DORA Compliance for Non-Financial Vendors: Why You're Being Asked About It (And How to Respond)
DORA's third-party risk rules mean vendors are getting asked about it. Here's what you need to know.

DORA has started coming up in more client conversations. But not with the types of clients you may expect.
DORA is the EU's Digital Operational Resilience Act. It's written for banks, insurers, and other financial institutions. Increasingly, though, we're fielding questions about DORA from startups operating dev tools, productivity apps, sales platforms and the like.
These companies aren’t fintechs, and don’t touch payments, yet they’re still receiving security addendums focused on DORA — and they need answers.
If that situation sounds familiar, this is for you. Let’s walk through what DORA is, why it exists, why you’re being asked about it, and how to respond.
What Is DORA?
The EU's Digital Operational Resilience Act (DORA) entered into force in January 2023 and has applied since 17 January 2025. It consolidated a patchwork of ICT rules that used to live across various pieces of EU financial services regulation.
Because it's a regulation (Regulation (EU) 2022/2554) rather than a directive, DORA applies directly in every EU member state without national transposition. So whether you're working with a financial institution in Frankfurt or a payment provider in Amsterdam, you'll face the same questions.
What’s been causing some confusion of late is how DORA applies to companies that don’t look financial. We're seeing DORA questions land in contracts from customer support tools, sales tools, dev platforms, productivity software. These are companies with no payment processing, no invoicing, and nothing that looks like financial infrastructure.
EU financial institutions aren't misreading the regulation when they push these questions out to vendors. DORA makes financial entities accountable for the ICT third-party risk across their whole supply chain. So whether you process financial data or supply a note-taking tool used by the sales team that never touches financial infrastructure, your EU-based customers still need to assess and document the risk you represent.
In short, if you sell into European financials, there's a decent chance you'll be asked about DORA, and you'll need to have a good response on hand when the question lands.
Who's In Scope and Who Gets Pulled In Anyway
DORA directly applies to 20 types of financial entities. The list goes well beyond banks and insurers:
- Credit institutions (banks)
- Insurance and reinsurance undertakings
- Investment firms
- Payment and e-money institutions
- Crypto-asset service providers
- Central securities depositories and central counterparties
- Trading venues and trade repositories
- Credit rating agencies
- Crowdfunding service providers
- Institutions for occupational retirement provision (IORPs)
There’s also a second group covered by DORA: Critical ICT Third-Party Providers (CTPPs). This covers large cloud providers like AWS, Microsoft Azure, and Google Cloud. These organizations
Then there's everyone else, and most companies I speak with sit in this bucket: software and cloud providers that aren't in scope directly but are being asked about DORA anyway, because every regulated customer is required to manage its ICT third-party risk.
What DORA Covers
DORA is organized around five pillars:
- ICT Risk Management and Governance
- ICT-Related Incident Management, Classification, and Reporting
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information Sharing Arrangements
For almost everyone reading this, ICT Third-Party Risk Management will be the main driver of DORA questions showing up in your contracts. Even if DORA has nothing to do with your product, you're going to get asked about it anyway, because the third-party risk pillar (Articles 28 to 30) requires financial entities to put specific contractual provisions in place with every ICT provider they use, and those requirements get passed straight down to their vendors.
So if a European bank or financial institution wants to use your product, its procurement team will have to run DORA due diligence before a contract can be signed. Most of you aren't in scope of DORA itself. That said, you still need an informed response for every financial customer that asks. I'll get to the specific playbook near the end of this piece.
How to Respond If DORA Doesn't Apply To You But Your Customers Are Asking
When a customer puts DORA clauses in front of you, you can't just say "we're not a financial entity" and move on. You need a short, structured response ready, ideally something you can attach to a security addendum or security questionnaire. It should:
- Reference Regulation (EU) 2022/2554.
- Explain that DORA applies directly to financial entities and that your business sits downstream as a provider of ICT services.
- Share any security frameworks you have in place, such as SOC 2 or ISO 27001.
- Detail your incident response and business continuity plans.
Additionally, if your customer classifies your service as supporting a critical or important function, you may also need to acknowledge Article 30 and accept specific contractual clauses: full service level descriptions with quantitative targets, notice periods and reporting obligations to the customer, cooperation with its competent authorities, unrestricted access, inspection and audit rights, and an exit strategy. Your incident notification commitment also has to be fast enough for the customer to meet its own deadlines: a financial entity must file the initial notification of a major ICT-related incident within 4 hours of classifying it as major and no later than 24 hours after becoming aware of it, so a vendor SLA measured in days won't work.
If DORA Applies Directly to Your Business
If DORA directly applies to your business as a financial entity, there's a lot more work involved. You'll need to ensure your entire security posture is set up to meet DORA requirements, which means maintaining a Register of Information covering all of your ICT third-party arrangements (Article 28), rewriting contracts to include the Article 30 provisions, and aligning your ICT risk management framework and incident reporting to DORA's requirements. If you're designated as a CTPP, you instead fall under direct oversight by one of the European Supervisory Authorities acting as Lead Overseer.
Why It Helps to Be Prepared for DORA
Third-party risk is core to DORA, which means it can reach further than its direct scope. So even if you're not a financial entity, you'll need to be prepared to explain why DORA doesn't apply to you, and to show the security posture you do have in its place.
When you field questions about DORA, it means your customer is doing things exactly as they should be. Under DORA, each financial entity is required to assess third-party risk for every ICT provider it works with. If you have a clear response ready and waiting, you'll be able to keep deals moving faster.
If you’d like to chat more about DORA, how it may apply to your business, or how to draft a note explaining why it doesn’t apply to your business, reach out to us here.

