
DORA Impact: Outsourcing Third-Party Service Providers from 2025

Category: News, Software development

The EU’s Digital Operational Resilience Act (DORA) is just around the corner, coming into effect on January 17, 2025. DORA establishes new requirements and technical standards for financial entities – as well as for their third-party service providers.

Because of its overarching impact on financial entities working with third-party service providers, and the scope of what you need to do to be compliant, the time to start preparing for DORA is now.

What is DORA and how will it impact the financial sector?

As you’re already aware, the Digital Operational Resilience Act (DORA) is a new EU regulation providing uniform, binding rules that strengthen the IT security of financial firms operating in the EU. 

The impacts of DORA will be felt by traditional financial sector companies like credit institutions, trading venues and clearing houses, investment firms, insurance companies, payment institutions, electronic money (eMoney) institutions, as well as crypto-asset service providers, issuers of crypto-assets and issuers of asset-referenced tokens.

According to DORA, third-party service providers (TPSP) that offer critical ICT services need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

DORA impacts the financial sector by providing a consistent set of rules governing the digital operational resilience needs of all regulated financial entities, and by establishing an oversight framework for critical ICT third-party providers, on which financial entities rely for vital areas of digital transformation.

Here are the pillars of the Digital Operational Resilience Act in a nutshell:

  • ICT risk management: Financial entities are required to have a sound, comprehensive, and well-documented ICT risk management framework established to keep ICT assets and information assets protected from risks.
  • ICT-related incident reporting: Financial entities are required to monitor, classify, and report major ICT-related incidents to competent authorities within a specified timeframe. 
  • Resilience testing: You will have to conduct regular resilience testing of your ICT systems and tools against realistic and severe scenarios, including cyberattacks, natural disasters, or operational failures. This testing must involve internal and external stakeholders, such as third-party service providers.
  • ICT third-party risk: As a financial entity, you will need to manage and mitigate the ICT risks related to your outsourcing arrangements with third-party ICT service providers. The management and mitigation must include due diligence, risk assessment, contractual requirements, monitoring, oversight, audit, and termination rights.
  • Information sharing: This pillar requires you and supervisory authorities to share information and cooperate on ICT-related matters, such as ICT risks, incidents, testing, and best practices. The information sharing and cooperation must be done in a secure, confidential, and timely manner, and must respect mutual data protection and privacy rights.

While rules will apply to all financial entities, how much they apply depends on the size of your organization and the amount of risk to which it is exposed.

DORA Third-Party Service Providers regulations: Why you need to think about it now, and what to do

With streamlined and effective governance standing as the overall objective of DORA, third-party service providers will be subject to oversight which aims to ensure they don’t pose unnecessary operational risks for the EU financial sector.

While the European Supervisory Authority’s (ESA) Lead Overseer will issue recommendations for third-party service providers, national competent authorities (NCAs) are responsible for following up and taking action against financial entities that fail to implement these recommendations. 

In these cases, NCAs have the authority to step in and require that you terminate contracts with your third-party service providers that are non-compliant with DORA.

The goal here is to ensure adequate monitoring of third-party service providers, and by doing so prevent a cascading domino effect throughout the vastly interconnected financial sector.

Penalties for non-compliance may go up to 1% of the average daily worldwide turnover of the third-party provider in the previous business year to compel them to comply.

In order to be in alignment with the ESA’s outsourcing guidelines, DORA requires the harmonization of contractual arrangements in terms of establishment, maintenance (e.g., reporting, review), and termination (e.g., exit plan, data retention).

DORA solution: EU-based third-party service providers, dedicated teams, and custom software development companies

This harmonization of contractual arrangements, in addition to third-party risk management (TPRM) requirements, places a lot of pressure on financial services entities working with offshore outsourced third-party service providers.

To be DORA compliant with your TPSPs, you will need to re-negotiate terms with your providers to include provisions that would otherwise be difficult, e.g. unrestricted access to premises.

Satisfying this provision with a TPSP based offshore may prove nearly impossible.

So, what can you do to avoid non-compliance with DORA and third-party providers?

The solution may be closer than you think. Literally.

Working with TPSPs based in the EU will help you satisfy time-sensitive and geographically dependent ESA guidelines that become mandatory under DORA.

The benefits of working with nearshore TPSPs


There are several additional benefits to working with nearshore TPSPs, and these include:

Cultural compatibility

Language barriers are called barriers for a reason. But a nearshore TPSP literally speaks your language.

Working within the EU and with nearshore TPSPs will help you communicate faster, easier, and more effectively – which is in line with a critical DORA requirement (i.e. timely reporting).

Knowledge of complex and regulated industries

TPSPs in the EU will be more thoroughly acquainted with the complex regulations and standards you face for ICT resilience than their offshore counterparts.

With DORA announced in December of 2022, many TPSPs took notice and started taking steps towards providing services in compliance with ESA guidelines.

Unified security, regulations, and compliance standards

As a result, most specialized TPSPs that deal with the finance industry will be well-versed in the related unified security, regulations, and compliance standards.

This gives you mobility between TPSPs with the same knowledge of uniform regulations and security practices, plus a faster time to compliance.

No time zone differences

Time-critical reporting guidelines for TPRM under DORA make it essential for any TPSP to be in the same, or a similar, time zone as the financial entity it services.

Staying nearshore with TPSPs will help you with time-critical reporting, in accordance with ESA guidelines that become binding under DORA. Additionally, this kind of setup will streamline operational processes for your business.

Onsite visits availability

With the ESA requiring contracts between financial entities and TPSPs to include provisions for unrestricted access to TPSP premises, working with EU-based third-party service providers facilitates this – and other – requirements.

“One team” approach

Instead of going through the costly and time-consuming process of recruiting and onboarding, you can look to a reputable third-party service provider with a deep talent pool and hand-pick the best talent for your project.

This way, you won’t break your team structure. In fact, working with nearshore TPSPs will help you reinforce the “one team” approach by fully integrating skilled engineers into your team, where they come to understand the requirements of your business first-hand.

Technology experts

Nearshore TPSPs are full of technology experts accustomed to delivering services according to the highest standards. 

These technology experts will quickly gain an understanding of your systems and architecture, for maximum efficiency and full compliance with EU regulations when delivering your solution. Their expertise, combined with quick turnaround ahead of any new regulatory change, will be key in future-proofing your business.

Ultimately, all of these are the foundations you need to build a beneficial long-term partnership.

Talk to us for a smooth transition to a near-shore partner that complies with all EU regulations.
