Compliance guide

DORA Explained: Impact on Software Procurement in the Financial Sector

DORA comes into effect on 17 January 2025 and fundamentally changes how financial organisations procure and contract software. This is everything you need to know about the five pillars, the contractual requirements, and the impact on supplier management.

  • 1 February 2025
  • 5 min
  • DORA – Digital Operational Resilience Act

DORA, the Digital Operational Resilience Act, will apply in all EU Member States from 17 January 2025. For financial organisations and their ICT suppliers, this marks a fundamental shift: digital resilience is no longer just an internal IT issue, but a regulated business obligation subject to supervision and fines.

What is DORA?

DORA is an EU regulation, not a directive: it is directly applicable legislation that regulates the digital operational resilience of the financial sector. The regulation is part of the Digital Finance Package and applies to 20 categories of financial entities, ranging from banks and insurers to fintechs and crypto service providers.

The Five Pillars of DORA

DORA structures its requirements around five core areas:

  • ICT Risk Management: A comprehensive framework for identifying, classifying and managing ICT risks

  • Incident Reporting: Major ICT incidents must be reported to regulators within strict timelines

  • Testing Digital Resilience: Periodic penetration tests and resilience scenarios for critical systems

  • Third-Party Risk Management: Contractual obligations, supplier registers and concentration risk analysis

  • Information Sharing: Proactively sharing threat intelligence within the sector

What Does DORA Mean for Software Procurement?

The fourth pillar, third-party risk management, has a direct impact on how financial organisations procure and contract software:

  • Contractual Minimum Requirements: Every ICT contract must include clauses on SLA, incident notification, audit rights, exit plans, data location, and business continuity

  • ICT Supplier Register: An up-to-date and comprehensive register of all ICT suppliers is mandatory and must be available to regulators

  • Concentration Risk: Excessive dependence on a single supplier (e.g. one cloud provider) must be assessed and reported

  • Subcontractors: Your suppliers’ subcontractors also fall within the scope of DORA

SoftVaro assists financial organisations in mapping their software landscape and making their contracts DORA-compliant.

Frequently Asked Questions

The most commonly asked questions on this topic.

Who does DORA apply to?

DORA applies to banks, insurers, investment firms, payment institutions, crypto service providers, pension funds, and all ICT suppliers delivering critical services to these entities.

Does DORA also apply to my software provider?

Yes. If you supply software or ICT services to a financial institution subject to DORA, you as an ICT supplier are obligated to comply with the contractual DORA requirements imposed by the financial institution. Critical ICT suppliers may also fall directly under EU supervision.

What are the penalties for non-compliance with DORA?

Fines can reach up to 2% of the total global annual turnover. For critical ICT suppliers directly supervised by the EU, additional sanctions apply.

Ready to save on software?

SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.
