If you provide technology, data or cloud services to financial firms, sooner or later an EU client sends the email: "Please review and sign the attached DORA clauses" or "complete this resilience questionnaire by [date]." For non-EU providers especially, it can feel like an out-of-nowhere compliance burden. It is not random, and pushing back wholesale is the fastest way to lose the deal. Here is what is happening, and how to respond.

Why your EU client is asking

The Digital Operational Resilience Act (DORA) makes EU financial entities legally responsible for the resilience of their entire ICT supply chain. They must put specific terms into every ICT contract (Articles 28-30) and perform due diligence before and during the relationship. Your client is not negotiating a nice-to-have; they cannot keep using you if the contract does not meet DORA. The leverage cuts both ways: a provider who answers confidently removes the single biggest blocker to signing.

The requirements they will pass to you

Most questionnaires and clause sets map to Article 30. Expect to commit to:

  • A full service description, service levels and data locations - what you do, the agreed service levels, and the regions or countries where services run and data is processed and stored, with advance notice of any change of location (Art. 30(2)(a),(b),(e)).
  • Security and data protection - availability, authenticity, integrity and confidentiality of data, including personal data (Art. 30(2)(c)).
  • Incident assistance and cooperation - assistance when an ICT incident related to your service occurs, at no extra cost or at a cost fixed in advance, and full cooperation with your client's competent and resolution authorities (Art. 30(2)(f),(g)).
  • Audit and access rights - where you support a critical or important function, unrestricted rights for the client, its appointed auditors and the competent authority to access, inspect and audit you, take copies, and be told the scope, procedures and frequency of those audits (Art. 30(3)(e)).
  • Sub-outsourcing transparency - whether subcontracting of services supporting critical or important functions is permitted at all, under what conditions, and disclosure and controls over the subcontractors you use (Art. 30(2)(a) + the RTS on subcontracting).
  • Termination and exit - termination rights with minimum notice periods, return of the client's data in an easily accessible format if you become insolvent or cease operations, and for critical or important functions an exit strategy with a mandatory transition period and support (Art. 30(2)(d),(h), 30(3)(f)).

For the full breakdown, see our supplier guide to Articles 28-30 and the third-party risk page.

A five-step playbook to respond

  1. Triage by criticality. Ask whether you support a critical or important function for the client. If yes, the additional Article 30(3) terms apply (full quantitative service levels, contingency-plan testing, participation in threat-led penetration testing, unrestricted audit rights, exit strategy) and expect deeper due diligence; if no, only the baseline Article 30(2) terms apply and the bar is lighter. This single question shapes everything.
  2. Pre-fill a canonical answer set. Do not reinvent your answers for each client. Maintain one master response mapped to Articles 28-30, with evidence attached, and reuse it across every EU client.
  3. Negotiate the method, not the obligation. You usually cannot strike out audit or access rights - they are mandated. But you can agree proportionate methods: Article 30(3)(e) itself allows alternative assurance levels where other clients' rights would be affected, which opens the door to pooled audits, third-party assurance reports (ISO/IEC 27001 certification, SOC 2 Type II), or scoped on-site visits with an agreed scope, procedure and frequency. Offer the mechanism instead of refusing the right.
  4. Assemble an evidence pack. Certifications (ISO/IEC 27001, SOC 2), a recent penetration-test summary, BCP/DRP test results with RTO/RPO, incident-notification SLAs, and your sub-processor list. Having this ready turns weeks of back-and-forth into one attachment.
  5. Be transparent on sub-outsourcing and exit. Map the fourth parties behind the services you provide, and document how the client gets their data back and transitions out. These two areas are where deals stall most often.

Common mistakes that cost the contract

  • Refusing audit rights outright. It signals you cannot meet DORA, and your client legally cannot accept it.
  • Hiding sub-outsourcing. Undisclosed fourth parties surface in due diligence and destroy trust.
  • No exit plan. "We will figure it out later" is a red flag for a regulated buyer.
  • Treating each client as bespoke. Without a canonical answer set you will drown in near-identical questionnaires.

What to do next

  1. Confirm how DORA reaches you with the free exposure check - and if you are outside the EU, start at the non-EU hub.
  2. Download and pre-fill the supplier questionnaire so your next client review is a formality.
  3. If a major client deadline is looming, a 2-3 day DORA Flash Audit pressure-tests your answers and evidence before you respond.

Analytical guidance for compliance, legal and technology teams, not legal advice. References: DORA (Regulation (EU) 2022/2554), Articles 28-30 and the related RTS.