DORA for IT Service Providers – When SMEs Suddenly Have to Meet Banking Standards

The Digital Operational Resilience Act (DORA) is an EU regulation designed to ensure the cyber resilience and operational resilience of the European financial sector.

All regulated financial market participants are directly obligated: banks, insurers, investment firms, payment service providers, and fintechs. These companies must implement comprehensive requirements in the areas of ICT risk management, incident reporting, and resilience testing.

For most SMEs in the IT sector, the following applies: they are not directly subject to DORA, unless they are classified by the EU supervisory authorities as one of the few “critical ICT third-party service providers,” such as major hyperscalers. All other IT service providers are indirectly affected because their regulated customers must pass DORA requirements on to them contractually.

Although DORA is directly aimed at banks, insurers, and fintechs, it indirectly affects almost every IT service provider working with this sector.

Financial companies are now legally required to monitor their IT suppliers more closely and make them contractually accountable. For many small and medium-sized IT companies, this means they suddenly have to meet compliance requirements that were previously more common in large corporations, often without their own legal or compliance department.

DORA contains strict rules on the “management of third-party ICT risks.” Financial firms must demonstrate that their IT service providers do not represent a vulnerability in their own security chain.

In practice, this means for you:

• Stricter due diligence obligations: Financial clients must verify, both before entering into a contract and on an ongoing basis thereafter, whether your security measures are sufficient.
• Minimum contractual requirements: DORA mandates which clauses must be included in contracts with IT service providers-such as those regarding audit rights, exit strategies, and subcontractors.
• Incident reporting chains: If a relevant security incident occurs at your company, you must report it to your financial client extremely quickly so that they can fulfill their strict legal reporting obligations.

If you cannot provide the required evidence, your client risks running into problems with the regulator and, in case of doubt, will terminate the contract with you or not enter into it in the first place.

The specific expectations vary depending on how critical your service is. However, financial clients now typically require the following core areas:

• Information security management: Evidence of a structured, risk-based security concept, ideally ISO 27001, including documented policies.
• Incident management: Defined and tested processes for quickly detecting and reporting security incidents to the customer.
• Business continuity and disaster recovery: Documented emergency plans and regular testing of backup and recovery capabilities, including RTO and RPO.
• Subcontractor management: Full transparency regarding your own suppliers. You must guarantee that your subcontractors also comply with the required security standards.
• Audit and inspection rights: Contractual granting of audit rights that allow the financial client, or their auditors, to check your security on-site or via self-assessments.
• Exit strategies: Evidence of how data will be returned securely, completely, and in a usable format if the contract ends, helping to avoid vendor lock-in.

For SMEs, DORA readiness does not mean copying an enterprise compliance program overnight. In Article 4, the regulation explicitly refers to the principle of proportionality: measures must be proportionate to the size, risk, and complexity of the service provider. Use this step-by-step approach:

• Step 1: Take stock: Which of your customers are subject to DORA? Which services do you provide for them, and how critical are these services to the customer’s core business? Prioritize your focus accordingly.
• Step 2: Implement quick wins: Document processes you already follow in practice, such as your patch management or backup routines. Create a transparent list of your critical subcontractors.
• Step 3: Define incident reporting channels: Create a clear process for worst-case scenarios. Who informs the financial client in the event of a cyberattack, and within what timeframe?
• Step 4: Review contracts: Prepare for contract amendments. Check whether your liability clauses, audit rights, and subcontractor provisions align with your customers’ DORA requirements.

The international ISO 27001 standard for information security management systems (ISMS) is one of the most effective tools for IT service providers to meet DORA requirements.

• Broad coverage: The framework systematically covers almost all core areas that financial clients review under DORA, from risk analysis to supplier management.
• High market acceptance: An ISO 27001 certificate, or demonstrable progress in building such a system, reduces the customer’s review burden and significantly shortens due diligence processes.
• Scalability: An ISMS can be perfectly adapted to the manageable size of an SME.

Important to know: ISO 27001 is an excellent foundation, but not an automatic free pass. In some areas, such as the highly specific timeframes for incident reporting or the explicit requirements for exit scenarios, DORA requires a little more detail, which must be reflected individually in customer contracts.

Use this checklist for a self-assessment: is your company DORA-ready? The checklist summarizes the typical weaknesses of SMEs and the expectations of regulated customers.

Organization and security system

• A security concept or lightweight ISMS, for example based on ISO 27001, is in place.
• A person responsible for information security, such as an Information Security Officer, has been appointed internally.
• Employees receive regular awareness training on IT security and phishing.
• Basic technical measures, such as MFA for critical systems, network segmentation, and encryption, are active across the organization.

Emergency and incident management

• A documented process for detecting and escalating IT security incidents exists.
• Contractual reporting deadlines for customer notifications in the event of incidents are defined.
• A tested backup and recovery concept with defined recovery times, RTO and RPO, is in place.
• Business continuity plans, meaning emergency plans, are documented and regularly tested.

Supply chain and contracts

• All critical subcontractors, such as cloud or data center providers, are documented.
• Contracts with subcontractors contain appropriate security and data protection requirements.
• Standard contracts and terms and conditions have been expanded to include DORA clauses, such as audit rights, exit scenarios, and data portability.

Dealing with legal requirements alone can be tough. Contact us if you need expert advice.

DORA noticeably increases the compliance pressure on IT service providers, but it also offers SMEs a major opportunity to stand out in the market. Those who can proactively provide the required evidence not only secure existing customer relationships but also gain a real competitive advantage when acquiring regulated financial clients.

No one expects perfect compliance from day one. In practice, a clear, documented roadmap, guidance from proven standards such as ISO 27001, and transparent communication with your customers are usually enough to become DORA-ready.

Do I now need to build my own compliance department as a small IT service provider?

No. Thanks to the principle of proportionality, it is completely sufficient for SMEs to appoint one person responsible for information security, such as an Information Security Officer, to coordinate the topic. What matters is that the documented processes are actually followed in practice. If you need external support from experts, feel free to contact us.

What happens if I simply refuse to sign the new DORA clauses in the contract?

Since financial institutions are legally required to enforce these clauses with their service providers, they risk significant fines if they fail to do so. If you do not sign, the customer will have to end the collaboration in the long term.

Does DORA also apply to us if we only provide software development without hosting?

Yes, if your software is used for critical or important functions of the financial institution. Financial clients must then ensure that your software development lifecycle (SDLC) is secure in order to minimize risks such as code vulnerabilities or supply chain attacks.