
DORA and Financial Outsourcing: What You Really Need to Know Before Signing Your Next Contract

Wiktoria Wierzbicka

24/02/2026

Since DORA came into force — on 17 January 2025 — the topic of financial outsourcing has returned to management boards' desks with renewed urgency. This time, however, the discussion is not about cost savings or access to talent. It is about a question we regularly hear from our clients and partners: after the implementation of DORA, can we still outsource financial processes at all? And will working with an external provider become a source of regulatory risk for us?

The short answer is: yes, financial outsourcing still makes sense. But the conditions under which it should be carried out have changed significantly enough to deserve a thorough discussion — without marketing gloss and without creating unnecessary fear of bureaucracy. That is the purpose of this article.

1. What DORA is — and what it is not

DORA, the EU Regulation 2022/2554 on digital operational resilience for the financial sector, is a regulation aimed at harmonising ICT risk management rules across the European financial industry. It covers a very broad range of entities: banks, insurance companies, payment institutions, investment funds, crypto-asset service providers and — importantly — third-party ICT service providers supporting these entities.

The key point to understand at the outset is this: DORA is not a regulation that prohibits outsourcing. Quite the opposite — it assumes that financial institutions will use external providers and regulates how such cooperation should be managed.

The centre of gravity of the regulation is primarily:

  • ICT third-party risk management strategy,
  • a register of all contractual arrangements relating to ICT services,
  • requirements concerning the content of contracts with providers,
  • the obligation to retain the right to audit and supervise the provider,
  • exit plans for terminating cooperation,
  • operational resilience testing — both internal testing and advanced testing, including threat-led penetration testing (TLPT).

Important principle: a financial institution that uses ICT services provided by an external entity never waives its responsibility for compliance with DORA. Responsibility remains with the financial institution — regardless of how well the contract with the provider is structured.

2. When does your financial provider become an ICT provider?

This question turns out to be more difficult than it may seem. Modern outsourcing of financial processes — accounting, controlling, payroll, management reporting — is almost always based on IT systems. This means that your business process outsourcing (BPO) partner may fall within the definition of a third-party ICT service provider under DORA.

DORA defines ICT services broadly: as digital and data services provided on an ongoing basis through ICT systems. At the same time, the regulation includes the principle of proportionality — the intensity of obligations depends on whether a given service supports functions that are critical or important to the operations of the financial entity.

In practice, this means that before signing your next outsourcing agreement, you should answer several fundamental questions:

  • Does this service rely on ICT systems — and who owns those systems?
  • Does it support a function whose disruption would have a significant impact on business continuity or the company's financial performance?
  • What does the provider's subcontracting chain look like — and who controls the infrastructure on which your data operates?

This is where one of the most common practical problems appears: companies do not have full visibility of their own ICT supply chain. They do not know which services are truly critical and which can be managed in a simplified way. This lack of a map is the first issue worth addressing.

3. What does DORA change in contracts with providers?

One of the more practical requirements of DORA is the catalogue of elements that must be included in every contract concerning ICT services. These are not theoretical requirements — their absence from a contract may become a direct issue during supervisory inspection.

Basic requirements for every contract

Every contract concerning ICT services — regardless of whether it relates to a critical function or not — should include, among other things:

  • a precise description of the ICT functions and services provided, including the scope of permitted subcontracting,
  • the location where services are provided and data is processed — country, region — as well as the procedure for notifying the client of any change in that location,
  • guarantees regarding the availability, authenticity, integrity and confidentiality of data,
  • rules for data recovery and return in the event of termination of cooperation or the provider's insolvency,
  • SLA clauses — clear, measurable and supported by an update procedure,
  • the right to terminate the contract in strictly defined situations, such as regulatory breaches, deterioration in service quality or loss of supervisory capability,
  • the provider's obligation to fully cooperate with supervisory authorities.

Additional requirements for critical or important functions

If the outsourced service supports a function classified as critical or important, the requirements go further. The contract must also include:

  • unrestricted rights of access, inspection and audit — both by the financial institution itself and by the supervisory authority,
  • the provider's obligation to participate in threat-led penetration testing, or TLPT, carried out by the institution,
  • detailed ongoing monitoring indicators, such as key performance and key risk indicators (KPIs/KRIs), with a corrective action procedure in the event of SLA breaches,
  • a mandatory exit plan: a plan for transition to another provider or an internal solution, with a sufficient transition period and a guarantee of service continuity.

An exit plan is not a formality. DORA requires you to be able to terminate cooperation with a provider without operational disruption, without compromising regulatory compliance and without reducing the quality of services provided to clients. It is worth building this plan together with the provider already at the contract-signing stage — not when something starts to go wrong.

4. Three risks worth keeping on your radar

Based on our experience in working with regulated entities, we identify three areas where companies most often encounter difficulties when implementing DORA in the context of financial outsourcing.

Risk 1: Concentration on one or several infrastructure providers

DORA directly regulates ICT concentration risk — a situation in which a financial institution is so heavily dependent on one provider, such as a single cloud platform or one ERP system, that its failure or unavailability could threaten the institution's ability to operate. The regulator expects institutions to assess this risk before signing the contract and to keep it monitored throughout the entire cooperation period.

Risk 2: Subcontracting chains

Your BPO provider uses a cloud-based accounting system. That system runs on another provider's infrastructure. Your financial data is processed there. This is what a typical subcontracting chain looks like — and DORA requires you to have visibility and control over it. In the case of services supporting critical or important functions, the contract must regulate the possibility of further subcontracting, and you have the right to object to the addition of a new subcontractor.

Risk 3: No up-to-date register of ICT services

DORA imposes an obligation to maintain and update a register of all contractual arrangements concerning ICT services — divided into those supporting critical or important functions and all others. This register must be ready to be presented to the supervisory authority. In practice, many companies are only now discovering that they do not have a full list of the services they use — nor a precise mapping of those services to business processes.

5. What does safe financial outsourcing under DORA look like?

Safe means compliant with regulatory requirements while still delivering business value. These two things are not contradictory. A good financial outsourcing model in the world of DORA is based on three pillars.

Pillar 1: The provider understands its place in your risk management system

A good outsourcing partner does not talk only about SLAs. It can indicate which ICT systems it uses, what its subcontracting chain looks like, which security standards it applies and how its incident management process works. It is ready to enter discussions with your compliance, IT security and internal audit teams — not only with operations.

Pillar 2: The contract is structured consciously

The point is not for the contract to be long. The point is for it to contain all the elements required by DORA — described precisely, not merely listed to tick a box. The right to audit must be genuinely enforceable, not only written down. The exit plan must be realistic, not merely formal.

Pillar 3: You have real oversight, not only documentation

You maintain and update a register of ICT services. You have a cyclical process for assessing provider risk. You test emergency scenarios. You know what will happen if your payroll system provider is unavailable for 48 hours. This is not bureaucracy — this is operational maturity.

6. A practical plan for CFOs and COOs — where to start

If you are only beginning to organise the DORA topic in the context of financial outsourcing, below is a sequence of actions that, in our experience, provides the best starting point.

  • Step 1. Map all financial processes carried out by external providers — BPO providers, accounting firms, shared service centres and freelancers working on your systems.
  • Step 2. For each provider, determine whether its services are based on ICT systems and whether they support critical or important functions. This is a key classification step.
  • Step 3. Conduct due diligence on providers: ask about the systems they use, their subcontractors, security standards such as ISO 27001 and similar frameworks, and incident handling procedures.
  • Step 4. Build or update your register of ICT contracts — divided into critical and non-critical arrangements. This is a document you must be ready to show to the supervisory authority.
  • Step 5. Assess existing contracts against DORA requirements: do they include audit rights, incident reporting rules, subcontracting clauses and an exit plan?
  • Step 6. If you are planning a new financial outsourcing project, design it according to DORA logic from the very beginning. Involve compliance and IT security before the contract reaches the lawyer.

7. A few words about how we approach this at Pomerico

At Pomerico, we have been building financial outsourcing models for European companies for years — including regulated entities operating in the financial sector. We know these questions well because they are asked by our clients: CFOs, Heads of Finance and Heads of Back Office who are looking for a partner capable of working in a regulated environment.

In practice, this means that our clients can expect from us, among other things:

  • transparency regarding the ICT systems we use and our subcontracting chain,
  • readiness to speak with compliance and IT security teams at the cooperation design stage,
  • contracts that include audit rights, incident-related clauses and exit plans built jointly with the client,
  • financial teams with low turnover — because workforce continuity has a direct impact on the operational continuity required by DORA,
  • support in creating or updating the ICT services register and classifying services as critical or important.

We do not claim that compliance is our competitive advantage. We claim that it is a necessary condition for being a credible partner for regulated entities.

Summary

DORA changes financial outsourcing — but it does not end it. It changes the conditions under which outsourcing should be designed and managed. A good provider in the world of DORA is one that understands these conditions and helps you navigate them without unnecessary headaches.

If you want to review your current contracts from a DORA perspective, assess the providers you work with or design a new financial outsourcing model — we are ready to talk.

This article was prepared on the basis of an analysis of the DORA regulation, EU Regulation 2022/2554, and the RTS/ITS implementing acts. It does not constitute legal advice. For matters requiring legal assessment, we recommend consulting a law firm specialising in financial market law.
