DORA does not regulate software vendors directly — but it reaches you through every EU financial-entity client you serve. Banks, insurers and investment firms are now contractually obliged to push DORA requirements down to their ICT providers. If your software supports a client’s critical or important function, “DORA-ready” is becoming a condition of doing business.
This guide explains what custom software vendors and SaaS providers actually have to support, and how getting ahead of it turns a compliance headache into a sales advantage.
How DORA reaches a software vendor
Under Article 28, a financial entity remains fully responsible for DORA compliance even when it outsources ICT services — so it cannot accept a provider whose practices would undermine that responsibility. Under Article 30, the contract between the entity and the provider must contain a specific set of provisions. As a vendor you will increasingly be asked to sign up to these, and to evidence them in due diligence. Every arrangement also has to be listed in the client’s Register of Information and, where you support a critical function, the bar is materially higher.
What you must be able to support
- Audit and access rights. The entity — and its supervisor — can inspect and audit your services. Provide audit reports (SOC 2, ISO 27001), pen-test summaries and a right-to-audit clause.
- Security requirements & incident assistance. Demonstrable security controls, and a commitment to assist the client during an ICT incident, including timely information for their 4-hour / 72-hour / 1-month regulatory reporting.
- Sub-outsourcing transparency. Disclose your own material subcontractors (the client’s “fourth parties”) and notify changes — the 2025 RTS on subcontracting raised this bar.
- Exit and portability. A credible, tested way for the client to leave you without disruption to a critical function: data export, transition support, no hostage lock-in.
- Data location & handling. Where data is processed and stored, and how availability, integrity and confidentiality are protected.
Turn compliance into a sales advantage
Most vendors treat this as a procurement nuisance. The smart ones build a “DORA readiness pack”: a standard Article 30 addendum, an up-to-date subcontractor list, current security attestations, a documented exit plan, and a one-page mapping of how your product supports each relevant DORA obligation. When a bank’s procurement team asks, you answer in days, not months — and you win against competitors who cannot.
Build it into the product, not just the contract
The vendors that scale make DORA easy to support by design: clean data export APIs, audit logs clients can pull, status and incident notifications, and clear security documentation. That is also good engineering — see our companion pieces on architecture choices that reduce ICT risk and auditability by design.
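One concrete shape for the “audit logs clients can pull” point above, as an added example written for this guide rather than code from any product or from the companion pieces: each tenant’s audit records form a hash chain, the client pulls its own records as JSON Lines, and the client (or its auditor) can re-derive every hash offline without trusting the vendor’s database. Tenant names, actors, actions and timestamps are constructed samples, and the JSON Lines export format is an assumption about how such an API might deliver records.

```python
"""Hash-chained, per-client audit log with a pull-style export.

Added illustration (not the article's or any product's code): every record a
client can pull carries the hash of the previous record, so an exported log can
be verified by the client, or by its auditor, without trusting the vendor's
database. Tenant names, actions and timestamps below are constructed samples.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for a tenant's first record


def _record_digest(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so producer and verifier
    # hash identical bytes regardless of how the export was serialised.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    """One hash chain per tenant, so a single client's export is self-verifying."""

    def __init__(self) -> None:
        self._chains: Dict[str, List[Dict[str, Any]]] = {}

    def append(self, tenant: str, actor: str, action: str,
               detail: Dict[str, Any], ts: str) -> str:
        chain = self._chains.setdefault(tenant, [])
        prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
        record = {"seq": len(chain), "tenant": tenant, "actor": actor,
                  "action": action, "detail": detail, "ts": ts}
        entry = dict(record, prev_hash=prev_hash,
                     hash=_record_digest(prev_hash, record))
        chain.append(entry)
        return entry["hash"]

    def export_for_tenant(self, tenant: str) -> str:
        # JSON Lines: one record per line, the shape a client would pull over an API.
        return "\n".join(json.dumps(e, sort_keys=True)
                         for e in self._chains.get(tenant, []))


def verify_export(jsonl: str,
                  expected_last_hash: Optional[str] = None) -> Tuple[bool, int, str]:
    """Re-derive every hash in an exported chain.

    Returns (ok, records_checked, reason). Passing the last hash the client
    previously received also detects silent truncation of the chain's tail.
    """
    expected_prev = GENESIS_HASH
    checked = 0
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        stored_hash = entry.pop("hash")
        prev_hash = entry.pop("prev_hash")
        if prev_hash != expected_prev:
            return False, checked, f"seq {entry.get('seq')}: broken link"
        if entry.get("seq") != checked:
            return False, checked, f"seq {entry.get('seq')}: missing or reordered record"
        if _record_digest(prev_hash, entry) != stored_hash:
            return False, checked, f"seq {entry['seq']}: content does not match hash"
        expected_prev = stored_hash
        checked += 1
    if expected_last_hash is not None and expected_prev != expected_last_hash:
        return False, checked, "chain ends before the expected last record"
    return True, checked, "ok"


def build_sample_log() -> AuditLog:
    """Constructed sample events for two tenants (not real client data)."""
    log = AuditLog()
    log.append("bank-a", "svc:billing", "record.update", {"id": 7}, "2025-01-01T00:00:00Z")
    log.append("bank-a", "user:alice", "export.run", {"rows": 120}, "2025-01-01T00:01:00Z")
    log.append("bank-b", "user:bob", "login", {}, "2025-01-01T00:02:00Z")
    return log


if __name__ == "__main__":
    export = build_sample_log().export_for_tenant("bank-a")
    print(verify_export(export))                      # (True, 2, 'ok')
    tampered = export.replace('"id": 7', '"id": 8')   # an after-the-fact edit to a stored record
    print(verify_export(tampered))                    # (False, 0, 'seq 0: content does not match hash')
```

The per-tenant chain is deliberate: a client only ever receives its own records, so the export it holds must verify on its own. Chaining alone does not reveal that records were dropped from the end, which is why the verifier accepts the last hash the client already has; in practice the client stores that value after every pull.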
Go deeper
Want to master the contractual side end to end? The Certified DORA Contract Manager course covers the full Article 30 clause set, and the Register of Information Specialist course covers how your clients will inventory you. Both are part of the verifiable DORA certification catalogue.