FREQUENTLY ASKED QUESTIONS
Answers to the questions we hear most often
From what DORA actually requires, to how contract consolidation works, to why other approaches have not solved this, these are the questions financial institutions ask us.
DORA and regulation
-
DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) is an EU regulation that entered into force on 17 January 2025. It applies to financial entities operating in or serving the EU, including banks, investment firms, insurance companies, payment institutions, and crypto-asset service providers.
Global financial institutions with EU operations or subsidiaries are also subject to DORA, meaning it has direct relevance to tier one banks headquartered outside the EU. Tens of thousands of financial entities across Europe are subject to its requirements, including banks, investment firms, insurance companies, payment institutions, and many others. The European Banking Authority has confirmed the regulation applies to a broad range of financial entities regulated at EU level.
-
DORA Article 30 requires financial entities to ensure that contracts with ICT third-party service providers supporting critical or important functions contain specific mandatory provisions, including:
Services description: A clear description of services and the locations from which they are delivered.
Data provisions: Data location, data processing, and applicable data protection requirements.
Audit rights: Including the right to audit the ICT provider directly.
Incident reporting: The provider's obligations to assist and report during ICT incidents.
Business continuity: Exit strategy provisions ensuring the financial entity can exit or substitute the service without disruption.
Resilience testing: Rights to require penetration and resilience testing.
Subcontracting: Obligations to disclose and govern the provider's own subcontractor chain.
Regulatory cooperation: Provider obligations to cooperate with the national competent authority.
-
DORA entered into force on 17 January 2025. Financial entities subject to the regulation were required to be compliant from that date. There is no grace period for contract remediation: the obligation to ensure ICT supplier contracts contain the mandatory Article 30 provisions applies from the date of enforcement.
-
Under DORA Article 65, financial entities can face administrative penalties of up to 2% of total annual worldwide turnover for sustained non-compliance. Daily penalty payments are also possible for ongoing breaches.
For a global tier one bank, 2% of annual worldwide turnover represents a financial exposure that far exceeds the cost of contract remediation. Individual managers and officers can also face personal penalties under certain circumstances.
-
The UK FCA and PRA operational resilience framework (Policy Statements PS21/3 and PS24/16) applies to UK-regulated financial institutions. It carried a compliance deadline of March 2025. PS24/16, effective from 1 January 2025, extended oversight to critical third parties and requires contractual standards equivalent to those mandated under DORA.
While the two frameworks have different legal bases and specific requirements, the underlying contract obligations are substantially similar. Many global institutions subject to both frameworks apply a unified contract remediation standard, which is more efficient than maintaining separate compliance processes.
-
DORA Article 30 requirements apply to all contracts with ICT third-party service providers that support critical or important functions of the financial entity. DORA Article 28 separately requires financial entities to maintain a complete register of all ICT third-party service arrangements, regardless of criticality classification.
In practice, determining which functions are critical or important is itself a significant exercise for most institutions, as it requires mapping every ICT supplier relationship to the business functions it supports.