What is DORA?

DORA is the EU’s comprehensive regulation on digital operational resilience and cybersecurity for the financial sector, formally known as Regulation (EU) 2022/2554. It becomes fully applicable on 17 January 2025 and introduces harmonized rules to ensure that financial entities—and the ICT providers supporting them—can withstand, respond to and recover from ICT-related disruptions.

After setting the stage, this article focuses specifically on due‑diligence obligations and contractual requirements under the regulation. Other DORA topics will follow in the next installments.

DORA’s central mission is simple but ambitious: to make sure financial institutions can survive ICT incidents—from system malfunctions and service outages to sophisticated cyberattacks. Beyond resilience, the regulation seeks to unify cybersecurity standards across the EU, reinforce ICT risk management practices, and enhance incident reporting and response frameworks throughout the sector.

DORA applies to an extensive spectrum of financial entities: banks, credit and investment institutions, insurers, central securities depositories, and many others. It also directly targets ICT third‑party service providers such as cloud platforms, analytics tools, data centers and other digital infrastructure providers who play a crucial role in supporting financial operations.

Paragraph 21 of the regulation underscores the need for a robust ICT risk management framework and clearly defined mechanisms for handling ICT-related incidents. Paragraph 64 goes even further: regardless of outsourcing arrangements, the financial entity always remains fully responsible for its compliance with DORA. Monitoring third-party risks must be proportionate but rigorous, taking into account the nature, scale, complexity and criticality of ICT dependencies and their potential impact on the continuity of financial services.

First Things First: Due Diligence

This is where DORA doubles down on an issue we often return to—thorough pre‑contracting due diligence. Before signing anything, financial entities must analyze the importance of the services involved, obtain relevant supervisory approvals, assess concentration risks, identify possible conflicts of interest, and evaluate the suitability of the ICT provider. This diligence isn’t a formality; it is the foundation on which contractual engagement must be built.

A Quick Guide to Contractual Arrangements

Under DORA, contractual arrangements must include complete and precise descriptions of the contracted functions and services, including the physical or digital locations where services are delivered and where data is processed. These contracts must also contain several mandatory elements.

Exit strategies, for example, are not optional. Contracts must provide for transition periods to avoid service disruptions, enable orderly switching to another provider or reverting to in‑house solutions, and ensure resilience even in the event of a financial entity’s resolution. To increase certainty, parties may also rely on standard contractual clauses issued by public authorities—such as the Commission’s model clauses for cloud computing.

The Essentials: Contractual Obligations Under Article 30

Article 30 sets out the mandatory contractual clauses for ICT service arrangements. As expected, all rights and obligations must be clearly specified in writing, within a single accessible, durable document. Key elements include:

• A full description of all functions and ICT services, including rules on subcontracting (and conditions for it, especially when critical or important functions are involved);
• Detailed information on locations—regions or countries—where services are performed and data is processed, along with notification requirements for any changes;
• Clauses addressing availability, integrity, authenticity and confidentiality of data;
• Contractual guarantees for access, recovery and return of personal and non‑personal data if the provider becomes insolvent, discontinues operations, or the contract terminates;
• Clear service level descriptions;
• An obligation for the ICT provider to assist the financial entity at no additional—or pre‑agreed—cost in the event of an ICT incident;
• The provider’s duty to fully cooperate with competent and resolution authorities;
• Defined termination rights and minimum notice periods;
• Conditions for involving ICT providers in the financial institution’s security awareness programs and digital operational resilience training.

For ICT services supporting critical or important functions, Article 30 imposes additional requirements—enhanced service level descriptions (including detailed performance metrics), obligations to maintain and test contingency plans, tighter reporting duties, and more.

More DORA topics are coming soon, but these due‑diligence and contractual requirements already illustrate one thing clearly: financial institutions cannot treat ICT outsourcing as a simple commercial arrangement. Under DORA, it becomes an integral part of their operational resilience strategy—and a key compliance obligation.

Note: This text reflects the author’s personal opinion and does not constitute legal advice.