FREE CONSULTATION
CONSULTATION

HR Outsourcing Partner

DORA vs Outsourcing. Is Financial Outsourcing Safe in the World of DORA?

With the entry into force of DORA (Digital Operational Resilience Act), many boards and CFOs ask themselves one question:

“Is it even appropriate to outsource financial processes, given that regulators are pushing so hard on technology and third-party provider risks?”

The answer is: yes, financial outsourcing still makes sense – but the way you design it and manage the provider relationship changes.

DORA does not prohibit cooperation with external partners. On the contrary, it assumes that you use them but imposes very specific obligations regarding:

  • ICT risk management,
  • Classification of services and providers,
  • Contract content,
  • Maintaining a service register,
  • Resilience testing (OOC, TLPT),
  • Oversight of the subcontractor chain.

In this article, I explain:

  • what DORA really changes for financial outsourcing,
  • where the risks lie,
  • when outsourcing is safe,
  • which criteria to use when choosing a provider,
  • how we at Pomerico design services to support your DORA compliance.

 

1. DORA in a Nutshell – What Does It Really Regulate?

DORA (EU Regulation 2022/2554) applies from January 17, 2025, covering thousands of financial sector entities and ICT providers servicing them, including:

  • Banks and brokerage houses,
  • Insurance and reinsurance companies,
  • Payment and electronic money institutions,
  • Investment funds,
  • Crypto service providers (CASP),
  • Key ICT providers 

Its main goals are:

  • Standardizing digital operational resilience rules across the financial sector,
  • Covering multiple types of institutions under a single regime,
  • Structuring risk management for external ICT providers, including those performing business processes based on IT systems, e.g., financial and accounting outsourcing.

A key section for outsourcing is DORA, which requires institutions to:

  • Adopt a third-party risk strategy,
  • Maintain a register of all ICT service agreements 
  • Distinguish critical/important functions from others,
  • Review provider risks and contracts,
  • Implement testing programs (e.g., OOC, TLPT) and remedial plans,
  • Have an exit plan for disengagement, data recovery, and process resumption. 

All this must be proportionate – regulator expectations depend on:

  • Nature and scale of ICT dependency,
  • Criticality of the functions supported,
  • Potential impact of service failure on financial operations continuity.

2. Financial Outsourcing under DORA – Where is the Risk?

Modern financial outsourcing (accounting, controlling, reporting, treasury support) almost always relies on ICT systems – cloud-based or on-premise at the provider.

This means:

  • Your BPO/outsourcing partner can be classified as an ICT provider or part of the chain (e.g., accounting firm + cloud provider).
  • You, as a financial institution, never relinquish compliance responsibility – you remain accountable to the regulator. 

From DORA implementations and market analysis, major risks appear in four areas:

Lack of full ICT supply chain visibility

  • Companies may not know which ICT services are used, which support critical functions, or the full subcontractor/process chain.
  • DORA requires a register linking all ICT service agreements to critical functions.

Contracts not aligned with DORA

  • Agreements often lack audit rights (including regulator inspections), incident reporting rules, resilience testing requirements, subcontracting controls, and detailed exit plans.

High concentration of risk in a few cloud “giants”

  • Dependence on one or two infrastructure/application providers without proper backup plans is a key regulator concern.

“Soft” approach to provider monitoring

  • No regular risk assessments,
  • No KPI/KRI reviews,
  • No scenario testing.

This does not mean financial outsourcing is inherently risky – it means you need to raise the bar in selecting partners and managing the relationship.

3. When is Financial Outsourcing Safe in the DORA World?

Safe financial outsourcing under DORA meets three conditions:

3.1. DORA Compliance Built Into the Cooperation Model

  • Provider understands they are part of your risk management system,
  • Supports regulatory obligations beyond just delivering SLA,
  • Has processes, procedures, and documentation that integrate into your ICT service control system. 

In practice, the BPO/outsourcer collaborates not only with operations but also with:

  • Compliance/legal,
  • Risk,
  • IT security,
  • Internal audit.

3.2. The Contract is “DORA-Ready”
Agreements should include:

  • Detailed description of services and ICT systems,
  • Audit and inspection rights (including regulator),
  • ICT incident and breach reporting rules,
  • Clear subcontracting rules and veto rights,
  • Continuity requirements (BCP/DRP) and test scope,
  • Exit plan – data migration, formats, timelines, responsibilities

Without these, you cannot effectively control risk.

3.3. Real Oversight and Monitoring
DORA requires a risk-based approach to providers: segmentation, KPIs/KRIs, periodic assessments, and tests.

Safe outsourcing means:

  • Maintaining a register of all ICT services and agreements,
  • Cyclic risk assessment of providers (financial, operational, cyber),
  • Scenario testing (e.g., invoicing system loss, payroll delays),
  • Demonstrating records, assessment results, remediation plans, and tests to the regulator.
  •  

4. What to Consider When Choosing a Financial Outsourcing Provider

Checklist for CFOs, COOs, Heads of Finance/Back-Office:

4.1. Location and Jurisdiction

  • Provider operates in the EU/EEA and is subject to DORA?
  • Subcontractor chain mapped and transparent?
  • Can the provider show data flow and system locations?
  •  

4.2. ICT and Security Maturity

  • Security standards (ISO, NIST, internal policies),
  • Incident management and reporting process,
  • Resilience tests (pen-tests, continuity, scenario) and frequency.
  •  

4.3. DORA-Ready Contracts

  • Contract templates covering audit, reporting, exit plan, subcontracting.

4.4. Subcontractor Transparency

  • Updated register of ICT subcontractors,
  • Ability to veto new subcontractors outside EU.
  •  

4.5. Financial Sector Experience

  • Works with regulated entities (banks, insurers, fintechs)?
  • Fluent in compliance and risk language, not just accounting or IT?
  •  

5. How Pomerico Meets DORA Requirements

Pomerico builds models for financial process outsourcing, BPO, EOR, and body leasing for European and regulated entities.

5.1. Services Designed for Regulations

  • BPO/finance process outsourcing,
  • Payroll & HR: full payroll, contracts, benefits, social contributions, leave,
  • HR/legal/tax advisory: clauses and structures compliant with regulations.

5.2. Audit-Ready Contracts

  • Audit and inspection rights included,
  • Clear system, subcontractor, and data flow descriptions,
  • Exit plan designed from the start.
  •  

5.3. Registers and Monitoring

  • Creation/update of ICT/outsourcing agreement registers,
  • Service classification (critical/important/other),
  • KPI/KRI definition for financial services, including continuity metrics

5.4. Financial Teams Built for Regulated Sector

  • Highly specialized teams with very low turnover.
  • Ensures knowledge retention, operational continuity, and audit reliability.

6. Practical Approach for Your Company

Steps for the board/CFO:

  • Map all outsourced financial processes (BPO, accounting, service centers, freelancers).
  • Identify which rely on ICT and support critical functions – these fall under DORA.
  • Ask providers for: system lists, subcontractors, DORA-ready contract templates, and security/incident processes.
  • Update outsourcing/ICT register to show the regulator.
  • Verify current contracts meet DORA: audit, incident reporting, subcontracting, exit plan.
  • Design new outsourcing with DORA in mind: choose providers familiar with the regulation, engage compliance/IT security early.

7. Is Financial Outsourcing Safe in the DORA World?

Yes – outsourcing can be very safe and even enhance operational resilience if:

  • Partner has mature security and compliance processes,
  • Contract is consciously built around DORA,
  • You maintain real oversight of the relationship and subcontractor chain.

DORA is not the end of financial outsourcing. The right provider will help you navigate DORA seamlessly and work with your CFO, Compliance Head, and IT Security at one table.

If you want to discuss how to make your financial outsourcing both cost-effective and DORA-proof, we can review your current agreements and cooperation model and show concrete improvement scenarios.

 

  • Details

Date: 24/02/2026

  • Author
  • Sebastian Kunc
Pomerico-logo

See also other entries written

by our experts

POMERICO GROUP

Your next step starts here.

Ready to reduce costs, scale your team or enter a new market? One conversation is enough to know if we’re the right fit.
  • We act as your internal team - We are not an agency. We take full responsibility for people and processes.
  • Scale when you need it - Hire faster, more flexibly, and without long-term commitments.
  • Efficiency proven by numbers - 2 500+ projects delivered, 85% of clients in long-term cooperation.

Book your free consultation

No commitment · Reply within 24h
  • Company
  • Services
  • Industry
  • Contact us
  • Wiktoria Wierzbicka

    HR Project & Operations Manager
          Your first point of contact 
 Available Mon–Fri, 9:00–17:00 CET

Linkedin