SaaS companies selling to banks, payment institutions, and other financial entities are not DORA entities themselves — but DORA's third-party risk requirements mean your bank customers' compliance obligations flow directly into your commercial relationship. How you respond to this shapes whether you win or lose regulated financial services deals.
You Are Not Regulated by DORA — But Your Customers Are
DORA applies to financial entities: banks, payment institutions, e-money institutions, investment firms, insurers, and others listed in Article 2. As a SaaS vendor, you are an ICT third-party service provider: DORA's requirements reach you through your customers' obligations and the contracts they sign with you, not through direct regulation. The one exception is designation as a critical ICT third-party provider, covered below.
Your bank customers must:
- Record the services you provide in their Register of Information (Article 28(3)), including whether each service supports a critical or important function
- Assess whether your service supports a critical or important function; if it does, the fuller set of contract provisions in Article 30(3) applies, not just the baseline in Article 30(2)
- Ensure the written contract contains the Article 30 minimum provisions
- Conduct due diligence on your security practices before signing (Article 28(4))
- Exercise the audit, inspection and information rights the contract gives them (mandatory for critical or important functions)
In practice: every bank customer you have will send you security questionnaires, request contract amendments, and assess your criticality. How ready you are determines how smooth those conversations are.
The DORA Article 30 Contract Requirements
DORA Article 30 sets out the minimum provisions that financial entities must include in contracts with ICT third-party providers: a baseline for every ICT service in Article 30(2), plus additional terms in Article 30(3) where the service supports a critical or important function. Expect these provisions to arrive as contract amendments from your bank customers:
| Requirement | What your customer will ask for |
|---|---|
| Description of services and SLAs | A clear description of all functions and services; for critical or important functions, quantitative and qualitative performance targets |
| Data location | The regions or countries where customer data is processed and stored, with advance notice of any change |
| Data protection and data return | Security of data in transit and at rest; access to, recovery of and return of their data on termination or on your insolvency |
| Audit rights | Right to audit and inspect, or to receive third-party audit reports; unrestricted rights of access, inspection and audit for critical or important functions |
| Incident assistance and notification | Prompt notification of, and assistance with, ICT incidents affecting their service, at no extra cost or at a price agreed in advance |
| Cooperation with authorities | Your full cooperation with the customer's competent and resolution authorities |
| Business continuity | Business contingency plans and tests covering their service; participation in threat-led penetration testing for critical or important functions |
| Termination rights | Termination for breach of law or contract, for evidenced weaknesses in your ICT risk management, or where the arrangement prevents effective supervision of the customer, with minimum notice periods |
| Sub-contractor disclosure | Whether subcontracting is permitted and which sub-contractors support their service or hold their data |
| Exit assistance | An exit strategy and transition period: data return and migration support at contract end |
These provisions must be written into the contractual arrangement itself; a separate policy document or a terms page linked from your website does not satisfy Article 30. Review your standard terms and service agreements and build the provisions into your base contract so that each bank does not have to negotiate them from scratch.
Security Due Diligence: What Banks Will Ask
DORA requires financial entities to conduct due diligence before contracting with ICT providers. The questionnaires your prospects will send typically cover:
Governance:
- Do you have an information security management system?
- Who is responsible for information security?
- Do you hold ISO 27001 certification or a SOC 2 Type II report, and does its scope cover the service you are selling?
Security controls:
- Network segmentation and access controls
- MFA implementation
- Patch management SLAs
- Vulnerability management programme
Incident management:
- Incident response procedure
- Notification timelines for incidents affecting customers
- History of significant incidents in the last 2 years
Business continuity:
- RTO and RPO for your service
- Backup frequency and testing
- Disaster recovery testing results
Third parties:
- Key sub-processors with access to customer data
- Cloud infrastructure providers and their certifications
Prepare these answers in a security questionnaire response document. The same questions appear across all banks — a standard response document saves significant time in sales.
Incident Notification: The 4-Hour Problem
Under DORA Article 19 and its incident-reporting standards, a financial entity must send its competent authority an initial notification within 4 hours of classifying an ICT-related incident as major, and no later than 24 hours after becoming aware of it, followed by an intermediate report within 72 hours and a final report within one month. To classify and report on time, your bank customer needs to know about incidents affecting your service almost immediately.
Your contracts with bank customers should commit to:
- Notifying the customer within 1–2 hours of any incident affecting their services or data
- Providing an initial impact assessment within 4 hours
- Regular updates throughout the incident
- A final incident report within a defined timeframe
This is a material commitment. Build the corresponding customer notification procedure into your incident response plan before your first bank customer asks for it.
Critical ICT Provider Designation
DORA (Article 31) allows the European Supervisory Authorities (EBA, ESMA, EIOPA) to designate certain ICT providers as "critical third-party providers" (CTPPs), which then fall under a direct EU oversight framework with one of the ESAs acting as Lead Overseer. Designation targets large, systemically important providers, primarily the major cloud providers.
For most SaaS companies, CTPP designation is not a near-term concern. However:
- If many financial entities rely on your service for critical or important functions, monitor the Article 31 designation criteria (systemic impact of a failure, the number and importance of financial entities relying on you, and how easily you could be substituted)
- If you are designated, the Lead Overseer can request information, conduct investigations and on-site inspections, and issue recommendations you must address, and you must cooperate with all of these oversight activities
Being Ready for DORA-Driven Enterprise Sales
A DORA-ready SaaS vendor has:
Documentation:
- Security questionnaire response document (based on DORA Article 30 + ISO 27001 framework)
- Incident notification commitment document
- BCP/DR summary for the service
- Sub-processor list
Contracts:
- Base contract incorporating DORA Article 30 minimum provisions
- Or a DORA addendum that can be attached to the standard agreement
Certifications:
- ISO 27001 or SOC 2 Type II — strongly preferred by regulated financial entities
- Pen test reports from the last 12 months
Process:
- Customer incident notification procedure with committed timelines
This is now table stakes for selling into regulated financial services. Without it, you will lose to competitors who are ready.