
DORA: digital operational resilience in financial services

DORA strengthens digital resilience in EU financial services — from ICT risk management to incident reporting, testing and supplier contracts.


DORA (Digital Operational Resilience Act) strengthens ICT resilience in EU financial services — risk management, incidents, testing and third-party chains.

Who is in scope?

Financial entities under EU supervision and critical ICT third-party providers to that sector. Many SaaS vendors encounter DORA indirectly, through the contractual requirements their bank and insurer customers pass down to them.

Practical steps

  1. Map critical ICT services and subprocessors — link to vendor management.
  2. Define incident and reporting routes.
  3. Plan resilience testing including cloud failure scenarios.
  4. Update contracts: audit, exit, subprocessors, data location.

See NIS2, Cyber Security Act Netherlands and GDPR for overlap.

Key takeaways

  • Applies to financial entities and critical ICT third-party providers.
  • ICT risk, incidents, resilience testing and supply chain are central.
  • Cloud and SaaS contracts need exit, audit and notification rights.
  • Align DORA evidence with your ISMS and vendor management.

Frequently asked questions

Does DORA apply to SaaS vendors?
Critical ICT providers to the financial sector fall under DORA — check customer contracts and supervisory expectations.
