DORA in Practice: ICT Contracts, Operational Resilience and What Companies Are Actually Negotiating
The Digital Operational Resilience Act (“DORA”) is often described as an ICT or cybersecurity regulation for the financial sector. In practice, it is much broader than that.
DORA changes how financial entities oversee technology risk, assess ICT providers, negotiate contracts, structure outsourcing relationships, manage operational resilience, and allocate internal responsibilities among legal, compliance, procurement, security, infrastructure, and operational teams.
Over the past year, this has become increasingly visible in contract negotiations across the market. SaaS providers, cloud vendors, cybersecurity companies, AI providers, analytics platforms, infrastructure providers, and managed service providers are increasingly receiving DORA questionnaires, contractual addendums, resilience assessments, and operational oversight requests from financial sector customers, even where the provider itself is not directly regulated as a financial entity.
This has created additional work for many companies, which are now asking the following questions:
Why does DORA affect SaaS providers outside the financial sector?
Which companies are actually in scope?
When should DORA clauses be accepted, negotiated, or pushed back on?
Why are customers suddenly asking detailed questions about subcontractors, resilience capabilities, or data center locations?
Which obligations are legal questions and which require technical validation?
What DORA Actually Is
The Digital Operational Resilience Act (DORA) was introduced to strengthen the operational resilience of the EU financial sector against ICT disruptions, cyber incidents, infrastructure failures, and third-party dependency risks.
The regulation became applicable on 17 January 2025 and applies directly to a broad range of regulated financial entities, including banks, insurers, investment firms, payment institutions, crypto-asset service providers, and other regulated financial actors.
At its core, DORA requires those entities to ensure they can:
continue operating during ICT disruptions,
manage operational and cyber incidents,
oversee technology-related risk,
and maintain resilience even where critical functions rely on external ICT providers.
The reason ICT providers are increasingly pulled into DORA discussions is relatively straightforward: financial institutions today are heavily dependent on external technology environments.
Cloud infrastructure, SaaS platforms, outsourced operational tooling, cybersecurity services, AI solutions, analytics environments, and communication systems now form part of the operational backbone of many financial entities.
As a result, increasing attention is being placed on the resilience of the broader ICT ecosystem supporting the financial sector.
This is also where the concept of “critical” or “important” functions becomes relevant under DORA, which places significant emphasis on ICT third-party risk management under Articles 28–44 of the regulation.
Why SaaS and ICT Providers Are Increasingly Affected
One of the most common misconceptions around DORA is that it only matters for companies formally operating in the financial sector.
In practice, DORA is often relevant because of the customer relationship, not because the provider is regulated as a financial institution.
Financial entities subject to DORA are expected to oversee ICT providers supporting “critical or important functions.” This includes assessing operational dependency, resilience capabilities, subcontracting structures, incident management processes, and broader ICT risk exposure.
Importantly, “critical” does not only mean infrastructure-level cloud environments or hyperscalers.
In practice, relatively standard SaaS platforms may become operationally important where:
employees cannot perform essential operational functions without the service,
the platform supports regulated activities,
the outage would materially disrupt operations,
or the institution lacks realistic alternatives during an incident.
We increasingly see DORA obligations flowing into agreements involving:
HR and workforce management platforms,
customer onboarding systems,
CRM and operational tooling,
AI and analytics providers,
cybersecurity vendors,
communication platforms,
cloud and hosting environments,
and outsourced support providers.
As a result, many technology companies that historically negotiated relatively standard enterprise SaaS agreements are now facing DORA addendums, resilience questionnaires, audit negotiations, incident reporting clauses, subcontractor transparency obligations, and operational oversight requirements.
Why Customers Are Asking About Data Center Locations
One area that increasingly creates confusion during DORA negotiations is the level of detail customers request regarding infrastructure and hosting environments.
Many ICT providers are now being asked:
where their data centers are located,
which jurisdictions are involved,
whether backup or disaster recovery environments exist in other regions,
which subcontractors or cloud providers are used,
and whether operational functions are concentrated within a single geographic area.
Under DORA, financial entities are expected to understand operational dependency and concentration risk within their ICT supply chain.
In practice, data center location becomes relevant because it may affect:
operational resilience during regional outages,
geopolitical or jurisdictional risk,
concentration risk,
disaster recovery capabilities,
supervisory access expectations,
and the institution’s ability to continue operating during disruptions.
For example, a financial entity may need to assess whether all operational workloads are concentrated in a single region, whether backup environments are separate, whether a cloud provider outage could affect multiple critical systems simultaneously, or whether a subcontractor chain creates excessive dependency on a single infrastructure provider.
We increasingly see customers requesting visibility into disaster recovery sites, backup storage regions, support operations locations, and material subcontracting chains beyond their primary hosting locations.
This is also one reason why subcontractor transparency obligations are becoming more detailed in DORA negotiations.
Importantly, this does not necessarily mean providers must disclose unlimited infrastructure information or sensitive architectural details.
In practice, many providers negotiate balanced approaches that allow customers to assess operational resilience and concentration risk without disclosing sensitive security information or more of the broader infrastructure architecture than is necessary.
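As an added illustration (not code from the original article), the following Python sketch runs the four concentration checks described above over a constructed service register; the service names, regions and provider names are invented for the example.

```python
# Added example, not part of the original article: flag the dependency
# patterns the text lists (single-region workloads, DR colocated with
# production, one cloud provider behind several critical systems, and
# subcontractor chains converging on a provider already used directly).
from collections import defaultdict

# Constructed register: service -> critical?, primary region, DR region,
# direct provider, and the infrastructure providers behind its subcontractors.
SERVICES = {
    "core-banking":   dict(critical=True,  primary="eu-west-1", dr="eu-west-1",
                           provider="CloudA", subs=["CloudA"]),
    "payments-api":   dict(critical=True,  primary="eu-west-1", dr="eu-central-1",
                           provider="CloudA", subs=["MonitoringCo"]),
    "hr-platform":    dict(critical=False, primary="eu-north-1", dr="eu-west-1",
                           provider="CloudB", subs=[]),
    "kyc-onboarding": dict(critical=True,  primary="eu-west-1", dr="eu-west-1",
                           provider="SaaSVendor", subs=["CloudA", "IdVerifyCo"]),
}

def assess(services):
    """Return (finding, detail) tuples for services supporting critical functions."""
    findings = []
    critical = {n: s for n, s in services.items() if s["critical"]}
    # (1) DR in the same region as production gives no regional resilience.
    for name, s in critical.items():
        if s["primary"] == s["dr"]:
            findings.append(("dr_same_region", name))
    # (2) Every critical workload runs from one primary region.
    regions = {s["primary"] for s in critical.values()}
    if len(regions) == 1:
        findings.append(("single_region", regions.pop()))
    # (3) One provider behind more than one critical system: a single
    #     outage could hit several critical functions simultaneously.
    by_provider = defaultdict(list)
    for name, s in critical.items():
        by_provider[s["provider"]].append(name)
    for prov, names in by_provider.items():
        if len(names) > 1:
            findings.append(("provider_concentration", prov))
    # (4) A subcontractor chain that lands on a provider the entity already
    #     depends on directly: real dependency exceeds the direct contracts.
    for name, s in critical.items():
        for sub in s["subs"]:
            if sub in by_provider and sub != s["provider"]:
                findings.append(("hidden_dependency", f"{name}->{sub}"))
    return findings
```

The non-critical HR platform is deliberately left out of every check, mirroring the "critical or important function" scoping the article describes.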
What Companies Are Actually Negotiating
One of the most noticeable developments across the market has been the large-scale rollout of standardised DORA addendums by financial entities.
Many procurement and legal teams are simultaneously revisiting supplier agreements across their vendor ecosystems. In practice, this often results in highly standardised contractual positions being proposed across very different service models and risk profiles.
We have seen requests for:
unrestricted audit rights,
mandatory cooperation during resilience testing,
extensive access to internal security documentation,
broad subcontractor approval rights,
detailed business continuity obligations,
and highly aggressive incident notification timelines.
Some of these requests are understandable from a regulatory perspective. Financial entities are under increasing pressure to demonstrate operational resilience and ICT oversight to regulators.
At the same time, not every proposed contractual position is automatically appropriate, proportionate, or operationally realistic.
For example, in several negotiations, we have seen customers request audit provisions that would effectively permit direct access into multi-tenant SaaS or cloud environments shared across multiple customers. Providers often cannot accept such clauses without creating separate confidentiality, security, or infrastructure risks.
Similarly, many standard DORA templates are drafted without sufficient consideration of how modern cloud or SaaS environments actually operate technically.
This is why sophisticated DORA negotiations increasingly focus on whether the proposed implementation model is operationally workable.
Incident Reporting: One of the Most Sensitive Areas in Practice
Incident reporting obligations are one of the most heavily negotiated areas under DORA.
Under the regulation, financial entities are expected to establish processes for managing and reporting ICT-related incidents. As a result, customers increasingly seek detailed contractual notification obligations from ICT providers.
In practice, we have seen requests requiring providers to:
notify incidents “immediately upon awareness,”
provide extensive real-time updates,
disclose detailed forensic information early in investigations,
or commit to rigid reporting timelines before operational impact is even understood.
These clauses often create tension between legal expectations and operational reality.
During the initial stages of an incident, technical teams frequently do not yet know:
the root cause,
the affected systems,
whether the event is isolated or systemic,
the actual customer impact,
or whether the incident ultimately becomes reportable under regulatory frameworks.
This is why incident reporting clauses often require careful calibration.
More workable contractual structures usually distinguish between initial awareness, preliminary notification, ongoing status updates, and confirmed incident reporting.
Providers should also assess whether proposed obligations:
are operationally realistic,
align with internal incident response processes,
conflict with forensic containment measures,
or create broader legal and security risks.
Final Thoughts
DORA is changing how operational resilience, outsourcing oversight, technology dependency, and ICT risk allocation are assessed across the EU financial sector.
For ICT providers and SaaS companies, this means that even organisations outside the financial sector may face extensive DORA-driven contractual and operational expectations from customers.
Our recommendation is to assess whether the obligations being proposed:
reflect the actual operational role of the provider,
are proportionate to the service being delivered,
align with technical and operational reality,
and can realistically be implemented in practice.
This assessment should involve both the legal and technical teams.
—
The content of this article is general information, not tailored legal advice for your specific situation. It has a strictly informative and general purpose; the information contained does not constitute legal advice.
Every business is different. For personalized consultancy, schedule a consultation call or write to us directly at 📧 anamaria@legallyremote.online.