DORA and Software Providers: Who Is Responsible for What?
DORA is often reduced to one of two claims: either the software provider must now meet every regulatory requirement, or DORA concerns the financial entity alone. Neither is an adequate account of the position.
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector has applied since 17 January 2025.[1] Primary regulatory responsibility remains with the financial entity. At the same time, DORA requires much tighter governance of ICT third-party service providers and mandatory contractual provisions. Critical providers are also subject to direct oversight at European level.
Outsourcing does not transfer accountability
Article 28(1)(a) DORA makes clear that a financial entity remains fully responsible for compliance with its obligations when using external ICT services.[1]
It must manage ICT third-party risk as an integral component of its ICT risk-management framework. This includes a strategy, a policy for services supporting critical or important functions, and a register of information covering ICT contractual arrangements.[1, Article 28(2)–(3)]
Before entering into a contract, the entity must assess matters including:
- the importance of the function supported,
- regulatory conditions,
- operational, security and concentration risks,
- the provider’s suitability and information security standards,
- conflicts of interest,
- risks arising from subcontractors and third countries.
The financial entity cannot replace that assessment with a general reference to a certificate or to the supplier’s own responsibility.
DORA reaches providers through contracts
Article 30 DORA requires the parties’ rights and obligations to be set out clearly in writing, together with the service levels.[1][5]
Contractual arrangements for the use of ICT services within DORA's scope must address matters including:
- a complete description of services and functions,
- the subcontracting information required by Article 30(2)(a),
- locations where services are provided and data is processed and stored,
- requirements for availability, authenticity, integrity and confidentiality,
- access to, recovery and return of data,
- service levels and their revision,
- assistance with ICT incidents,
- cooperation with competent authorities and resolution authorities,
- termination rights and notice periods.
For services supporting critical or important functions, further requirements include specific provisions on whether and under what conditions material parts may be subcontracted, measurable service levels, reporting duties, tested contingency plans, security measures, participation in threat-led penetration testing and extensive access, inspection and audit rights.[1, Article 30(2)(a) and (3)]
For ordinary ICT third-party service providers, operational DORA requirements are generally made concrete through DORA-compliant contracts entered into by the financial entity. Whether an amendment is required also depends on the content and interpretation of the existing contract. Providers designated as critical are additionally subject to the direct EU oversight framework under Articles 31 et seq. DORA.
Exit capability is part of resilience
For critical or important functions, DORA requires documented and tested exit strategies.[1, Article 28(8)] The entity must consider alternatives, transition plans and the continuity of its functions.
The contract should therefore cover more than business-as-usual service. Data portability, transition assistance, appropriate transition periods and clear termination rights are part of resilience. A service may work perfectly well from a technical perspective and still present a regulatory problem if dependencies cannot be controlled or changing provider would be impracticable.
Subcontractors and concentration risks
Article 29 DORA requires financial entities to assess concentration risk and subcontracting chains.[1] Relevant considerations include limited substitutability, several critical services concentrated with one provider, third-country risk, data protection, insolvency, and long or opaque subcontracting chains.
Delegated Regulation (EU) 2025/532 specifies how subcontracting arrangements for services supporting critical or important functions are to be assessed.[2] For providers, this means that technically permissible subcontracting may still be unacceptable where transparency, control rights or exit capability are lacking.
Designated critical providers are subject to the European oversight framework
Under Article 31 DORA, the European Supervisory Authorities may designate ICT third-party service providers as critical. Relevant criteria include systemic impact, the importance of the financial entities served, dependencies and substitutability.[1]
In November 2025, the ESAs published their first list, designating 19 critical ICT third-party providers.[3] A Lead Overseer is appointed for each. Under DORA's specific oversight framework, it may request information, conduct investigations and on-site inspections, and issue recommendations on governance, security, incidents, testing, data portability and subcontracting risks.[1, Articles 35 and 37–42]
This direct oversight does not apply to every software supplier. It nevertheless shows why the claim that “DORA is never directed at providers” is also wrong.
Does DORA require additional services free of charge?
DORA contains no general rule requiring a provider to develop every regulatory enhancement at no charge. Article 30 prescribes contractual content; it does not generally determine the remuneration of future software development.
Article 30(2)(f) is particularly instructive: assistance in the event of an ICT incident must be agreed either at no additional cost or at a cost determined in advance.[1] The Regulation thus expressly permits different pricing models.
Whether a particular modification is already owed depends in particular on:
- the service description and agreed purpose,
- any commitment to regulatory compliance,
- service levels,
- update, maintenance and support clauses,
- change and compliance clauses,
- the contractual concept of a defect and the type of contract.
BaFin highlighted at an early stage that ICT third-party contracts would need to be renegotiated.[4] Renegotiation is not the same as an automatic, cost-free amendment.
Practical steps for both parties
Financial entities should classify their ICT dependencies, maintain their registers of information and criticality assessments, prioritise contractual gaps and test exit plans.
Providers should define transparently which DORA-relevant services form part of their standard offering and which must be agreed separately. This includes information on subcontractors, data locations, incident assistance, audit models, data return, resilience testing and transition services.
Conflict often arises not from DORA itself but from unclear legacy contracts. If scope, cost and cooperation are first discussed during an incident, the negotiation has happened too late.
Conclusion
DORA leaves primary accountability with the financial entity, but closely integrates ICT third-party service providers through due diligence, contracts, oversight and exit requirements. Critical providers may also be subject to direct European oversight.
DORA does not turn every software supplier into a financial supervisor. It does, however, make ICT contracts a central instrument of operational resilience.
Professional scope: This article describes the regulatory framework. Classifying a particular contract and determining existing payment or defect-related claims requires case-specific legal advice.
Sources
[1] European Parliament and Council. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector, OJ L 333, 27 December 2022, pp. 1–79, in particular Articles 28–35 and 42. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554.
[2] European Commission. Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 concerning subcontracting ICT services supporting critical or important functions. https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng.
[3] European Supervisory Authorities. European Supervisory Authorities designate critical ICT third-party providers under DORA. 18 November 2025. https://www.eba.europa.eu/publications-and-media/press-releases/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital (accessed 11 July 2026).
[4] German Federal Financial Supervisory Authority (BaFin). DORA für IKT-Drittdienstleister [DORA for ICT third-party service providers]. Presentation of 21 February 2024. https://www.bafin.de/SharedDocs/Downloads/DE/Anlage/dl_Praesentation_DORA_IKT_Drittdienstleister.pdf?__blob=publicationFile&v=1.
[5] German Federal Financial Supervisory Authority (BaFin). Mindestvertragsinhalte nach DORA [Minimum contractual provisions under DORA], July 2025 version. https://www.bafin.de/SharedDocs/Downloads/DE/Anlage/dl_Mindestvertragsinhalte_DORA_DE_EN.html (accessed 11 July 2026).