EuroComply

DORA for ICT providers

DORA for ICT providers serving EU financial entities: customer evidence, subcontractors, incident support, exit plans, resilience and contract readiness.

Direct answer

ICT providers serving EU financial entities should prepare contract evidence, service descriptions, incident support commitments, subcontractor transparency, resilience controls, data location facts, audit support and exit-plan assistance. Even non-critical ICT providers can face DORA-driven customer due diligence.

What should ICT providers prepare for DORA customers?

  • Contract readiness
  • Operational resilience
  • Subcontractor transparency

Customer base: EU financial entities
Main risk: Third-party ICT dependency
Best first artifact: DORA customer evidence pack
Source: ESMA DORA guidance

Customer review: Due diligence requests

Financial customers may request DORA evidence during onboarding and renewal.

Source: ESMA DORA guidance

DORA for ICT providers checklist

Action checklist

Contract readiness

Prepare standard responses for audit, incident, subcontractor and exit clauses.

Operational resilience

Document uptime, backup, recovery, testing and monitoring controls.

Subcontractor transparency

List critical dependencies and the notification process for material changes.

Key deadlines

Date: Customer review
Requirement: Due diligence requests. Financial customers may request DORA evidence during onboarding and renewal.
Source: ESMA DORA guidance

30/60/90-day action plan

First 30 days

Confirm scope and assign an owner

Evidence needed: Applicability note, business owner, systems or product list, and source links.

DORA ICT provider readiness

Days 31-60

Close the evidence gaps

Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.

Days 61-90

Prepare for audit or customer review

Evidence needed: Versioned compliance file, action log, exception register, and next review date.

Evidence to retain

Applicability decision

Shows whether DORA readiness for ICT providers applies and why the SME made that decision.

Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.

Action owner list

Regulators and enterprise customers expect named accountability, not generic intent.

Retain: Owner, backup owner, due date, status, and unresolved blocker notes.

Evidence folder

The fastest way to answer customer due diligence is a single audit-ready evidence file.

Retain: Policies, screenshots, registers, exports, supplier responses, and training records.

SME questions answered

Does DORA apply directly to all ICT providers?

Not all ICT providers are directly supervised, but providers serving financial entities can face DORA contract and due-diligence requirements from customers.

What should a SaaS vendor give DORA customers?

A SaaS vendor should provide resilience, incident, subcontractor, data location, security, audit and exit-plan evidence.


Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.