Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
DORA & Financial Sector

DORA for ICT Providers: Third-Party Risk and Incident Reporting

09.12.2025 · 3 min read

Since January 2025, DORA applies in the financial sector, with consequences for every supplier. What the register of information, reporting chains and the first critical designations mean.

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), has applied to the European financial sector since 17 January 2025. Since 19 November 2025, oversight has become concrete: the European Supervisory Authorities EBA, EIOPA and ESMA published the first official list of 19 ICT third-party providers designated as critical, among them AWS, Google Cloud, Microsoft, Oracle, SAP, IBM and Deutsche Telekom. The list is updated annually.

The instinctive reaction of many IT providers is: this does not concern me, I am not a bank. That is a fallacy. DORA travels down the supply chain.

Why the regulation reaches every supplier

Financial entities carry the risk of their ICT outsourcing themselves and must manage it demonstrably. By 30 April 2025 they had to report their register of information, a complete record of all contractual arrangements with ICT third-party providers. With that, every outsourcing is visible to the regulator, including those to non-critical providers.

Whatever obligations the financial entity carries, it passes on contractually to its providers. In practice, financial customers now demand:

  • DORA-compliant contract clauses with clear performance, security and termination terms.
  • Audit and access rights, so that the customer and the regulator can inspect.
  • Transparency over sub-outsourcing, that is, who else sits behind the provider.
  • Reporting chains for incidents, fast enough for the financial customer to meet its own deadlines.
  • Exit and continuity plans, along with evidence from resilience testing.

Incident reporting is a chain, not a form

For major ICT incidents, DORA requires staggered reporting: an initial notification within a few hours of classification, an intermediate report and a final report within one month. For suppliers this means: the incident must not only be detected internally, the financial customer must be informed in time to keep its own regulatory clock. Whoever reports too late or too vaguely endangers the customer’s compliance, and with it the business relationship.

Designated critical means direct oversight

Whoever is named a critical ICT third-party provider falls under the direct oversight of a lead overseer at EU level. Because the list is updated annually, the designation is not a static state: whoever is not listed today may be listed as their importance to the financial sector grows.

What makes sense now

For ICT providers with financial customers, it pays to review your own contracts for DORA clauses, document sub-outsourcing cleanly, and rehearse incident reporting so that the chain up to the financial customer holds within hours. In our Datargo Monitor module, monitoring, an incident engine and an append-only audit trail interlock so that the evidence for such reporting chains can be produced. The point itself, though, is independent of any tool, namely to document your own resilience so that the financial customer can rely on it.

DORA is not a banking topic alone. It is the requirement your financial customers now pass on to you.

Back to the blog

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy