DORA in 2026: What the EU’s Cyber Resilience Law Means for SaaS Vendors and Their Financial-Sector Customers
In today’s financial-services world, digital technology is no longer just “nice to have”; it’s absolutely foundational. That means resilience, reliability and operational continuity are now board-level issues. That’s why the Digital Operational Resilience Act (DORA) is such a game-changer.
Since 17 January 2025, the EU’s DORA regulation has been fully applicable, setting a new regulatory baseline for how financial firms (and by extension, their technology suppliers) must manage Information and Communication Technology (ICT) risks, third-party services, incident reporting, resilience testing and more.
In this blog, we'll cover:
- What is DORA and Why It Matters
- How DORA is affecting businesses right now
- Key Insights for SaaS Vendors in 2026
- Checklist: What SaaS Vendors Should Be Ready for
What is DORA and Why It Matters
At its core, DORA aims to ensure that regulated financial institutions (banks, insurers, investment firms, payment and crypto firms) can withstand, respond to and recover from ICT disruptions such as cyberattacks, system failures or service-provider outages. DORA outlines five fundamental areas:
- ICT Risk Management: This includes identifying, protecting, and responding to all ICT risks to ensure a robust and comprehensive risk management framework.
- ICT-Related Incident Reporting: Financial entities must standardize the way they classify and report major ICT incidents to authorities promptly and accurately.
- Digital Operational Resilience Testing: This pillar requires regular testing of critical systems to identify vulnerabilities, with advanced methods like Threat-Led Penetration Testing (TLPT) being encouraged.
- Managing ICT Third-Party Risk: This involves managing the risks associated with ICT service providers, including conducting due diligence, monitoring service level agreements, and planning for exit strategies.
- Information Sharing: This pillar encourages the sharing of cyber threat intelligence to strengthen collective defences against cyberattacks.
In plain language: if you supply software or IT services to firms in the financial ecosystem, you’re in the chain of responsibility — either directly or indirectly.
How DORA is affecting businesses right now
For financial firms and their tech partners, several effects are already clear.
- Contractual frameworks are being rewritten: Firms are requesting (or being required to include) specific clauses in their SaaS/outsourcing contracts, such as service description, data processing location, termination and exit rights, audit rights, and full cooperation with regulators.
- Enhanced due diligence requests: Vendors are required to support enhanced due diligence (EDD), submit their sub-processors to scrutiny, and agree to more demanding SLAs around incidents and resilience.
- The supply chain is under more pressure: Financial firms must maintain a “Register of Information” covering all their ICT contracts and sub-contracts and provide visibility into their vendor ecosystem.
- Oversight of “critical third-party providers” (CTPPs) is rising: Even if you aren’t designated “critical”, your customers will increasingly evaluate concentration risk, exit risk, and audit/support obligations.
So for SaaS vendors, even if DORA doesn’t legally bind you directly (in many cases, it may), your customers’ compliance obligations will cause them to adjust procurement, contracts, onboarding, and vendor-monitoring behaviour.
Key Insights for SaaS Vendors in 2026
As DORA reshapes expectations across the financial sector, vendors sit right at the intersection of regulation and resilience. Here are some key insights to help vendors understand what’s changing and how to stay ahead.
- Scope is broad: The definition of “ICT services” under DORA is wide — SaaS, PaaS, IaaS, data services, software support, cloud, etc. If your customer is a regulated financial firm in the EU, your service may fall under their DORA obligations.
- Contract-readiness matters: Customers will ask for DORA-specific contract language (not just generic vendor terms). Prepare boilerplate or addenda aligning your service terms with Article 30 of DORA.
- Evidence-ready operations: Beyond contract language, customers expect evidence: Do you have documented resilience testing, incident management records, sub-processor maps and data-location disclosures? This is becoming the “table stakes”.
- Exit, data portability, and audit readiness are growing focus areas: Customers want assurance that if they end the relationship, they can recover their data easily (exit and data return), move it elsewhere without disruption (portability), and that you can fully support audits or regulator inquiries — including providing evidence and cooperating during incident investigations. Transparency around any sub-outsourcing is also essential.
- Global footprint matters: Even non-EU vendors can be drawn in if they provide services to EU-regulated firms. Your physical or processing location, and your ability to meet EU regulator expectations, may be scrutinised.
- Don’t wait for the perfect time; start now: While some Level-2 technical standards are still being finalised, financial firms (and their vendors) can already take action to update contracts, map vendor services, and conduct a vendor-risk gap analysis.
Checklist: What SaaS Vendors Should Be Ready for
So what does DORA readiness actually look like in practice? Beyond broad awareness of the regulation, vendors need to demonstrate concrete actions and evidence to customers. The checklist below outlines the core areas you should focus on — from contractual terms to operational controls — to show that your service can stand up to DORA-level scrutiny.

Turning Compliance Into Competitive Advantage
In a world where the supply chain is as critical as the firm itself, DORA isn’t just another regulation; it’s a signal of how resilience will be measured, contractually and operationally, in the years ahead. For vendors, being ready means not just meeting the bar, but helping your customers cross it — and in doing so, turning compliance into a competitive advantage. Want to see how usecure can support your DORA-ready security culture? Reach out to our team to enjoy a 14-day free trial of our products or access a library of on-demand demos.