PONT Data&Privacy

DORA obligations from the perspective of the IT supplier

Since its entry into force, the Digital Operational Resilience Act (DORA) has brought about a fundamental change in the way digital services to financial institutions must be organized. Although DORA primarily imposes obligations on financial entities themselves, the regulation has a strong indirect effect on IT suppliers. These suppliers become an indispensable link in their customers' operational resilience framework, which inevitably means they will be faced with additional requirements, contractual renegotiations, and increased supervisory obligations. This article by Pieter Ballings (lawyer at Holla legal & tax) discusses the most important obligations under DORA from the perspective of the IT supplier and describes their impact on practice, technology, and contracting.

26 January 2026

The position of the IT supplier under DORA

DORA focuses primarily on financial entities, but at the same time imposes a set of obligations on their "ICT third-party service providers." For the IT supplier, this means that it becomes part of the customer's broader ICT risk management. Article 28 of DORA emphasizes the responsibility of the financial institution to manage its entire ICT chain, including external suppliers. This creates a situation in which the IT supplier, although not formally under the direct supervision of DNB or the ECB, is nevertheless obliged to comply with the standards set out in DORA and to demonstrate that compliance.

This regulatory burden is in line with existing duties of care in Dutch IT contract law, where suppliers have long been held accountable for their professional expertise and duty to provide information. After all, legal literature and case law show that an IT supplier has a special duty of care when its services are essential to the customer's business operations, especially when sensitive data is processed or critical functions are supported. DORA formalizes this development and gives it a European legal dimension.

In addition, it is important to emphasize that it is solely the financial institution itself that determines whether an outsourced ICT service qualifies as a "critical" or "important" function within the meaning of Article 28 DORA (Article 28(1)(b) and 28(4)(a)). This qualification is therefore not up to the IT supplier. Although the supplier can provide input on technical or operational risks, the ultimate responsibility for risk classification remains with the financial entity. This assessment then largely determines the severity of the contractual and operational obligations that may be imposed on the supplier.

ICT risk management and security measures

One of the most important parts of DORA concerns the obligation to establish a solid framework for ICT risk management (Articles 5-15 DORA). Although responsibility for this framework lies primarily with the financial institution, the IT supplier must demonstrate through contractual agreements that its own processes and measures are in line with the expectations set out in the regulation. This includes policies for patch management, logging, internal controls, vulnerability management, and backup and recovery procedures.

The supplier must be prepared not only to implement this policy, but also to have it audited. Documentation plays a crucial role in this regard: financial institutions must be able to demonstrate to the supervisory authority that the supplier is reliable and meets the required standards. This need for verifiability ties in with the broader theme of "being in control," which is emphasized in several professional guidelines for cloud and IT services.

Incident reporting and cooperation with the customer

DORA introduces an obligation for financial institutions to report serious ICT incidents to the supervisory authority within strict time limits (Articles 17-19 DORA). Compliance with this obligation is impossible without the active involvement of the IT supplier.

Suppliers are expected to report incidents to their customers promptly and in full, including all relevant technical details. In addition, they may be required to cooperate in forensic investigations, root cause analyses, and documentation for reporting to the regulator. This requires a culture of transparency, timely communication, and immediate escalation.

The standard that suppliers must proactively inform and warn has been confirmed for years in case law and in professional IT guidelines, which state that warning and information obligations are at the core of professional IT practice. DORA reinforces this principle by adding a supervisory dimension.

Testing and digital resilience

Another key component of DORA is the obligation to test digital operational resilience, as laid down in Articles 21-26 of the regulation. This obligation could have far-reaching consequences for IT suppliers. They may be asked to participate in technical investigations, including advanced forms of penetration testing such as threat-led penetration testing (TLPT).

Participation in such testing requires strict security protocols and a clear understanding of the risks associated with testers' access to internal systems. Suppliers will have to contractually specify the conditions under which testing is possible, who is allowed to test, what material will be provided, and how the risk of damage or data loss will be limited.

Various practical sources show that traditional audit methods, such as physical audits, are often not applicable to cloud environments. That is why third-party assurance, such as SOC reports or ISAE statements, is widely used in practice. These are ideally suited to demonstrate DORA compliance without having to expose internal systems.

Audits, access to information, and oversight

Article 30 of DORA requires financial institutions to retain, at a minimum, effective audit rights over their IT service providers. This includes not only contractual audit rights for the customer itself, but may also include access for supervisory authorities.

This can be a complex obligation for IT suppliers. On the one hand, they must be able to comply with audit requests; on the other hand, they must guarantee the security of their own systems and the interests of other customers. Finding a balance between openness and security is therefore essential.

Here too, third-party assurance reports offer a useful alternative. Practice shows that suppliers can manage audit requests more effectively when they offer a standardized set of assurance documents that meet the needs of both customers and regulators.

Supply chain management and subcontractors

DORA requires financial institutions to monitor their entire ICT chain, including dependencies on subcontractors (Article 28(4) and Article 29 DORA). This means that the IT supplier must provide transparency about its own suppliers and subcontractors.

For suppliers, and certainly for cloud providers, this means that they need to think carefully about their supply chain architecture. Subcontractors or technical partners can only be engaged if customers are informed and the risks are adequately managed. Previous analyses of cloud contracts have pointed out that a lack of insight into chain relationships leads to considerable legal risks, because the customer cannot determine who has access to which data and systems.

Exit obligations and continuity

Finally, DORA introduces an explicit obligation for financial institutions to have workable exit strategies in place when they wish or need to terminate an ICT service provider (Articles 28(7) and 28(8) DORA).

IT suppliers must therefore be able to demonstrate that they are capable of transferring data, systems, documentation, and knowledge in an orderly and timely manner. In practice, this leads to complex contract negotiations, especially when there is a lot of customization, closed infrastructures, or dependencies on subcontractors. The ICT Contracts Handbook emphasizes that clear agreements on exit are crucial to prevent suppliers from being confronted with open-ended obligations or disproportionate burdens. Contract management and the demarcation of responsibilities are essential in this regard.

Conclusion

DORA brings a new reality for IT suppliers operating in the financial sector. Although the obligations formally rest with financial institutions, in practice they are shifted to suppliers through contractual requirements, audit requests, reporting obligations, and chain transparency. For IT suppliers, this means further professionalization of processes, a greater emphasis on documentation and predictability, and a need to clearly define in contracts which obligations are feasible and proportionate.

Suppliers who invest in compliance structures, clear communication, and demonstrable governance will emerge stronger from this development and distinguish themselves as reliable partners in an increasingly regulated market.
