
DORA for SaaS Providers and Bank Suppliers: What 'Critical ICT Third-Party Providers' Must Deliver in 2026

SecTepe Editorial

DORA (Digital Operational Resilience Act) has applied to EU financial institutions since January 2025. What many SaaS providers, IT service providers, and FinTech platforms underestimate: as soon as a financial institution uses your service and you're classified as a "critical ICT third-party provider", DORA obligations apply to you as well – passed through via the service contract.

When a Supplier Becomes "Critical"

DORA Art. 28 + RTS define "critical ICT third-party providers" via four criteria:

  • Function is critical or important for the continuous delivery of the financial service.
  • Hard to replace without significant impact on customers or market position of the financial customer.
  • Concentration indicator: many financial customers depend on the same provider (cloud provider, core banking, a specific SaaS workflow).
  • Data sensitivity: processing of critical or regulation-relevant data.

Anyone meeting one, two, or all of these criteria should expect intensified DORA requirements from their financial customers.

What DORA Passes Through Technically

1. ICT Risk Management Framework, Approved by the Board

Written, annually updated, with documented management approval. This includes: asset inventory, risk assessment, treatment plan, effectiveness reviews. The multi-framework platform helps because the ISO 27001 foundation covers 80 % of DORA requirements.

2. Incident Classification With RTS Triggers

Every incident is classified (high/medium/low) per DORA RTS. "Major" incidents must be reported within 4 h, with initial, intermediate, and final reports. Integrated health monitoring + audit log delivers the data in minutes instead of days.

3. Operational Resilience Tests

Annual resilience tests, documented; for significant providers, TIBER-EU-conformant threat-led penetration testing every 3 years. Results are archived and lessons learned are implemented.

4. Contract Requirements DORA Art. 30

  • Audit rights for the financial customer + supervisory authority
  • Service levels with sanctions
  • Exit plan documented (data return, migration support)
  • Sub-contracting transparency (which suppliers does the provider use?)
  • Incident notification to the financial customer, with deadline
  • Key personnel clause

5. Concentration Risk Analysis

If your service has many financial customers, the supervisor (BaFin, EBA, SSM) will examine the aggregated risk situation. Multiple bank outages due to one SaaS incident = systemic risk = direct supervision by the ESAs.

What Financial Customers Demand From Suppliers in 2026

From real supplier audits 2025/2026:

  • ISO 27001 certificate (often a minimum requirement)
  • Trust center with current compliance evidence (white-label trust center delivers this publicly)
  • Sub-processor list in GDPR-compliant form
  • Pen-test report ≤12 months old
  • Backup + restore-test logs
  • EU hosting confirmation with Schrems II assessment
  • SLA agreement with incident response
  • Exit plan with data migration formats

Strategic Consequences

Option 1: Position DORA as a Sales Advantage

If you want to actively acquire financial customers: prove DORA conformity proactively. This opens doors that are closed for other SaaS providers.

Option 2: Deliberately De-Prioritize Financial Customers

If financial customers are only 5 % of revenue and DORA obligations cause 30 % higher compliance costs, it can make strategic sense not to actively cultivate the segment. But then document in writing that the service is "not suitable for financial services"; otherwise, accepting the contract triggers the transfer of obligations.

Option 3: Manage Sub-Contracting Structurally

If you yourself use cloud providers or other SaaS, DORA obligations reach further down the chain: your own suppliers must also be DORA-suitable. A TPRM module with a DORA extension manages that.

Realistic Compliance Effort Estimate

  • SaaS with ISO 27001 in place: ~30 PD (person-days) additional for the DORA extension (contract templates, incident RTS, exit plan).
  • SaaS without ISO 27001: ~120 PD for the ISO foundation + ~30 PD DORA top-up.
  • Annual ongoing effort: 15–25 PD for reviews, re-tests, and contract updates.

Conclusion

DORA affects you if even one financial institution uses your service – and affects you massively if you become a "critical ICT third-party provider". An integrated compliance and security platform with ISO 27001 foundation and DORA top-up brings you within 4–6 months to a state where you pass financial supplier audits without drama. Anyone planning to grow with financial customers in 2026 should not defer this.