ThePolder News

I Started Tracking DORA Compliance Requests. The Pattern Is Clear.

TL;DR: DORA went live on January 17, 2025. Financial entities across the EU now face strict digital resilience requirements. The regulation flows downstream to their suppliers. Small businesses providing IT services to banks, insurance companies, or fintechs will see new contract terms, audit clauses, and incident reporting requirements in their agreements. You’re part of their compliance chain whether you’re ready or not.

Core Answer:

  • DORA covers over 22,000 financial entities across the EU, including banks, insurance companies, and investment firms
  • Financial entities must demand specific contractual terms from technology suppliers, including audit rights, data access provisions, and incident notification clauses
  • Small businesses providing IT services to financial institutions become part of their compliance risk
  • Financial entities must report major ICT-related incidents to regulators within 24 hours of detection
  • Suppliers must build incident response systems, business continuity plans, and audit readiness now

What Is DORA and Why Does It Matter for Small Businesses?

DORA went live on January 17, 2025. The Digital Operational Resilience Act covers over 22,000 financial entities across the EU. Banks, insurance companies, and investment firms face the same mandate: prove your digital operational resilience or face consequences.

The regulation doesn’t stop at banks. It flows downstream to every supplier, every vendor, every small business that touches a financial institution’s IT infrastructure.

I’ve been watching this shift in the Netherlands since mid-January. The pattern emerged fast.

How Does DORA Create Compliance Pressure for Suppliers?

DORA requires financial entities to maintain strict control over their ICT risk. They must demand specific contractual terms from every technology supplier:

  • Audit rights
  • Data access provisions
  • Exit strategies
  • Incident notification clauses

Suppliers outside the EU must accept these terms or lose their EU clients.

In the Netherlands, De Nederlandsche Bank and the AFM have been preparing the financial sector since 2023. DNB requires financial entities to submit their ICT registers by April 30, 2025.

This is enforcement infrastructure being built in real time. Not a soft deadline.

Bottom line: Financial entities transfer compliance obligations to their suppliers through contractual requirements.

What Are Small Businesses Seeing in Their Contracts?

Larger organizations now demand that their suppliers prove DORA-aligned compliance. Contract liability terms are changing. Financial institutions take ownership of compliance requirements and push them down the supply chain.

Expat entrepreneurs running micro and small businesses in the Netherlands provide IT services, software integration, data processing, or cloud infrastructure support to larger clients. They’re receiving contract amendments with new terms, new audit clauses, new incident reporting requirements.

The Hidden Liability

Financial entities must report major ICT-related incidents to regulators within 24 hours of detection. If you’re a supplier and your system fails, your client faces immediate reporting obligations.

You become part of their compliance risk.

Key insight: Your operational failure becomes your client’s regulatory problem within 24 hours.

What Is the Cybersecurity Reality for Small Businesses in Europe?

The timing is brutal. Small businesses in Europe face mounting pressure:

The gap between exposure and control is wide. DORA doesn’t create that gap. It exposes it.

The cybersecurity market for SMEs in Europe grows at 14.6% annually. Regulations like DORA and NIS2 expand coverage to businesses previously outside critical-infrastructure categories.

This creates pressure and opportunity. The pressure is real. The opportunity belongs to businesses that build structure early.

Reality check: Most small businesses lack strong cybersecurity controls while facing increasing attack frequency and regulatory scrutiny.

Does DORA Apply to You as an Expat Entrepreneur?

You’re not a financial entity. DORA doesn’t apply to you.

Wrong.

When you provide IT services to a bank, an insurance company, a fintech, or any entity under DORA’s scope, you’re part of their compliance chain.

What Your Clients Will Demand

Your clients will demand proof of:

  • Incident detection and response systems
  • Business continuity plans
  • Data backup and recovery protocols
  • Third-party risk management
  • Audit readiness

You can’t fake this. You can’t promise it. You must build it.

Direct impact: DORA applies to you through your client relationships, not through direct regulation.

What Controls Should You Install Now?

Reduce exposure before it becomes expensive. Install these controls:

1. Document Your Incident Response Process

Create a simple protocol: who gets notified, what gets logged, how you escalate, how you communicate with clients. Make it repeatable.

2. Separate Duties in Your IT Operations

One person should not approve, execute, and verify critical changes. Add a second approval step. Add a change log.

3. Test Your Backup and Recovery System

You need proof that your backups work. Schedule a recovery test. Document the result. Store it where auditors can find it.

4. Map Your Third-Party Dependencies

List every external service you rely on: cloud providers, SaaS tools, subcontractors. Identify what breaks if they fail. Build contingency plans.

5. Create an Audit Trail for IT Decisions

Record who made the decision, why, and when. This is not bureaucracy. This is proof that you have control.

Action step: These five controls create audit readiness and reduce your client’s compliance risk.
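The following is an added example, not part of the article and not code from any DORA-related tool, showing how three of these controls can be made concrete in a small supplier's own tooling: a second-person approval gate on critical changes (control 2), a backup-and-restore test that compares file hashes and records its outcome (control 3), and a hash-chained audit trail of who decided what, why, and when (control 5). All actor names, change identifiers, paths and sample files are constructed for illustration; persisting the trail to a location auditors can read is left to the caller.

```python
"""Added example (not from the article): minimal change-control, backup-test
and audit-trail helpers for a small IT supplier. Names and data are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time

GENESIS = "0" * 64  # previous-hash value used by the first audit entry


class AuditTrail:
    """Append-only log of IT decisions (control 5). Every entry commits to the
    hash of the entry before it, so editing or deleting an old record makes
    verify() fail."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, reason):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": time.time(), "actor": actor, "action": action,
                "reason": reason, "prev": prev}
        body["hash"] = self._digest(body)  # hash covers everything but itself
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def approve_change(trail, change, requester, approver, reason):
    """Second-person approval (control 2): the requester may not approve their
    own change. Both outcomes are written to the trail."""
    if approver == requester:
        trail.record(approver, f"REJECTED {change}", "self-approval is not allowed")
        return False
    trail.record(approver, f"APPROVED {change}", f"requested by {requester}: {reason}")
    return True


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_and_restore_test(src_dir, trail, actor):
    """Control 3: back up the files in src_dir, restore them to a fresh directory
    and compare SHA-256 hashes. Returns True only on a byte-for-byte match; the
    result is recorded in the trail either way so an auditor can find it."""
    files = sorted(n for n in os.listdir(src_dir)
                   if os.path.isfile(os.path.join(src_dir, n)))
    manifest = {n: sha256_file(os.path.join(src_dir, n)) for n in files}
    backup_dir = tempfile.mkdtemp(prefix="backup-")
    restore_dir = tempfile.mkdtemp(prefix="restore-")
    try:
        for n in files:
            shutil.copy2(os.path.join(src_dir, n), backup_dir)
        for n in files:  # restore from the backup copy, not from the source
            shutil.copy2(os.path.join(backup_dir, n), restore_dir)
        ok = all(os.path.isfile(os.path.join(restore_dir, n))
                 and sha256_file(os.path.join(restore_dir, n)) == h
                 for n, h in manifest.items())
    finally:
        shutil.rmtree(backup_dir, ignore_errors=True)
        shutil.rmtree(restore_dir, ignore_errors=True)
    trail.record(actor, "BACKUP_RESTORE_TEST",
                 f"{len(files)} files, result={'PASS' if ok else 'FAIL'}")
    return ok


def demo():
    """Constructed walk-through: one rejected self-approval, one valid approval,
    and one backup test on a throwaway directory holding two sample files."""
    trail = AuditTrail()
    work = tempfile.mkdtemp(prefix="work-")
    try:
        with open(os.path.join(work, "config.yaml"), "w") as f:
            f.write("service: billing-api\nreplicas: 2\n")  # constructed sample
        with open(os.path.join(work, "clients.csv"), "w") as f:
            f.write("id,name\n1,example-bank\n")  # constructed sample
        approve_change(trail, "CHG-0001 rotate TLS key", "alice", "alice", "cert expiry")
        approve_change(trail, "CHG-0001 rotate TLS key", "alice", "bob", "cert expiry")
        restore_ok = backup_and_restore_test(work, trail, "bob")
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return trail, restore_ok


if __name__ == "__main__":
    trail, ok = demo()
    print("restore test:", "PASS" if ok else "FAIL", "| trail intact:", trail.verify())
    for e in trail.entries:
        print(f'{e["actor"]:>6} {e["action"]:<32} {e["reason"]}')
```

The hash chain is what turns a change log into evidence: an auditor can recompute `verify()` and see that nothing was inserted, edited or dropped after the fact, which is the difference between "we keep a log" and "we can prove we have control".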

What Should You Do Next?

DORA is not a distant regulation. It’s active enforcement infrastructure. The banks and financial institutions you work with are adjusting their contracts now. They’ll demand proof of resilience from their suppliers.

Build structure now, or explain its absence later.

The system doesn’t read intentions. It reads proof.

Structure is cheaper than recovery.

Final decision: Build controls now or explain their absence when your client demands proof.

Frequently Asked Questions

When did DORA go into effect?

DORA went live on January 17, 2025. Financial entities across the EU must now comply with digital operational resilience requirements.

Does DORA apply to small businesses that are not financial entities?

DORA applies indirectly. When you provide IT services, software integration, data processing, or cloud infrastructure to banks, insurance companies, or fintechs, you’re part of their compliance chain. Your clients will demand proof of DORA-aligned controls.

What happens if a supplier’s system fails and impacts a financial entity?

Financial entities must report major ICT-related incidents to regulators within 24 hours of detection. Your operational failure becomes your client’s regulatory problem immediately.

What specific controls do financial entities demand from suppliers?

Financial entities demand incident detection and response systems, business continuity plans, data backup and recovery protocols, third-party risk management, and audit readiness.

What is the deadline for Dutch financial entities to submit ICT registers?

De Nederlandsche Bank (DNB) requires financial entities to submit their ICT registers by April 30, 2025.

How many financial entities does DORA cover?

DORA covers over 22,000 financial entities across the EU, including banks, insurance companies, and investment firms.

What percentage of small businesses experienced cyber attacks recently?

43% of SMBs in Europe experienced at least one cyber attack in the past 12 months. Ransomware attacks accounted for 87% of victims in early 2023.

Do suppliers outside the EU need to comply with DORA requirements?

Yes. Suppliers outside the EU must accept DORA-aligned contractual terms or lose their EU clients. The regulation applies to any supplier serving EU financial entities.

Key Takeaways

  • DORA went live on January 17, 2025, covering over 22,000 financial entities across the EU
  • Financial entities transfer compliance obligations downstream to technology suppliers through contractual requirements
  • Small businesses providing IT services to financial institutions face new audit clauses, incident reporting requirements, and liability terms
  • Financial entities must report major ICT-related incidents within 24 hours, making supplier failures immediate regulatory problems
  • 43% of European SMBs experienced cyber attacks in the past 12 months, but only 28% rate their threat mitigation as strong
  • Suppliers must build five core controls: incident response documentation, duty separation, backup testing, third-party dependency mapping, and audit trails
  • Structure is cheaper than recovery. Build controls now or explain their absence when clients demand proof