DORA explained: impact on software procurement in the financial sector
DORA comes into effect on 17 January 2025 and fundamentally changes how financial organisations procure and contract software. Here is everything you need to know about the five pillars, the contractual requirements, and the impact on vendor management.
- February 1, 2025
- 5 min
- DORA – Digital Operational Resilience Act
DORA, the Digital Operational Resilience Act, will come into force on 17 January 2025 across all EU member states. For financial organisations and their ICT suppliers, something fundamental is changing: digital resilience is no longer just an internal IT matter but a regulated business obligation subject to supervision and penalties.
What is DORA?
DORA is an EU regulation, not a directive, meaning it is directly applicable law that regulates the digital operational resilience of the financial sector. The regulation falls under the Digital Finance Package and applies to 20 categories of financial entities, ranging from banks and insurers to fintechs and crypto service providers.
The five pillars of DORA
DORA structures its requirements around five core areas:
ICT risk management: A comprehensive framework for identifying, classifying, and controlling ICT risks
Incident reporting: Major ICT incidents must be reported to regulators within strict deadlines
Testing digital resilience: Periodic penetration tests and resilience scenarios for critical systems
Third-party risk management: Contractual obligations, supplier registers, and concentration risk analysis
Information sharing: Proactively sharing threat information within the sector
What does DORA mean for software procurement?
The fourth pillar, third-party risk management, has a direct impact on how financial organisations procure and contract software:
Contractual minimum requirements: Every ICT contract must include clauses on SLA, incident notification, audit rights, exit plans, data location, and continuity
ICT supplier register: An up-to-date and complete register of all ICT suppliers is mandatory and must be available to regulators
Concentration risk: Excessive dependency on a single supplier (e.g., a single cloud provider) must be evaluated and reported
Subcontractors: Suppliers of your suppliers also fall within the scope of DORA
SoftVaro helps financial organisations map their software landscape and make contracts DORA-compliant.
Frequently Asked Questions
The most asked questions about this topic.
Who does DORA apply to?
DORA applies to banks, insurers, investment firms, payment institutions, crypto service providers, pension funds, and all ICT suppliers providing critical services to these institutions.
Does DORA apply to my software supplier?
Yes. If you provide software or ICT services to a financial institution subject to DORA, you as an ICT supplier are required to comply with the contractual DORA requirements imposed by that institution. Critical ICT suppliers may also fall directly under EU supervision.
What are the penalties for non-compliance with DORA?
Penalties can reach up to 2% of the total worldwide annual turnover. Additional sanctions apply to critical ICT suppliers directly supervised by the EU.
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.