Compliance, Control, Consequences: What DORA means for ICT Service Providers and how it may reshape Europe's Digital Landscape
- Koen Vanderhoydonk
- May 11
- 3 min read

With the Digital Operational Resilience Act (DORA) entering into force on January 17, 2025, and the first major deadline for financial institutions to submit their ICT third-party registers ‘Register of Information’ set for April 28, the ripple effects of the new regulation are already being felt—especially by ICT service providers.
DORA brings Information and Communication Technology (ICT) into sharper regulatory focus, placing third-party providers squarely in the spotlight. While financial institutions remain accountable for their providers' compliance, the legislation marks a turning point: for the first time, ICT service providers fall explicitly within the scope of EU financial regulation—complete with concrete obligations and the threat of sanctions.
The impact is significant, and ICT providers deemed ‘critical’ to the financial system will even come under the direct supervision of one of the three European Supervisory Authorities (ESAs). This introduces a new layer of scrutiny and responsibility for vendors previously operating in a largely unregulated space.
For financial institutions, vendor selection is no longer just about cost-efficiency or innovation. It's now equally about transparency, resilience, and risk control across the entire digital supply chain.
The pressure is on ICT providers to deliver more than just reliable tech. As regulated companies, they are now required, just like their customers, to constantly prove their compliance. Those unable—or unwilling—to meet the new expectations may find themselves sidelined, regardless of technical capabilities. DORA could drive industry-wide consolidation, raise entry barriers, and favor providers who treat compliance not as a burden, but as a strategic edge. The implications may even go beyond the financial sector as regulatory expectations cascade down supply chains.
What are ICT Services under DORA?
ICT services as defined in Article 3 DORA are digital or data-driven services delivered through ICT systems, including hardware and cloud services—but excluding traditional analogue telephony.

To help classify and report ICT third-party services, the corresponding Implementing Technical Standard (ITS) defines 19 service types—known as the “S-Classes”. Each class is assigned an identifier (S01 to S19) with a corresponding description.
By now, most potential ICT providers should have been contacted by their financial sector clients. The process of aligning with the new regulatory requirements is well underway—and for many, just beginning to reveal its complexity.
How should ICT Service Providers respond to DORA?
DORA introduces a range of new obligations for ICT service providers, including risk management, incident reporting, resilience testing, and greater transparency across subcontracting chains, particularly when supporting critical or important functions.

While financial institutions remain ultimately responsible for their providers' compliance, the new regulations require more than just contractual agreements and ticking checkboxes.
Some key examples of how ICT providers must adapt:
· Incident Reporting: ICT providers must ensure that, in the event of serious ICT incidents, financial institutions can fulfill their reporting obligations. In case of a major incident, the financial institution must submit an initial report to the supervisory authority within 24 hours, and no later than 4 hours after classifying the incident as ‘major’. The financial institution relies on the ICT provider’s detection mechanisms and information sharing for this purpose. If the financial institution misses these deadlines, it must immediately inform the competent authority and explain the reasons for the delay, and a fine may follow.
· Register of Information: Financial institutions must report information about ICT third-party providers and their subcontractors, including service and data locations. If the register is not submitted, incorrect, not complete, or not on time, fines may be imposed.
· Resilience Testing: Financial institutions are required to ensure (and demonstrate) operational resilience by performing testing programs. These programs cover areas such as vulnerability assessments, network security, penetration testing, and even physical security audits. For ICT service providers, this means being included in these tests. To avoid extensive effort, providers should design their own testing program so that participation in each customer's program becomes unnecessary, or organize integrative tests on their own terms.
· The same applies to similar requirements, such as the participation of ICT service providers in the resilience training programs of their customers.
Beyond the technical measures, compliance with DORA demands a cultural shift within ICT service providers. It's not just about adapting internal processes or creating new ones: to meet the regulatory intent, resilience needs to be embedded into every workflow, every team, and every aspect of operations.
Conclusion: The Time to Act is Now
DORA raises the bar—and with it, the stakes. However, those who view regulation not as a constraint but as a catalyst can significantly enhance their position. By embracing the new requirements, ICT service providers can unlock new business opportunities, build stronger client relationships, and secure their relevance in an evolving financial ecosystem.