DORA Compliance: Essential Guide for Indian SaaS Companies Serving European Financial Institutions

April 29, 2025

Introduction

The Digital Operational Resilience Act (“DORA”), formally known as Regulation (EU) 2022/2554, has entered into force early this year, introducing comprehensive requirements for ICT service providers working with European financial institutions. For Indian SaaS companies serving this sector, understanding and implementing DORA's detailed contractual requirements is now a business imperative. This article provides a comprehensive overview of DORA's contractual provisions and oversight framework from the perspective of Indian technology providers, offering practical guidance for maintaining compliant and competitive relationships with European financial clients.

Understanding DORA's Contractual Requirements

Article 30 of DORA establishes extensive requirements for contracts between financial entities and ICT third-party service providers. For Indian SaaS companies, these requirements represent a significant shift in how service relationships must be documented and managed.

Mandatory Contractual Elements for All ICT Services:

Every contract between an Indian SaaS provider and a European financial institution must include:

1. Comprehensive service description: A clear and complete documentation of all functions and services provided, with explicit provisions regarding subcontracting permissions and conditions.

2. Location transparency: Specific identification of all locations (regions or countries) where services will be provided and data processed, with advance notification requirements for any location changes.

3. Data protection provisions: Explicit terms ensuring availability, authenticity, integrity, and confidentiality of all data, including personal data.

4. Data recovery guarantees: Clear provisions for data access, recovery, and return in easily accessible formats in cases of provider insolvency, resolution, or business discontinuation.

5. Service level specifications: Detailed service level descriptions with regular updates and revisions.

6. Incident response obligations: The obligation to provide assistance during ICT incidents at no additional cost or at predetermined costs.

7. Regulatory cooperation: Commitments to cooperate fully with the financial entity's competent authorities and resolution authorities.

8. Termination rights: Clear termination provisions with minimum notice periods that meet regulatory expectations.

9. Security training participation: Conditions for participating in the financial entity's security awareness and resilience training programs.


Enhanced Requirements for Critical or Important Functions:

For Indian SaaS companies supporting critical or important functions of European financial institutions, contracts must additionally include:

1. Quantitative performance targets: Precise quantitative and qualitative performance metrics enabling effective monitoring and timely corrective actions.

2. Material impact notifications: Specific notification requirements for developments that might materially impact service delivery.

3. Business continuity requirements: Obligations to implement and test business contingency plans and maintain appropriate security measures.

4. Testing participation: Commitment to participate in the financial entity's threat-led penetration testing (TLPT).

5. Comprehensive audit rights: Provisions granting the financial entity, appointed third parties, and regulatory authorities unrestricted rights of access, inspection, and audit.

6. Detailed exit strategies: Comprehensive transition plans that:

- Ensure continued service provision during transition periods

- Enable migration to alternative providers or in-house solutions

- Consider the complexity of services provided

The Critical ICT Third-Party Service Provider Designation:

DORA establishes an oversight framework for ICT providers deemed "critical" to the European financial system. Indian SaaS companies should understand this designation process and its implications.

Designation Criteria:

The European Supervisory Authorities (ESAs) may designate an ICT provider as critical based on:

1. Systemic impact: The potential effect on financial stability if the provider experiences operational failure.

2. Client importance: The systemic importance of the financial entities served, particularly if they include Global Systemically Important Institutions (G-SIIs) or Other Systemically Important Institutions (O-SIIs).

3. Dependency level: The extent to which financial entities rely on the provider for critical functions.

4. Substitutability challenges: The difficulty of replacing the provider due to market concentration, technical complexity, or migration challenges.

Implications of Critical Designation:

Indian SaaS companies designated as critical must:

1. Establish EU presence: Set up a subsidiary in the European Union within 12 months of designation.

2. Accept oversight: Submit to direct oversight by a designated Lead Overseer from among the ESAs.

3. Coordinate communications: Designate a coordination point for representation and communication with the Lead Overseer.

4. Notify clients: Inform all financial entity clients of the critical designation.

Conclusion

DORA introduces unprecedented contractual and operational requirements for Indian SaaS companies serving European financial institutions. The regulation's detailed provisions on service descriptions, data handling, audit rights, and exit strategies demand a thorough review of existing practices and agreements.

For Indian providers, DORA compliance represents both a challenge and an opportunity. Those who proactively address these requirements—developing comprehensive documentation, enhancing operational resilience, and streamlining audit processes—will find themselves well-positioned in the European market.

The potential for critical designation adds another layer of consideration, particularly for larger providers serving systemically important financial institutions. Understanding the designation criteria and preparing for its implications, including the possible need for European subsidiaries, should be part of strategic planning.

Ultimately, DORA compliance should be viewed not merely as a regulatory burden but as an opportunity to demonstrate commitment to operational excellence and client security. Indian SaaS companies that embrace these standards will build stronger, more resilient relationships with their European financial clients while differentiating themselves in an increasingly competitive market.

This article is intended for informational purposes only and does not constitute legal advice. Indian SaaS companies should consult with their legal advisors regarding their specific obligations when serving European financial institutions.