We supply banks, does DORA hit us?
DORA has applied since 17 January 2025. It targets financial entities, but via the critical ICT third-party regime and contract terms it cascades to suppliers.
Try this first
- 1Confirm whether your customer is a financial entity under DORA: bank, insurer, investment firm, payment institution, credit institution. Then DORA reaches you contractually.
- 2Expect contract updates: incident reporting within fixed windows, supervisor audit rights, exit strategy, transfer requirements.
- 3Build incident detection and logging at a level where you can produce facts in hours, not days. SLA reporting alone is too slow.
- 4Document concentration risk. If you use sub-suppliers for core function, your customer needs to know.
- 5Keep test evidence. Pen tests, scenario tests, business-continuity drills will be requested.
When to bring us in
Designated as a "critical ICT third party" by the ESAs? You are directly supervised. Different game; bring in legal and compliance specialists.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.