DORA: what contractual obligations for SaaS vendors?

The DORA regulation (Digital Operational Resilience Act) imposes strict obligations on banks and insurance companies regarding digital resilience. Adopted by the European Union, it aims to strengthen the management of risks associated with information technology and introduces heightened oversight of IT service providers. These requirements directly impact SaaS vendors that provide services to financial sector entities. Understanding these obligations is essential to anticipate customer demands and secure contractual relationships.

Why DORA also concerns SaaS vendors

DORA requires financial institutions to exercise greater control over the risks associated with the technologies they use. As a result, banks and insurance companies now require strengthened guarantees from their IT and SaaS providers — particularly regarding security, business continuity and incident management.

A SaaS vendor that wishes to continue serving these clients should expect contract revisions incorporating more demanding commitments. It is better to anticipate these requests than to face renegotiation under pressure.

Security and risk management: heightened requirements

Clients subject to DORA will require specific guarantees covering:

• Infrastructure and software security: compliance with high cybersecurity standards.
• Incident management: strict procedures for promptly reporting and resolving any vulnerability.
• Resilience testing: regular audits and simulations to demonstrate the vendor’s ability to withstand an attack or outage.
• Business continuity: recovery plans in the event of a major incident, with commitments on recovery timeframes.

For further detail on security provisions in a SaaS agreement.

What contractual obligations for SaaS vendors?

Agreements will now need to include:

• Precise cybersecurity provisions covering updates, cyberattack protection and vulnerability management.
• A transparency commitment on IT incidents, with a prompt notification obligation where availability or integrity of the service is affected.
• Heightened liability in the event of failure: liability limitation provisions may need to be revised upward to better protect customers.
• Strengthened audit rights for financial sector clients, enabling them to verify the vendor’s compliance with DORA requirements.

DORA complements GDPR requirements by imposing stricter digital resilience measures on financial sector entities.

DORA and IT subprocessing: a key compliance point

Banking clients subject to DORA will also require strict oversight of the SaaS vendor’s subprocessors. The regulation imposes full transparency over the IT subcontracting chain, with strengthened objection rights and notification requirements in the event of a provider change. Vendors must anticipate these demands by documenting their critical subprocessors and including appropriate provisions in their agreements.

How to anticipate these new obligations

• Review existing agreements now to identify provisions that need updating.
• Strengthen internal compliance by implementing cybersecurity measures aligned with DORA.
• Train teams on the new requirements to ensure consistent application of obligations.
• Include appropriate contractual guarantees to secure commitments without accepting disproportionate obligations.

For an overview of the key provisions in a SaaS agreement, see the SaaS contracting guide. For further analysis of SLA penalties and liability.

Conclusion

DORA does not apply directly to SaaS vendors, but it imposes requirements on their banking and insurance clients that will be passed down to their service providers. A vendor that anticipates these obligations will be better positioned to negotiate its agreements. If you serve financial sector clients and need to update your contracts, book a call.

‍