May 2026. DORA applies to financial entities and critical ICT providers. Dutch software vendors, cloud providers and MSPs find procurement and risk management ask sharper questions than a classic ISO 27001 questionnaire.
What changes for ICT providers?
- contracts with availability, incident reporting, penetration testing and exit clauses;
- audit rights or assurance reports (ISO 27001, SOC 2, ISAE);
- registration as a critical ICT provider when supporting essential functions;
- tighter vulnerability management and concentration risk expectations.
Three quick wins
- Map which customers classify you as critical — per contract.
- Document incident and escalation contacts and run a notification drill.
- Link measures to ISMS and risk register.
Relationship with ISO 27001
ISO 27001 helps operationally: scope, Annex A, internal audit, management review. DORA adds financial chain, exit and supervisory language. More: DORA explained, DORA compliance hub and vendor management.
Financial buyers in 2026 explicitly ask for exit plans, concentration risk and penetration test scope aligned to contracted services. Record per customer which DORA articles apply and which evidence you deliver annually.
DORA incident notification requires fast escalation and sometimes 24/7 reachability. Test with a tabletop with your SOC or MSP. Document timestamps and decisions — auditors compare with contract SLAs.
Critical ICT providers should expect registration and supervision. Prepare a register of services, dependencies and sub-vendors usable for ISO 27001 vendor management too.
As an ICT provider in the financial chain
Software and cloud vendors see financial customers revise contracts with DORA clauses on availability, incident reporting, testing and exit. Prepare a standard assurance pack: ISO 27001 certificate or roadmap, pen test summary, BCM overview and 24/7 escalation contacts.
Concentration risk is recurring: large banks want to know which sub-vendors you use and how you handle their outage. Maintain a register you also use for ISO 27001 vendor management.
Exit and data portability become contractual — document formats, timelines and which data remains the customer’s at termination. That overlaps GDPR and EU Data Act expectations.
Test incident notification with your largest financial customer at least annually. Timestamps and named contacts in the report are evidence auditors and supervisors want to see.
Assign a named account manager for incident escalation with financial customers — generic support lines seldom meet contract SLAs. Record roles in the ISMS and exercise handover between support, SOC and management.
Document exit and concentration risk
DORA emphasises exit strategies and chain concentration: what happens when a critical vendor fails or goes bankrupt? Record alternatives, data migration and contractual exit timelines — also when you are the vendor.
Financial customers ask for named incident escalation contacts, not generic support lines. Exercise handover between support, SOC and management and document response times.
Link DORA evidence to ISO 27001 vendor register and risk register. Tag per customer what is DORA-specific so you do not restart for every audit.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
