Are you an IT or software company that provides information and communication technology services to EU financial entities? Then you are most likely a third-party ICT service provider within the meaning of the "DORA Regulation".
The so-called "DORA Regulation" of the European Union came into force on January 17, 2025 and places new requirements on financial entities and on you as a third-party ICT service provider. DORA stands for "Digital Operational Resilience Act". The purpose of the regulation is to strengthen the digital operational resilience of financial market players in the EU by setting out requirements for IT security and risk management with regard to digital risks.
But what exactly are ICT services within the meaning of DORA and what are the actual requirements of DORA?
ICT services include all digital and data services that are provided via IT systems – from cloud and hosting services to software solutions and hardware services, including technical maintenance and updates.
Financial institutions must ensure that their ICT service providers meet certain standards in terms of operational security and resilience. ICT third-party service providers are only indirectly addressed in DORA, but you should be prepared for the DORA minimum requirements when financial entities approach you with contract requirements.
The central question is: How can you, as an IT or software company with customers in the financial sector, meet the new requirements without being overwhelmed by excessive compliance? It is important to be prepared for discussions and negotiations with customers and to know exactly where there is room for maneuver.
DORA minimum requirements: Maintain flexibility and minimize risks
DORA requires financial entities to have clear contractual agreements with their ICT service providers. The minimum requirements differ depending on whether or not your services are classified as important or critical functions.
What does "important or critical function" mean?
A service is considered critical or important if its failure or disruption has a significant negative impact on the ability of a financial entity to provide its core services.
If your services are not classified as critical or important, the minimum requirements of Art. 30 para. 2 DORA apply. Otherwise, additional obligations pursuant to Art. 30 para. 3 DORA apply.
The minimum contractual requirements for all ICT third-party service providers include:
- Detailed service description of all ICT functions and services provided.
- Location details for service provision, data processing and storage – including notification obligation in the event of changes.
- Security and data protection provisions on availability, authenticity, integrity, confidentiality and the protection of personal data.
- Data access and return in the event of a crisis, especially in the event of insolvency or business closure.
- Performance quality, including updates and revisions.
- Incident support, either free of charge or at fixed prices.
- Cooperation with authorities.
- Termination rights in accordance with the requirements of the supervisory authorities.
- Mandatory training and awareness-raising on digital resilience.
ICT service providers that provide critical or important functions must additionally:
- Agree on more detailed performance standards with quantitative and qualitative targets.
- Specify the conditions under which subcontracting is permitted – there is explicitly no obligation to ask for approval or to notify.
- Comply with longer notice periods and reporting obligations.
- Implement emergency plans and security measures and test them regularly.
- Participate in TLPT tests (Technology and Operations Testing) of financial companies.
- Accept monitoring rights of the financial entities, including inspections and audits.
- Define exit strategies to ensure a smooth transition.
Attention to subcontracting and choice of location
Even if financial companies often have the upper hand, you don't have to put up with every demand. In particular, do not allow any clauses that go beyond the minimum requirements to be imposed on you.
Excessive obligations can cause enormous additional effort. Approval requirements or notification obligations in particular are easily forgotten in day-to-day business – in the worst case, this can result in contractual penalties or even termination. As a third-party ICT service provider, you should therefore make sure not to bind yourself by contract more than necessary.
You should examine two central topics in particular:
Subcontractors
It has not yet been finally clarified whether regulations on subcontracting are mandatory for all ICT third-party service providers or only for providers of critical or important functions. The wording of Art. 30 para. 2 lit. a DORA speaks more in favor of the latter. However, this requirement has been placed within the regulation at the position where the obligations of all ICT third-party service providers are generally concerned.
Accordingly, many financial companies insist on one regulation for all to avoid regulatory risks. If your company does not perform critical or important functions, you should point out in negotiations that the obligation to regulate subcontracting is not an explicit minimum requirement.
Note: Any requirement for prior approval or notification of subcontractor changes goes beyond DORA's minimum requirements, whether you perform critical/important functions or not. It is worth negotiating this point in any case.
Location of the services
DORA only requires notification of changes to the countries or regions in which ICT services and data processing take place. A prior approval procedure is not provided for. If financial companies nevertheless insist on this, this point also offers scope for negotiation.
Conclusion and takeaway
As an IT and software company with banks and insurance companies operating in the EU as customers, you should be prepared to be confronted with corresponding contracts in accordance with the DORA requirements. Even if you are only indirectly regulated as an ICT third-party service provider, you need to know what contractual obligations financial entities are allowed to demand – and where you can defend yourself against excessive requirements.
The two critical points of subcontracting and choice of location require special attention in order to avoid unnecessary obligations. A well-prepared negotiation strategy helps to minimize compliance burdens and at the same time secure long-term business relationships with financial entities.