Home  ›  Blog  ›  DORA Software Vendor Compliance
Compliance · EU Financial Services

DORA software vendor compliance — contracts as operational resilience.

The EU Digital Operational Resilience Act took effect on 17 January 2025 and rewrote how in-scope financial entities must contract for ICT services. Most existing software contracts — including renewals signed in 2023 and 2024 — fail Article 30 on at least three points. The remediation work is contractual, not technical, and renewal time is the practical moment to close the gaps.

Updated: June 2026 Reading time: 14 min Audience: CIO, Procurement, Legal, Risk
DORA Software Vendor Compliance
What DORA actually requires

A regulation, not a guideline.

DORA is an EU regulation, directly applicable in all member states, that replaces and consolidates the prior outsourcing guidelines from EBA, EIOPA and ESMA for ICT services. It establishes a uniform framework for operational resilience across the EU financial services sector and applies to a broad set of in-scope entities: credit institutions, investment firms, payment institutions, insurance and reinsurance undertakings, crypto-asset service providers, central counterparties, trade repositories, and others listed in Article 2.

Two structural choices shape its impact. First, DORA defines ICT services broadly to include all digital and data services provided through ICT systems — SaaS, IaaS, PaaS, managed services, and many software licensing arrangements where the vendor provides ongoing service. Pure perpetual licensing of on-premise software is typically out of scope, but the associated support and maintenance services typically are. Second, DORA introduces direct oversight of critical ICT third-party service providers by the European Supervisory Authorities — Microsoft Azure, AWS, Google Cloud, Oracle and several SaaS vendors are likely designated.

The Register of Information

DORA requires each financial entity to maintain a standardised Register of Information cataloguing all ICT third-party arrangements, with separate categorisation for arrangements supporting critical or important functions. The register is reported to national competent authorities annually and used to identify critical ICT third-party providers. Buyers should treat the register as procurement infrastructure, not a compliance artefact — it forces a single source of truth about ICT dependencies that supports renewal benchmarking, exit planning, and material-change tracking.

DORA renewal cycle in flight?

We run buyer-side DORA contract gap assessments for EU financial entities — Article 30 remediation, exit planning, audit-rights workouts.

Contact Us →
Article 30 in practice

The contractual mandatory provisions.

Article 30 specifies mandatory contractual provisions for all ICT services (Article 30(2)) and enhanced provisions for ICT services supporting critical or important functions (Article 30(3)). Most enterprise SaaS contracts signed before 2024 fail at least three of the Article 30(3) provisions, typically:

  1. Service descriptions and locations. The contract must specify which services are provided, from which locations, and for which entities and functions. Most SaaS MSAs are silent on location. Vendor-side standard clauses reserve the right to move processing without notice — this is no longer acceptable for in-scope services.
  2. Subcontracting chains. The contract must require the vendor to maintain and disclose the chain of subcontractors providing ICT services supporting critical or important functions, with prior notice of changes and customer rights to object on operational resilience grounds.
  3. Audit and access rights. The contract must grant the customer and the competent authorities unrestricted rights of access, inspection and audit — including on-site inspection at vendor premises. Standard SaaS audit clauses limited to SOC 2 attestations are insufficient on their own.
  4. Exit strategies and assistance. The contract must contain exit strategies, including transition periods during which the vendor continues service and provides reasonable assistance to a successor provider or in-house migration. Most SaaS MSAs cap exit assistance at 30 days; DORA effectively requires longer for critical functions.
  5. Termination rights. The contract must grant the customer specific termination rights, including for material vendor breach, regulatory direction, and material change in the vendor's circumstances. Standard "for cause" clauses are too narrow.

A practical renewal-time intervention covers all five at once. Splitting the work across multiple renewals creates exposure during the gap period and signals to the vendor that the buyer's leverage is fragmented.

Download the CIO Contract Governance Guide.

Cross-jurisdictional compliance — DORA, NIS2, FedRAMP, sectoral frameworks — mapped to renewal-time contractual remediation.

Get the guide →
Concentration and exit

Critical ICT third-party providers — the concentration problem.

DORA pays explicit attention to ICT concentration risk. Article 29 requires financial entities to assess concentration at the ICT third-party level (e.g., over-dependence on a single hyperscaler) and at the subcontracting level (e.g., multiple vendors backed by the same underlying infrastructure provider). For most EU financial entities, the practical work is a serious exit-feasibility test for the largest two or three ICT dependencies — typically the cloud hyperscaler, the core SaaS platform, and the core banking or insurance vendor.

Exit feasibility is rarely tested honestly. In our experience across 340+ engagements, vendor-supplied exit playbooks typically overstate the practical exit speed by a factor of two to three, and understate the customer-side technical and contractual lift. A defensible Article 28 exit strategy is a documented, costed, time-bound migration path — not a paragraph in the supervisor's questionnaire. The same documentary discipline that satisfies a DORA supervisor also underpins effective software license audit defense when a vendor turns a resilience review into a compliance claim.

Direct oversight of critical ICT third-party providers

The European Supervisory Authorities, acting through a Joint Oversight Forum, can designate ICT third-party providers as "critical" based on systemic importance and impose direct oversight requirements. Designated critical providers face inspection rights, recommendation powers, and potential periodic penalty payments. For the largest hyperscalers and SaaS platforms, this is the most material regulatory development in EU technology contracting in a decade.

When independent advisory pays back

FAQ

Common questions on this topic.

Who does DORA apply to?
DORA applies to in-scope EU financial entities (credit institutions, investment firms, payment institutions, insurance undertakings, crypto-asset service providers, and others listed in Article 2) and to their ICT third-party service providers. Critical ICT third-party providers face direct oversight from European Supervisory Authorities.
When did DORA take effect?
DORA's application date was 17 January 2025. EU financial entities have been subject to its requirements since then, including the requirement to maintain Registers of Information and to align ICT third-party contracts with DORA Article 30.
What are the mandatory contractual provisions under DORA?
Article 30 specifies mandatory contractual provisions for all ICT services and enhanced provisions for ICT services supporting critical or important functions. These include service descriptions, locations, security standards, audit rights, exit assistance, and termination rights — among others.
How does DORA differ from existing outsourcing guidelines like EBA, EIOPA, ESMA?
DORA replaces and consolidates the sectoral outsourcing guidelines for ICT services. The framework is broader (covers all ICT, not just outsourcing), more prescriptive on contracts, and introduces direct oversight of critical ICT third-party providers.
Are SaaS contracts subject to DORA?
Yes. DORA defines ICT services broadly to include all digital and data services provided through ICT systems — SaaS, IaaS, PaaS, managed services and many software licensing arrangements where the vendor provides ongoing service. Pure perpetual licensing of on-premise software is typically out of scope, but related support and maintenance services are typically in scope.
What is the Register of Information?
A standardised inventory each financial entity must maintain of all contractual arrangements with ICT third-party providers, with separate categorisation for arrangements supporting critical or important functions. It is reported to national competent authorities annually and used to identify critical ICT third-party providers for direct oversight.

DORA renewal cycle in flight?
We translate Article 30 into closed contractual clauses.

We represent enterprise buyers exclusively. No vendor relationships. Built around former licensing executives from Oracle, Microsoft, SAP and the major cloud vendors.

The Compliance Brief

Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.