT suppliers. Many service providers will need to amend or rewrite their contracts to meet these new terms.

The first step in determining what DORA contract guidance applies to your business is knowing if you provide a “critical or important” IT service to clients. If so, you face additional contract requirements (see below).


Contract requirements that DORA specifies for all IT services include:

  • Description of services and locations. What services are provided and where (e.g., in what country) should be contractually specified.
  • Right to terminate. The client should have the right to terminate the contract following a minimum notification period if there is a serious breach of contract terms or if the supplier subjects the client to undue IT risk.
  • Data security. Contracts should include language on protection of personal data and other sensitive data, covering its availability, authenticity, integrity, and confidentiality.
  • Service levels. Contracts should cover service level agreements (SLAs) and key performance indicators (KPIs).
  • Return of data. Contracts should cover recovery and return of client data if the IT service provider goes out of business or terminates the contract.
  • Support following incidents. DORA obliges IT service providers to assist clients when an ICT incident involves their offering, either at no additional cost or at a cost agreed in advance in the contract.
  • Security awareness training. IT vendors should agree to participate in clients’ cybersecurity awareness training programs.

DORA defines critical or important functions as those whose disruption would materially impair the client’s financial performance, the soundness or continuity of its services and activities, or its ability to keep meeting the conditions of its authorisation and its other regulatory obligations. Examples include financial transaction management, payment processing, and benefits/pension payments.

Additional contract requirements for critical or important IT suppliers include:

  • Exit strategies. Contracts must provide for exit strategies, including an adequate transition period, so that if a critical/important IT vendor relationship fails the client can move to a replacement vendor or bring the service in-house without disruption.
  • Performance monitoring. Clients must monitor the performance of critical/important IT vendors in relation to contract SLAs.
  • Reporting obligations. Critical/important IT suppliers are required to report business developments that could significantly impact their service delivery.
  • Disaster planning. Critical/important IT vendors must implement and regularly test emergency contingency plans, such as disaster/IT recovery.
  • Pen testing cooperation. Critical/important IT vendors are obliged to cooperate in their clients’ threat-led penetration tests (TLPTs) under DORA.
  • Client access rights. Clients have the right to monitor a critical/important IT vendor’s performance on an ongoing basis, including through on-site audits or inspections.

What are Critical Third-Party Providers under DORA?

Critical Third-Party Providers (CTPPs) are key IT vendors (e.g., hyperscale cloud providers such as Amazon Web Services) whose failure could impact operational resilience across the whole EU financial sector. CTPPs are designated by the European Supervisory Authorities (ESAs) that oversee DORA, based on factors like the systemic impact of a failure, the importance of the financial entities that rely on the provider, how many of those entities depend on it for critical or important functions, and how difficult its service(s) would be to replace.

DORA requires CTPPs to take various steps to ensure their resilience, such as:

  • Implementing a robust business continuity plan.
  • Conducting regular operational resilience testing.
  • Implementing a best-practice operational risk management program.
  • Implementing an effective third-party risk management program that ensures their subcontractors meet required resilience standards.
  • Reporting cyber incidents under strict guidelines to relevant authorities and financial entities.
  • Collaborating with regulators and financial entities to support optimal incident response.

DORA also subjects CTPPs to direct oversight by a Lead Overseer, which is one of the ESAs, regardless of where the provider is headquartered.

“If a company is classified as a CTPP, it will come directly under the supervision of an EU government entity even if it is based outside the EU,” Dejan points out. “The overseer will be looking at the details of how that company operates and how it implements cybersecurity measures.”

He cites as an example a US-based vendor that develops core software for a specific EU bank.

“If the overseer thinks there is a heightened risk, they could not only force the vendor to pay fines, but even replace their management,” adds Dejan.

What areas of an IT vendor’s business will EU financial firms scrutinize?

If you have customers subject to DORA, you will likely face due diligence scrutiny in multiple areas. You should be ready in advance to answer questions and show evidence of compliance or strong performance regarding:

  • Incident response and disruption management. Clients will want evidence of a documented and regularly tested incident response process, especially in vital areas like data loss prevention and continuous improvement.
  • Disaster recovery and business continuity. Clients will want documentation on your recovery capabilities, including recovery time objectives, etc. You should also show evidence of testing these programs.
  • Your cybersecurity program and tools. Clients need to know that your cybersecurity, vulnerability management, data protection, etc. align with DORA standards. Trusted cybersecurity certifications/reports like ISO 27001, SOC 2, or HITRUST can be useful in this regard.
  • Access control policies and processes. Clients may have specific concerns around identity management, role-based user access, joiner/leaver handling, and timely revocation of access.

What’s next?

For more guidance on this topic, listen to Episode 154 of The Virtual CISO Podcast with guest Dejan Kosutic, CEO at Advisera.