If you provide ICT (information and communication technology) services to financial institutions in the EU – whether managed services, SaaS (software as a service), cloud facilities, payment infrastructure, or other tools and platforms – then DORA (the EU Digital Operational Resilience Act) affects you.
What does DORA do?
DORA creates a single, EU-wide framework for ICT risk management, incident reporting, resilience testing, third-party risk and information sharing for financial services companies. It also establishes a supervisory regime for their third-party ICT providers.
For suppliers, two points are therefore important:
- Supervisory authorities can require action. Critical providers may be supervised at EU level, asked to remediate weaknesses, participate in thematic reviews and provide documentation. Even if you are not designated ‘critical’, expect tougher evidence requests via client audits, exit plans and testing.

- Non-compliance can be costly. DORA enables significant administrative measures and fines (in some cases up to 2% of annual turnover). There is, of course, also an immediate commercial disadvantage to non-compliance: missed bids, stalled onboarding and lost renewals if you cannot satisfy DORA-driven assurance requirements.

What it means in practice
You will likely see DORA in RFPs (requests for proposal), due diligence and contract schedules, in which you’ll be asked about the following:
- Incident management and reporting.
  - Demonstrate roles, runbooks and SLAs (service level agreements).
  - Classify incidents in a way that aligns with client thresholds.
  - Commit to timely notification with agreed artefacts.
  - Show post-incident reviews and corrective actions.

- Resilience testing participation.
  - Support client-led scenario exercises and, where relevant, advanced testing (e.g. threat-led).
  - Show how you plan, run and learn from continuity and recovery tests.
  - Provide results summaries without exposing confidential details.

- Control evidence on demand.
  - Provide a current control framework mapping to recognised standards (e.g. ISO 27001, ISO 22301).
  - Share independent assurance (certificates, SOC 2 reports, penetration test summaries).
  - Evidence change management, configuration hardening, vulnerability management and patch KPIs.
  - Show supply-chain risk management for your own critical sub-processors.

- Service continuity and exit planning.
  - Document RTOs (recovery time objectives)/RPOs (recovery point objectives), data backup regimes and restoration testing frequency.
  - Evidence capacity management and dependency monitoring.
  - Provide client-ready exit support and data portability plans.

- Contractual commitments.
  - Accept clauses covering incident notification, audit/access rights, resilience testing cooperation, data location, sub-processor controls and termination assistance.
  - Align SLAs, credits and reporting cadence to client regulatory obligations.

- Governance and accountability.
  - Name accountable owners.
  - Show how senior management oversees ICT risk and resilience.
  - Provide training records for relevant staff.

Why it matters now
DORA has applied since 17 January 2025. For ICT providers, the risks are immediate:
- Revenue risk.
  - Slower onboarding if you can’t supply evidence quickly.
  - Lost renewals where competitors look “more DORA-ready”.
  - Barriers to entry for new markets or larger clients.

- Reputational risk.
  - Being named as a weak link in client audits or incident communications.
  - Increased scrutiny from multiple clients at once after sector events.

- Cost of catch-up.
  - Last-minute remediation is expensive.
  - Retro-fitting documentation to existing practices drains teams and delays deals.

There are also upsides:
- Early-mover advantage.
  - “DORA-ready” status differentiates you in crowded RFPs.
  - Shorter sales cycles when assurance packs are complete and current.
  - Stronger, more resilient operations – fewer outages, faster recovery and clearer accountability.

Doing the work once, then packaging the evidence for clients, pays back fast.
How we can help
If you are new to DORA’s structure and terminology, start with focused training. Our Certified DORA Foundation training course gives your team the essentials in a single, structured course so you can align obligations with your existing ISO 27001 and business continuity controls, and respond to client requests with confidence.
To accelerate your DORA implementation, pair training with a ready-made document set. The ISO 27001:2022 and DORA Integrated Toolkit helps you map and evidence controls against DORA’s requirements, fast – ideal for building your supplier assurance pack.
The post What DORA Means for ICT Suppliers: MSPs, SaaS and Cloud in Scope appeared first on IT Governance Blog.