DORA

What is the DORA Regulation?

DORA (Digital Operational Resilience Act) is an EU regulation designed to strengthen the digital resilience and cybersecurity of financial sector entities. The financial industry is already one of the most heavily regulated sectors, but DORA has a notably broad impact – affecting not only financial institutions themselves but also their IT service providers.

​

Although DORA directly applies only to financial sector entities, it inevitably affects IT companies providing services to them. The regulation has significantly changed how IT services are designed, delivered, and managed contractually.

 

Why does DORA also concern IT providers?

DORA requires financial entities to include certain minimum contractual clauses in their IT service agreements. Consequently, IT service providers must take these obligations into account if they wish to serve financial clients. The scope of obligations depends on how critical the service is from the client’s perspective. All IT services are subject to certain minimum requirements, and additional clauses must be included when the service supports the customer’s critical or important functions.

 

In some cases, DORA may even apply directly to the IT provider if the authority designates the provider as critical due to the systemic importance of its services to the financial sector.

 

What must be considered in contracts?

From the perspective of a financial entity, it is essential that its IT service agreement complies with DORA requirements. Depending on the nature of the service, the client may also wish to impose additional obligations on the provider to ensure that the client can meet its own DORA responsibilities in practice.

​

While DORA leaves room for negotiation in certain areas, some obligations are more rigid. Therefore, attention should be paid to balancing commercial interests, technical feasibility, and regulatory compliance. Negotiating such contracts requires not only legal expertise but also a strong understanding of business operations and IT services.