Digital Operational Resilience Act (DORA)
For financial services firms, that means digital operational resilience is no longer just an internal risk issue. It is a regulatory requirement.
For technology companies selling into financial services, it means your contracts, service model, audit position, incident support, data storage arrangements and exit planning may now face much tougher scrutiny.
That includes SaaS providers, cloud platforms, managed service providers, cyber security businesses, infrastructure providers and any technology supplier supporting financial services operations.
If you are a UK tech company with EU financial services customers, or customers who themselves serve regulated financial institutions, DORA is a commercial issue. Not just a compliance one.
What DORA changes
DORA, the Digital Operational Resilience Act, creates a single framework for managing ICT risk across the EU financial sector.
It brings together requirements on ICT risk management, incident reporting, resilience testing, third-party risk and oversight of critical ICT providers.
The shift is clear. Financial services firms must show they can protect, detect, respond, recover and learn when technology fails.
That affects suppliers.
Financial services firms rely heavily on third-party technology. Cloud hosting, SaaS platforms, data analytics, AI tooling, cyber security monitoring, payment infrastructure and core operational software all sit inside the risk picture.
DORA changes the procurement conversation.
It is no longer enough to say the product is secure, available and supported. Customers will want evidence on data location, incident support, subcontractors, audit rights, continuity, recovery and exit.
For SaaS, cloud, AI, cyber security and managed service providers, a standard procurement process can quickly become a detailed operational risk review.
The contract now carries more weight
DORA makes ICT contracts part of the resilience framework. Contracts for ICT services need to cover points such as:
For many tech suppliers, a short order form plus generic online terms will not be enough for regulated financial services customers.
That does not mean accepting unlimited audit rights, vague cooperation obligations or open-ended incident support.
It does mean having a contract position that maps to DORA without giving away control, margin or operational flexibility.
Critical functions raise the bar
DORA applies stricter requirements where an ICT service supports a critical or important function.
For suppliers, that can mean stronger customer demands around sub-outsourcing, audit rights, business continuity, security testing, exit planning, transition support and service continuity during migration.
Sub-outsourcing is often the sticking point.
If your service depends on hosting providers, infrastructure providers, support vendors, AI tooling or offshore teams, customers may need clearer visibility of that chain.
The contract should make clear what is permitted, what requires notice, what requires approval and what happens if the supply chain changes.
Resilience, not just prevention
DORA is not just about stopping disruption.
It is about whether financial services firms can keep operating when technology fails.
That includes cyber attacks, system outages, provider failure, data access issues and operational incidents.
For tech suppliers, resilience needs to show up in both the contract and the operating model. Incident response, continuity, recovery, testing, reporting support and exit planning all matter.
This is where vague terms create risk.
The repapering problem
DORA applied in full from 17 January 2025.
That has created a major contract remediation exercise across financial services. Existing ICT contracts, not just new agreements, are being reviewed and updated.
For suppliers, that means DORA addenda, revised terms, customer questionnaires and new procurement requirements can arrive even where the customer relationship has been in place for years.
If every request is treated as a one-off negotiation, the process becomes slow, inconsistent and expensive.
A better approach is to prepare a DORA-ready contract position in advance.
That means having clear wording on data location, subcontracting, incident support, audit rights, service continuity, exit assistance and regulatory cooperation.
The aim is not to accept every customer request.
The aim is to know what you can agree, what you should push back on and where a bespoke position is needed because the service supports a critical or important function.
The board-level point
DORA is not just a financial services regulation.
It is a commercial pressure point for technology suppliers serving that market.
If your product is part of a regulated customer’s operational infrastructure, your contract is no longer just about price, liability and payment terms. It is part of that customer’s resilience evidence.
Tech suppliers that can show a clear, credible DORA position will be easier to buy from.
Those that cannot may find themselves stuck in procurement, pushed into tougher terms or excluded from higher-value regulated deals.
DORA has raised the standard.
The question is whether your contracts have caught up.
Need your tech contracts to stand up to DORA scrutiny?
Ethiqs helps scaling technology companies review, negotiate and update customer and supplier contracts for regulated markets.
If your SaaS, cloud, AI, infrastructure or managed service contracts are being pushed through DORA reviews, we can help you get ahead of the questions before they slow the deal down.