BG Beter Geregeld ICT
Compliance · 2 min leestijd · 10 December 2025

DORA for SMB Suppliers to Financial Institutions

From January 2025, every bank, insurer, or investment fund expects its suppliers to be DORA-compliant. As an SMB supplier, those requirements will land in your contracts.

DORA (Digital Operational Resilience Act) is an EU regulation that requires banks, insurers, investment funds, and payment service providers to meet stricter IT-resilience standards. If you supply software to that sector as an SMB, those requirements will flow down to you through your contracts.

What does this mean in practice for suppliers?

  • Contractual security requirements are getting stricter. Clients in the sector will ask for ISO 27001 or SOC 2 Type II certification, plus additional clauses.
  • Incident reporting obligations: you must report incidents to your financial clients within fixed timeframes.
  • Risk management covering third-party suppliers — including you as a vendor — must be explicit.
  • Testing regime: your clients may expect the right to conduct penetration tests or resilience tests against your systems.

Action steps

  1. ISO 27001 as your foundation (pillar).
  2. An incident reporting procedure that distinguishes between general notification obligations and the sector-specific DORA reporting obligation.
  3. A subcontractor register — which of your own suppliers indirectly touches your financial clients.
  4. Review your contract templates for financial clients.

Related topics: ISO vs SOC 2 and processing register.

Onderwerpen

#compliance #dora #financiele-sector #europa

Volledige gids: ISO 27001 para pymes sin gastar €50k en consultores

Dit artikel is onderdeel van onze uitgebreide Compliance-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Compliance

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

2 min
Compliance

NIS2 and SMEs: does your business fall under the directive?

NIS2 is the successor to NIS1 and significantly widens the scope. Many SMEs in "ordinary" sectors now suddenly qualify as essential or important entities.

2 min
Compliance

ISO 27001 or SOC 2? Which one fits your Dutch SMB?

ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.

2 min
Compliance

NEN 7510 for healthcare businesses: a step beyond ISO 27001

Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.

2 min
AVG & privacy

GDPR Compliance for SMBs: The Practical Minimum

GDPR doesn't require a €10,000 project or a DPO for most small businesses. Here's what every SMB actually needs — based on what the Dutch DPA really checks for.

2 min
Tools & checks uitgelegd

VIES VAT number check: what it is, why it matters, and how to do it quickly

When you invoice a business in another EU country, you are often legally required to verify their VAT number via VIES. What is VIES, what does it check (and what doesn't it), and how do you maintain a proper audit trail?

4 min
← Alle artikelen in "Compliance"