DORA for Financial-Services Virtual Data Rooms

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, applicable from 17 January 2025) creates a binding ICT risk-management framework for the EU financial sector. It applies to 20 categories of financial entity — banks, investment firms, insurers, asset managers, payment institutions, e-money institutions, crypto-asset service providers, and others — and, through its oversight framework, to the ICT third-party service providers designated as critical.

A virtual data room used by a financial entity is an ICT service, and its vendor is an ICT third-party service provider under DORA. The relationship is therefore subject to DORA's contractual minimum content (Article 30), the financial entity's monitoring obligations, exit-and-substitutability planning, and incident notification duties flowing from the provider to the financial entity so that the entity can meet its own reporting deadlines.

This page summarises DORA's five pillars and explains the practical implications for VDR procurement by EU banks, asset managers, and insurers in 2026.

Last updated: May 2026.


The Five DORA Pillars

  1. ICT risk management. Comprehensive framework, governance, identification, protection, detection, response, recovery, learning.
  2. ICT-related incident reporting. Standardized classification, timely reporting to competent authorities.
  3. Digital operational resilience testing. Periodic testing including TLPT (threat-led penetration testing) for significant entities.
  4. ICT third-party risk management. Pre-contractual due diligence, contractual minimum content, ongoing monitoring, exit strategy.
  5. Information sharing arrangements. Voluntary information sharing on cyber threat intelligence.

Article 30 — Contractual Minimum Content for VDRs

Article 30(2) sets the contractual baseline for every ICT third-party arrangement; Article 30(3) adds further items (quantitative service-level targets, notice periods, contingency plans and security measures, participation in TLPT, unrestricted audit rights, exit strategies) where the service supports a critical or important function, which a VDR holding deal or client data usually does. Key items for VDR procurement:

  • Description of services and locations. Specify the data centres and sub-processors.
  • Service levels with defined SLAs and KPIs.
  • Audit and information rights for the financial entity, the competent authority, and the financial entity's auditor.
  • Cooperation with authorities in supervision, investigations, and resolution.
  • Notification of changes that may materially affect ICT services.
  • Termination rights without penalty in defined circumstances.
  • Exit strategy and transition assistance to prevent vendor lock-in.
  • Data return in an accessible format and deletion at end of services; in practice, with written evidence of deletion.
  • Insurance, sub-outsourcing, and security requirements.

Critical ICT Third-Party Provider Designation

The European Supervisory Authorities (EBA, ESMA, EIOPA) jointly designate critical ICT third-party service providers (CTPPs) under DORA. Designation places the provider under direct oversight by a Lead Overseer drawn from the ESAs; this sits on top of, and does not replace, the financial entity's own obligations towards that provider. The obvious candidates are the major hyperscale cloud providers and certain core financial-market infrastructure providers; a large VDR provider serving systemically important banks could fall in scope over time.


The Register of ICT Third-Party Arrangements

Article 28(3) requires every financial entity to maintain a register of information on all contractual arrangements for ICT services, distinguishing those supporting critical or important functions. The register must be available to the competent authority on request. Practically this means every VDR engagement, not only those holding regulated client data, is logged with provider identity, service description, contractual key terms, sub-processors, country of data storage, and criticality classification.


Incident Reporting Under DORA

Major ICT-related incidents must be reported to the competent authority (Article 19), which is why a VDR contract needs a provider-to-entity notification clause tight enough for the entity to classify and report in time. Reporting templates and deadlines are harmonized across the EU under regulatory technical standards. Significant cyber threats may be reported voluntarily.


Frequently Asked Questions

Does DORA apply to all VDR providers?

DORA itself binds financial entities. The VDR provider is bound through the financial entity's contractual flow-down. Where the provider is large enough to be designated a critical ICT third-party service provider, DORA's oversight regime applies directly.

Is DORA compatible with FINMA Circular 2018/3?

Yes for Swiss banks operating in the EU through subsidiaries — they apply both. Swiss-only banks apply FINMA Circular 2018/3; the Circular's substance is broadly aligned with DORA but not identical.

Can a non-EU VDR provider serve EU financial entities under DORA?

Yes. The financial entity must apply Chapter V GDPR transfer rules to any non-EEA data flow, record the country of data storage in its register, and observe the higher information, audit and oversight expectations. Where the provider is designated a CTPP and is established outside the EU, Article 31(12) requires it to set up an EU subsidiary within 12 months of designation; otherwise financial entities may no longer use its services.

What incident timeline does DORA require?

Three stages: an initial notification once the incident is classified as major, an intermediate report where the situation or available information evolves, and a final report after root-cause analysis. The RTS on incident reporting sets the initial notification at within 4 hours of classification and no later than 24 hours after the entity becomes aware of the incident, the intermediate report within 72 hours of the initial notification, and the final report within one month. Because the clock starts from the entity's awareness, the VDR provider's contractual notification deadline has to be shorter than these figures.