
DORA Is Here: What It Means for IT Suppliers to Banks and Insurers

[Image: Digital shield protecting financial data streams]

Since January 2025, the Digital Operational Resilience Act (DORA) has been in full effect. For banks, insurers, and investment firms, this means new obligations around digital resilience. But the changes don't affect only financial institutions: they directly impact every IT supplier serving the financial sector. And this isn't some abstract future threat; it's happening right now.

What Is DORA and Why Should You Care?

DORA is an EU regulation that introduces a unified framework for ICT risk management in the financial sector. Unlike previous directives, DORA explicitly targets third parties (IT suppliers, cloud service providers, and software developers).

If your company builds software for a bank or insurer, DORA applies to you, quite directly and specifically.

Requirements Appearing in Tenders

1. ICT Risk Management

Financial institutions must demonstrate that their suppliers have established ICT risk management processes. In practice, tenders now include questions like:

  • Do you have an ISMS (Information Security Management System)?
  • How do you handle patch management?
  • What are your vulnerability management processes?

2. Digital Resilience Testing

DORA requires regular testing of IT system resilience. Suppliers must be prepared for:

  • Penetration testing (including TLPT – Threat-Led Penetration Testing)
  • Business continuity testing
  • Disaster recovery scenarios

3. Incident Reporting

The new ICT incident reporting regime means suppliers must have clear processes for:

  • Incident detection and classification
  • Client escalation and notification within defined timeframes
  • Providing root-cause analyses

4. Third-Party Management

Financial institutions must maintain a register of all ICT suppliers and classify them by criticality. Expect:

  • Extended due diligence questionnaires
  • Certification requirements (ISO 27001, SOC 2)
  • Right to audit your systems and processes
  • Regular supplier performance evaluations

5. Contractual Requirements

DORA precisely defines what contracts with ICT suppliers must contain:

  • SLAs with measurable KPIs
  • Exit strategies and migration plans
  • Obligations upon termination of cooperation

What This Means for Slovak IT Companies

Many Slovak IT companies supply software to financial institutions, either directly or as subcontractors to larger integrators. DORA raises the bar for everyone in the supply chain.

Companies that prepare for DORA early will have smoother negotiations with banks. Those that ignore it may find out from a tender that their bid didn't meet the conditions.

How we handle this

At Rise.sk, we build software for clients in regulated industries, including the financial sector. Last year, we helped a client navigate a DORA compliance audit. The biggest challenge wasn't technical — it was that process documentation only existed in people's heads. Since then, security documentation has been a standard part of every project for us.

How to Get Started

If you supply IT services to the financial sector and want to prepare for DORA:

  1. Map the requirements and identify which parts of DORA apply to you
  2. Implement an ISMS; if you don't have one yet, start with ISO 27001
  3. Prepare documentation for incident management, BCP, and disaster recovery
  4. Test regularly with penetration tests and resilience testing

Need help building software that meets DORA requirements? Get in touch; we can help with security documentation and processes.
