The DORA (Digital Operational Resilience Act) regulation imposes strict obligations on banks and insurance companies in terms of digital resilience. Adopted by the European Union, it aims to strengthen the management of risks associated with information technology and imposes increased oversight of IT service providers. These requirements have a direct impact on software publishers that provide services to these actors. Understanding these obligations is essential to anticipate customer requests and secure contractual relationships.

Why does the DORA regulation also apply to software publishers?

DORA requires financial institutions to better control the risks associated with the technologies they use. As a result, banks and insurance companies now require strengthened guarantees from their IT and SaaS providers, especially in terms of security, business continuity and incident management.

A software company that wants to continue working with these companies should expect contracts to be revised to incorporate more stringent commitments. It is better to anticipate these requests rather than undergo renegotiation under pressure.

Security and risk management: increased requirements

Customers subject to DORA will require specific guarantees on:

  • Infrastructure and software security: compliance with high cybersecurity standards.
  • Incident management: strict procedures to quickly report and resolve any faults.
  • Resilience tests: regular audits and simulations to demonstrate the service provider's ability to deal with an attack or failure.
  • Business continuity: recovery plans in the event of a major incident, with commitments on recovery times.

What contractual obligations for software and SaaS publishers?

Contracts should now include:

  • Precise clauses on cybersecurity, covering updates, protection against cyber attacks, and vulnerability management.
  • A commitment to transparency on IT incidents, with an obligation to promptly notify the customer of any problem affecting the availability or integrity of services.
  • Increased responsibility in the event of a failure: limitation of liability clauses could be increased to better protect customers.
  • A reinforced right to audit for financial customers, allowing them to verify the publisher's compliance with DORA requirements.

DORA complements the requirements of GDPR by imposing more stringent digital resilience measures on financial actors. While GDPR governs the protection of personal data, DORA imposes proactive management of IT risks, thus forcing software publishers to strengthen their commitments in terms of cybersecurity and business continuity.

How can a software or SaaS publisher anticipate these new obligations?

  • Analyze existing contracts now to identify which clauses need to be updated. Failing that, consider internally what it will be possible to amend at the request of this type of customer.
  • Strengthen internal compliance by implementing cybersecurity measures aligned with DORA.
  • Train teams on the new requirements to ensure consistent application of obligations.
  • Provide appropriate contractual guarantees in order to secure commitments without accepting disproportionate obligations.

Conclusion

DORA does not apply directly to software companies, but imposes requirements on their banking and insurance customers that they will pass on to their service providers. A publisher that anticipates these obligations will be better equipped to negotiate its contracts and avoid complex renegotiations under duress. Adapting your contractual and technical strategy now is a necessity to remain a reliable partner in this highly regulated sector.
