DORA explained: impact on software procurement in the financial sector
DORA comes into force on 17 January 2025 and fundamentally changes how financial organisations procure and contract software. Here’s everything you need to know about the five pillars, the contractual requirements, and the impact on supplier management.
- 1 February 2025
- 5 min
- DORA – Digital Operational Resilience Act
DORA, the Digital Operational Resilience Act, will take effect across all EU member states on 17 January 2025. For financial organisations and their ICT suppliers, something fundamental changes: digital resilience is no longer just an internal IT issue but a regulated business obligation subject to supervision and fines.
What is DORA?
DORA is an EU regulation, not a directive, meaning it is directly applicable law that governs the digital operational resilience of the financial sector. The regulation is part of the Digital Finance Package and applies to 20 categories of financial entities, ranging from banks and insurers to fintechs and crypto service providers.
The five pillars of DORA
DORA structures its requirements around five core areas:
ICT risk management: A comprehensive framework for identifying, classifying, and controlling ICT risks
Incident reporting: Significant ICT incidents must be reported to regulators within strict timeframes
Testing digital resilience: Periodic penetration tests and resilience scenarios for critical systems
Third-party risk management: Contractual obligations, supplier registers, and concentration risk analysis
Information sharing: Proactively sharing threat information within the sector
What does DORA mean for software procurement?
The fourth pillar, third-party risk management, directly impacts how financial organisations procure and contract software:
Contractual minimum requirements: Every ICT contract must contain clauses on SLA, incident notification, audit rights, exit plans, data location, and continuity
ICT supplier register: An up-to-date and complete register of all ICT suppliers is mandatory and must be available to regulators
Concentration risk: Excessive dependency on a single supplier (e.g. one cloud provider) must be assessed and reported
Subcontractors: Suppliers of your suppliers also fall within the scope of DORA
SoftVaro helps financial organisations map their software landscape and make contracts DORA-compliant.
Frequently Asked Questions
The most commonly asked questions on this topic.
Who does DORA apply to?
DORA applies to banks, insurers, investment firms, payment institutions, crypto service providers, pension funds and all ICT suppliers providing critical services to these institutions.
Does DORA apply to my software supplier?
Yes. If you provide software or ICT services to a financial institution covered by DORA, you as an ICT supplier are required to comply with the contractual DORA requirements imposed on you by that financial institution. Critical ICT suppliers may also be subject to direct EU supervision.
What are the penalties for non-compliance with DORA?
Fines can reach up to 2% of total global annual turnover. Additional sanctions apply to critical ICT suppliers who fall directly under EU supervision.
Ready to save on software?
SoftVaro negotiates the best deal for you with over 4,000 suppliers. Independent, transparent, within 24 hours.