DORA: what your financial sector customers now require from you
DORA is in force. If banks, insurers, or investment firms are your customers, they are now legally required to assess your ICT risk — and hold you to contractual security standards. Here is what that means in practice.
Does DORA affect you?
DORA does not directly regulate you as a software vendor — but it creates binding obligations on your customers that flow down to you. If any of the following apply, your financial customers are already asking for DORA evidence:
- You sell software, SaaS, or technology services to banks, insurers, or investment firms in the EU
- You provide cloud services, data analytics, or infrastructure to payment institutions or e-money firms
- You supply ICT tools used in credit institutions, pension funds, or crypto-asset service providers
- You are a subcontractor for a company that provides ICT services to financial entities
DORA applies to over 22,000 financial entities across the EU. If any of them are your customers, the downstream compliance pressure lands on you.
DORA timeline
Regulation EU 2022/2554 published. Two-year implementation period began.
European Supervisory Authorities (EBA, EIOPA, ESMA) published Regulatory Technical Standards covering ICT risk management, incident classification, TLPT, and third-party risk.
All financial entities must comply. ICT third-party risk management, incident reporting, and the register of ICT providers are active obligations. National competent authorities have begun supervision.
The European Supervisory Authorities will designate "critical ICT third-party providers" subject to direct EU-level oversight. Designation criteria include systemic importance and number of financial entities served.
What your financial customers need from you
Under Articles 28–30, financial entities must maintain a register of ICT third-party providers and ensure specific contractual provisions are in place. The documentation they need from you maps directly to five areas:
Security practices documentation
Financial entities must document your ICT security standards for their Article 28 register. They need to know: what security frameworks you follow (ISO 27001, SOC 2, etc.), how you handle access control, encryption, and network security, and how you manage security across your supply chain.
DORA Article 28(2), Article 30(2)(a)
ICT incident detection and notification
Your customers must report ICT-related incidents to their competent authority. To do that, they need to know about incidents at your end that affect their service. You need a documented incident response process and a way to notify affected financial customers promptly when incidents occur.
DORA Article 19, Article 30(2)(f)
Vulnerability and patch management transparency
Financial entities assess the risk of vulnerabilities in systems they rely on. They need visibility into your vulnerability disclosure process: how you identify, triage, and fix security issues, and what timelines to expect for patches affecting their operations.
DORA Article 30(2)(a), RTS on ICT risk management
Sub-processor and supply chain transparency
DORA Article 30 requires contractual provisions covering sub-outsourcing. Financial entities must know who has access to their data and what security standards sub-processors meet. You need to be able to document your software supply chain — including SBOMs showing third-party component dependencies.
DORA Article 30(2)(c), Article 30(4)
Audit trail and access rights
Financial entities must retain audit rights over ICT providers. They need evidence that you maintain access logs and activity records, and that security changes are tracked. An auditable record of who accessed what and when is a contractual requirement, not an optional extra.
DORA Article 30(2)(d), Article 30(5)
What DORA does not directly require from you
DORA is a regulation on financial entities. As an ICT provider, you have no direct regulatory obligations under DORA — but you face strong contractual and commercial pressure:
- You will not be fined directly by DORA — penalties fall on your financial customers for failing to manage ICT risk. But if you cannot provide adequate documentation, they will either demand it contractually or replace you with a vendor who can.
- No mandatory audit by the ESAs unless you are designated a "critical ICT third-party provider" — a high bar reserved for systemically important providers.
- No prescribed format for your ICT documentation — you need to provide what your customers' contracts require. A centralized security trust center that their compliance teams can access is the practical answer.
How Security2Center maps to DORA obligations
Security2Center gives your financial customers a single, self-serve portal to access the ICT documentation DORA requires. Here is how each feature maps:
Frequently asked questions
What is DORA?
DORA (Regulation EU 2022/2554) is the Digital Operational Resilience Act. It applies to over 22,000 financial entities in the EU — banks, insurers, investment firms, payment institutions, crypto-asset service providers, and others — requiring them to manage ICT risk rigorously, including the risk from third-party technology providers.
Does DORA apply to me as a software vendor?
Not directly. DORA regulates financial entities, not their ICT providers. However, DORA creates strong downstream pressure: financial entities must contractually require security standards, audit rights, and incident notification from you. If you cannot supply the required documentation, they will enforce it contractually or find a vendor who can.
What is the Article 28 register of ICT providers?
Article 28 requires every financial entity to maintain a register listing all ICT third-party providers, the services they provide, and the ICT risk assessment for each. You need to enable your customers to populate and maintain their entry about you — which means giving them access to your security documentation, certifications, incident history, and supply chain information.
What do DORA contractual requirements mean for vendor contracts?
Article 30 mandates that contracts between financial entities and ICT providers include: clear service level descriptions, data location and processing information, security standards (including encryption and access controls), incident notification timelines, audit and inspection rights, sub-outsourcing conditions, and exit strategies. Your trust center documentation serves as the reference point for these contractual provisions.
What are DORA's penalties?
Penalties fall on financial entities, not ICT providers directly. Essential entities can face fines up to 1% of average daily global turnover for each day of ongoing violation. More importantly for you as a vendor: failure to provide adequate DORA documentation is grounds for contract termination and exclusion from future financial sector procurement.
How does DORA relate to NIS2 and CRA?
DORA is lex specialis for financial entities — it takes precedence over NIS2 for organizations within its scope. The CRA affects you as a software manufacturer independently. Many vendors selling to the financial sector are subject to all three: CRA for product-level compliance, NIS2 for organizational resilience (if you are large enough), and DORA-driven contractual requirements from your financial customers.