DORA explained: impact on software procurement in the financial sector
DORA comes into effect on January 17, 2025, fundamentally changing how financial organisations procure and contract software. Here’s everything you need to know about the five pillars, the contractual requirements, and the impact on vendor management.
- February 1, 2025
- 5 min
- DORA – Digital Operational Resilience Act
DORA, the Digital Operational Resilience Act, will be effective across all EU member states from January 17, 2025. For financial organisations and their ICT suppliers, this represents a fundamental shift: digital resilience is no longer just an internal IT issue, but a regulated business obligation subject to supervision and fines.
What is DORA?
DORA is an EU regulation, not a directive, meaning it is directly applicable legislation that governs the digital operational resilience of the financial sector. The regulation is part of the Digital Finance Package and applies to 20 categories of financial entities, ranging from banks and insurers to fintechs and crypto-service providers.
The five pillars of DORA
DORA structures its requirements around five core areas:
ICT risk management: A comprehensive framework for identifying, classifying and controlling ICT risks
Incident reporting: Major ICT incidents must be reported within strict deadlines to regulators
Testing digital resilience: Regular penetration tests and resilience scenarios for critical systems
Third-party risk management: Contractual obligations, vendor registers and concentration risk analysis
Information sharing: Proactive sharing of threat information within the sector
What does DORA mean for software procurement?
The fourth pillar, third-party risk management, has a direct impact on how financial organisations procure and contract software:
Contractual minimum requirements: Every ICT contract must include clauses on SLA, incident notification, audit rights, exit plans, data location and continuity
ICT vendor register: An up-to-date and complete register of all ICT vendors is mandatory and must be accessible to regulators
Concentration risk: Overreliance on a single supplier (e.g., one cloud provider) must be assessed and reported
Subcontractors: Suppliers of your suppliers also fall within DORA’s scope
SoftVaro helps financial organisations map their software landscape and ensure contracts are DORA-compliant.
Frequently Asked Questions
The most common questions about this topic.
Who does DORA apply to?
DORA applies to banks, insurers, investment firms, payment institutions, crypto-service providers, pension funds, and all ICT suppliers providing critical services to these institutions.
Does DORA apply to my software supplier?
Yes. If you supply software or ICT services to a financial institution subject to DORA, you as an ICT supplier are required to comply with the contractual DORA requirements imposed by the financial institution. Critical ICT suppliers may also be directly subject to EU supervision.
What are the fines for non-compliance with DORA?
Fines can reach up to 2% of total worldwide annual turnover. Additional sanctions apply to critical ICT suppliers directly supervised by the EU.
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.