DORA for IT & Telecommunications
What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union regulation that entered into force on January 17, 2023, with full application from January 17, 2025. It establishes a comprehensive framework for managing information and communication technology (ICT) risks across the financial sector and its key third-party service providers. DORA aims to ensure that financial entities and their technology partners can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
DORA and the IT & Telecommunications Industry
While DORA is primarily directed at financial institutions such as banks, insurance companies, and investment firms, it casts a wide net over the IT and telecommunications sector. Any technology company that provides critical ICT services to regulated financial entities falls within DORA's scope as a third-party ICT service provider. This includes cloud infrastructure providers, managed security service providers, software vendors, data center operators, and telecommunications carriers that supply connectivity or communication services to financial clients.
For example, a telecommunications company providing dedicated leased lines or SD-WAN connectivity to a major retail bank must now comply with stringent contractual and operational requirements defined by DORA. Similarly, an IT managed services firm handling network operations for an insurance company must demonstrate robust incident management capabilities and submit to contractual audit rights. Software-as-a-Service providers delivering core banking platforms or trading applications are required to participate in operational resilience testing and maintain transparent reporting obligations toward their financial sector clients.
The regulation fundamentally changes the business relationship between financial institutions and their IT suppliers. Telecommunications firms and technology vendors that once operated under standard service-level agreements now face a new layer of regulatory accountability. Contracts must include specific clauses around service continuity, data location, subcontracting chains, and exit strategies. Non-compliance can result in financial institutions being required to terminate contracts, which makes DORA compliance a direct commercial necessity for IT and telecommunications companies active in this market.
Key Requirements
- ICT Risk Management Framework: ICT and telecommunications providers classified as critical third-party providers must maintain a documented, comprehensive risk management framework that identifies, classifies, and continuously monitors all ICT risks relevant to the services delivered to financial clients.
- Incident Reporting and Classification: Providers must establish clear processes for detecting, classifying, and reporting major ICT-related incidents to their financial entity clients within defined timeframes, enabling those clients to meet their own regulatory reporting obligations to national competent authorities.
- Digital Operational Resilience Testing: Critical ICT providers are expected to support and participate in their clients' resilience testing programs, including threat-led penetration testing (TLPT) exercises that simulate advanced cyberattacks against live production environments.
- Third-Party Risk and Subcontracting Transparency: Full visibility into the subcontracting chain is required. IT and telecommunications companies must disclose all material subcontractors involved in delivering services, ensuring that the financial entity can assess concentration risk across the supply chain.
- Contractual Compliance: All contracts with financial entity clients must include DORA-mandated clauses covering audit rights, data access, business continuity obligations, termination conditions, and the geographic location of data processing and storage.
- Business Continuity and Disaster Recovery: Documented and tested business continuity plans (BCP) and disaster recovery plans (DRP) must be in place, with recovery time objectives (RTO) and recovery point objectives (RPO) that align with the criticality of the services provided.
- Information Security Standards: Providers must implement robust cybersecurity controls aligned with internationally recognized frameworks such as ISO 27001, NIST, or equivalent standards, covering areas including access management, encryption, vulnerability management, and security monitoring.
- Concentration Risk Reporting: Providers that supply services to a significant number of financial entities may be designated as critical third-party providers (CTPPs) by the European Supervisory Authorities, subjecting them to direct regulatory oversight and examination.
Implementation Steps for IT & Telecommunications Companies
- Conduct a DORA Scoping Assessment: Identify all existing and prospective financial sector clients. Determine whether your organization qualifies as a critical third-party ICT provider under DORA criteria. Map the specific services delivered to these clients and assess which contractual relationships are subject to DORA requirements.
- Perform a Gap Analysis Against DORA Requirements: Evaluate your current ICT risk management framework, incident response procedures, business continuity plans, and contractual templates against the obligations set out in DORA and its Regulatory Technical Standards (RTS). Document all identified gaps with associated risk ratings.
- Update Contracts and Service Agreements: Work with your legal team and client relationship managers to review and renegotiate all contracts with financial entity clients. Ensure that DORA-mandated clauses are incorporated, including provisions for audit rights, incident notification timelines, data location disclosures, subcontractor transparency, and exit assistance obligations.
- Strengthen Incident Management Processes: Implement or upgrade your incident detection, classification, escalation, and reporting procedures. Define clear thresholds for what constitutes a major ICT incident affecting a financial client, and establish communication protocols that allow clients to meet their own reporting deadlines to regulators.
- Map and Govern Your Subcontracting Chain: Create a complete and up-to-date register of all subcontractors and fourth parties involved in delivering services to financial entity clients. Establish a governance process for approving new subcontractors, assessing their compliance posture, and notifying clients of material changes in the supply chain.
- Develop and Test Business Continuity and Disaster Recovery Plans: Review existing BCP and DRP documentation to ensure they address the continuity of services to financial entity clients specifically. Conduct regular tabletop exercises and live failover tests, and share test results and remediation plans with clients as required by contractual obligations.
- Prepare for Resilience Testing Participation: Establish a formal process for engaging with financial entity clients who initiate threat-led penetration testing or other resilience testing activities that require your participation. Identify internal technical teams responsible for coordinating test scoping, execution support, and remediation of identified vulnerabilities.
- Monitor Regulatory Developments and Critical Provider Designations: Continuously track guidance issued by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). If your organization is designated as a critical third-party provider, engage proactively with the lead oversight authority and prepare for direct supervisory examination.
Frequently Asked Questions
Does DORA apply to my IT company if we are not based in the European Union?
Yes. DORA applies based on where your clients are located, not where your company is headquartered. If you provide ICT services to financial entities regulated within the European Union, your services and contractual arrangements with those clients must comply with DORA requirements regardless of whether your organization is based outside the EU. Non-EU providers should assess their exposure carefully and engage with their EU-based financial clients to understand specific compliance expectations.
What is the difference between a standard third-party ICT provider and a critical third-party provider under DORA?
All ICT providers delivering services to financial entities in the EU are subject to DORA's contractual and operational requirements to varying degrees. However, the European Supervisory Authorities may formally designate certain providers as critical third-party providers (CTPPs) based on criteria such as the systemic importance of the services they provide, the number of financial entities they serve, and their substitutability in the market. CTPPs face a higher level of scrutiny, including direct oversight by a designated lead overseer from among the European Supervisory Authorities, onsite inspections, and mandatory participation in supervisory exercises.
How does DORA affect telecommunications companies specifically?
Telecommunications companies that provide connectivity, managed network services, or communication infrastructure to financial institutions must ensure that their service delivery meets DORA's resilience and continuity standards. This includes demonstrating redundant network architectures, documented failover capabilities, and the ability to support their clients' resilience testing. Telecommunications providers must also be prepared to disclose data routing paths, geographic locations of network nodes involved in service delivery, and any third-party carriers or subcontractors in the transmission chain.
What happens if our organization does not comply with DORA-mandated contract requirements by the deadline?
Financial entity clients are required by DORA to include specific contractual provisions in agreements with all ICT providers. If a provider refuses to incorporate these provisions or cannot demonstrate compliance, the financial institution may be compelled by its own regulator to terminate or not renew the contract. Additionally, if your organization is designated as a critical third-party provider and fails to cooperate with the oversight regime, lead overseers have the authority to impose periodic penalty payments and require financial entities to suspend or terminate their contractual arrangements with the non-compliant provider.
Summary
DORA represents a fundamental shift in how the IT and telecommunications industry must approach its relationships with financial sector clients, elevating operational resilience from a best-practice recommendation to a binding regulatory requirement with direct commercial consequences. Companies that invest in DORA compliance now will not only protect their existing client relationships but will also gain a competitive advantage in a market where financial institutions are required to scrutinize and validate the resilience of every critical supplier. Begin your compliance journey today by assessing your current exposure, engaging your legal and technical teams in a structured gap analysis, and opening transparent dialogue with your financial sector clients about their DORA implementation expectations.