The Digital Operational Resilience Act (DORA) is widely understood as legislation for banks and financial services firms. That understanding is incomplete. DORA also creates binding requirements for the ICT suppliers that serve those financial firms — and in Ireland, that means a significant number of technology companies, managed service providers, software vendors, and cloud service providers are now in scope for DORA's third-party framework.
If a financial services client has sent you a security questionnaire referencing DORA, or has asked you to sign an addendum to your contract covering audit rights, incident notification, and exit plans, this article explains what is happening and what you are required to do.
Why Non-Financial Suppliers Are in Scope
DORA applies directly to financial entities — banks, insurance companies, investment firms, payment institutions, and others regulated under EU financial services law. Those financial entities are required to manage their ICT third-party risk: identifying, classifying, and managing the risk represented by every technology supplier that provides services to them.
The result is that DORA's requirements flow downstream to suppliers. Financial entities cannot be DORA-compliant if their suppliers refuse to engage with DORA requirements. In practice, this means:
- Financial firms are including DORA-specific security requirements in contracts with ICT suppliers
- They are sending security questionnaires covering DORA's specified due diligence areas
- They are requiring suppliers to agree to contractual clauses around audit rights, incident notification, sub-outsourcing controls, and exit plans
- Suppliers who cannot or will not engage with these requirements are at risk of losing financial services clients
The Three Tiers of DORA Third-Party Scope
Critical Third-Party Providers (CTPPs)
A small number of ICT providers — primarily large cloud infrastructure providers, major software platforms, and systemically important technology firms — have been formally designated as Critical Third-Party Providers under DORA. These firms are subject to direct oversight by EU financial supervisory authorities. This tier is unlikely to include most Irish SMEs.
ICT Suppliers to Financial Entities — Contractual Requirements
The majority of DORA's downstream impact on Irish IT suppliers comes through contractual requirements. If you supply ICT services to a DORA-regulated financial entity, that entity must include specified mandatory clauses in its contract with you. These clauses cover:
Service description and SLAs. A clear description of the ICT services you provide, agreed service levels, data location and processing locations, and provisions for capacity and performance.
Security requirements. Requirements to maintain appropriate security controls for the services you provide, including access controls, encryption, vulnerability management, and security monitoring.
Incident notification. An obligation to notify the financial entity promptly of any security incident or major operational disruption affecting the services you provide. DORA specifies this should include ICT-related incidents that have or may have an impact on the financial entity.
Audit rights. The right of the financial entity — and, where relevant, their regulators — to audit your provision of services. This is typically scoped to the services provided and does not give blanket access to your business, but you must agree to it in principle.
Sub-outsourcing controls. Notification and approval requirements if you sub-outsource the services you provide. The financial entity needs visibility of the supply chain behind the services they receive.
Business continuity. Requirements to maintain business continuity and recovery capabilities for the services you provide, consistent with the financial entity's recovery objectives.
Exit and termination provisions. Data return and deletion procedures, knowledge transfer obligations, and transition support to facilitate an orderly exit if the contract is terminated.
Security Questionnaire Recipients
Even suppliers who are not yet under a formal DORA-referenced contract may receive security questionnaires from financial clients as part of those clients' third-party risk management programmes. Responding to these questionnaires accurately and completely is the starting point.
What DORA Requires You to Have in Place
If you supply ICT services to financial entities and are signing DORA-compliant contracts, the following need to be real, documented, and demonstrable — not just asserted:
An incident response process. You must be able to notify the financial entity of significant incidents promptly. This requires a defined process for identifying, assessing, escalating, and communicating incidents. If you have no documented incident response process, you cannot credibly sign a contract obliging you to notify within defined timeframes.
Security controls appropriate to the services. The financial entity will expect that the security controls you apply to the services you provide them are appropriate to the sensitivity and criticality of those services. This should be documented and evidenceable.
Sub-outsourcer visibility. If you rely on sub-processors or sub-contractors to deliver any part of the service, you need to know who they are and be able to provide that information to your financial clients. You also need contractual mechanisms to flow down appropriate security requirements to those sub-contractors.
Business continuity for the service. What happens to your service delivery if your primary systems fail, your office is unavailable, or a key individual is not available? Financial entities will ask this question. You need a documented answer.
Audit response readiness. If your contract includes audit rights, you need to be prepared to respond to an audit request. In practice, this usually means completing a questionnaire, providing policy documents, and potentially hosting a remote or on-site review. Having your security documentation organised in advance makes this manageable.
The Commercial Reality
Many Irish IT suppliers are already finding that financial services clients are making DORA-related requirements a condition of contract renewal or extension. This is not optional from the client's perspective — they are legally required to have these provisions in place with their ICT suppliers.
The options are:
- Engage with DORA requirements and retain the financial services work
- Decline to engage and exit financial services client relationships
For most suppliers, the answer is clear. The practical question is how to engage with DORA requirements proportionately — not building a full financial services compliance programme, but implementing the specific security practices, documentation, and notification processes that DORA requires of ICT suppliers.
Where DORA and NIS2 Overlap for Suppliers
Many ICT suppliers in scope for DORA third-party requirements are also independently in scope for NIS2 in their own right — particularly managed service providers, cloud services, and digital infrastructure providers who are explicitly included in NIS2's scope categories.
Where both apply, an integrated approach is efficient. NIS2's Article 21 security requirements and DORA's contractual security requirements cover substantial common ground. A security programme that meets NIS2's requirements will typically satisfy most of what DORA requires contractually from ICT suppliers.
If your business is receiving DORA-related requirements from financial clients and you want to assess your current position and what you need to put in place, get in touch.
James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He advises Irish SMEs on DORA, NIS2, and practical cybersecurity compliance.