DORA (Financial Sector)

DORA considers: impact on service continuity if provider fails, difficulty of substitution, data sensitivity, and geographic concentration. Cloud infrastructure providers are almost always critical.

Article 30 specifies mandatory contractual provisions: SLAs, data location requirements, audit rights, breach notification timelines, exit strategies, and sub-outsourcing restrictions. We gap-check your existing contracts.

When your ICT provider outsources to their own providers. Example: you use a fintech SaaS that runs on AWS — AWS is a sub-outsourcing dependency. DORA requires transparency into these chains.

CR-SOC-07 covers general vendor risk for SOC 2. This service adds DORA-specific requirements: critical provider classification, DORA Article 30 contractual review, concentration risk, and sub-outsourcing analysis specific to financial regulation.

Yes. CR-NIS2-07 covers software supply chain and NIS2 requirements. This service adds DORA's financial-sector requirements. If subject to both, we recommend doing them together.