Industry Insights | 9 min read | March 6, 2026

DORA Compliance Is Here: Why Every SaaS Vendor Is Now a Regulatory Liability

Key Takeaways

  • DORA is live. As of January 17, 2025, EU financial services firms must manage ICT risk across every third-party provider — including every SaaS tool in your stack.
  • Each SaaS vendor = a compliance line item. You need contracts, risk assessments, exit strategies, and ongoing monitoring for each one. The average mid-size firm has 100+ SaaS subscriptions. That's 100+ third-party risk files.
  • Custom-built tools on your infrastructure eliminate third-party dependencies. Fewer vendors means fewer audits, fewer contracts to negotiate, and a simpler compliance posture.
  • This isn't just DORA. NIS2, GDPR, SOC 2, and the EU AI Act all get easier when you own your stack.

    What DORA Actually Requires

    The Digital Operational Resilience Act isn't a suggestion. It's binding regulation for banks, insurance companies, investment firms, payment processors, and crypto-asset service providers operating in the EU. Penalties for non-compliance include fines up to 1% of average daily worldwide turnover — per day — until the issue is resolved.

    Here's what DORA demands regarding your technology providers:

    1. ICT Risk Management Framework

    Every firm must maintain a comprehensive framework for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents. That framework must cover every system you depend on — including every SaaS tool your teams use.

    2. Third-Party Risk Management

    This is where it gets painful. DORA Article 28 requires financial entities to:

  • Maintain a register of all ICT third-party service providers
  • Conduct pre-contract due diligence on each provider
  • Include specific contractual provisions (data location, audit rights, exit clauses, subcontracting limits)
  • Perform ongoing monitoring and risk assessment
  • Have documented exit strategies for every critical provider

    3. Incident Reporting

    Major ICT incidents must be reported to competent authorities within 4 hours of classification. If a SaaS vendor goes down and it affects your operations, the clock starts ticking on your end — not theirs.

    4. Resilience Testing

    Firms must conduct regular testing of their ICT systems, including threat-led penetration testing. Good luck getting your SaaS vendor to participate in that.

    How SaaS Sprawl Makes DORA Compliance a Nightmare

    The average organization runs 130+ SaaS applications. In financial services, that number is often higher because of specialized tools for compliance, risk, reporting, and client management.

    Under DORA, every one of those tools is a third-party ICT provider. Every single one needs:

  • A risk assessment. How critical is this tool? What happens if it goes down? Where is the data stored? What's the vendor's incident response plan?
  • A compliant contract. Standard SaaS terms of service won't cut it. DORA requires specific contractual clauses around audit rights, data location, subcontracting, and exit provisions. Try getting Salesforce to renegotiate their standard agreement for your 50-seat deployment.
  • An exit strategy. For every critical provider, you need a documented plan for migrating away if the relationship ends. That means understanding data export capabilities, alternative providers, and transition timelines. For a SaaS tool you've used for five years with deeply embedded workflows, that exit plan is fiction.
  • Ongoing monitoring. Not a one-time check. Continuous assessment of the provider's risk profile, financial stability, and operational resilience.

    Multiply that by 100+ vendors. Now staff it.

    The Cloud Act Problem

    Here's a detail that makes European compliance officers lose sleep: the US CLOUD Act allows the US government to compel US-based SaaS providers to hand over data regardless of where it's stored. Your data might be in an EU data center, but if your SaaS vendor is headquartered in San Francisco, US authorities can demand access.

    Under DORA's data sovereignty requirements, that's a problem. It creates a direct conflict between your regulatory obligations and your vendor's legal obligations. And you're the one who gets fined.

    The Concentration Risk

    DORA explicitly addresses concentration risk — the danger of too many financial entities depending on the same ICT providers. When half the banking sector runs on the same handful of SaaS platforms, a single outage becomes a systemic risk. Regulators know this. They're watching.

    How Custom-Built Tools Simplify Compliance

    Here's the fundamental shift: a tool running on your own infrastructure is not a third-party provider.

    When you replace a SaaS tool with a custom-built alternative deployed on infrastructure you control, you eliminate an entire compliance line item. No third-party risk assessment. No contract negotiation. No exit strategy documentation. No ongoing vendor monitoring.

    The tool is yours. It runs on your servers (or your cloud account). You control the data, the access, the uptime, and the incident response.

    What This Looks Like in Practice

    Before (SaaS stack for a mid-size financial firm):

  • 12 SaaS vendors classified as critical ICT providers
  • 45+ SaaS vendors classified as important ICT providers
  • 60+ additional SaaS tools requiring basic risk assessment
  • Estimated compliance overhead: 2-3 full-time staff just for third-party ICT risk management

    After (replacing highest-risk SaaS with custom tools):

  • 4 critical ICT providers (down from 12)
  • 20 important ICT providers (down from 45+)
  • 30 additional tools requiring basic assessment (down from 60+)
  • Compliance overhead reduced by roughly 60%

    The math isn't complicated. Fewer vendors, fewer audits, fewer contracts, fewer exit strategies, fewer incident reports that start with "our vendor..."

    Data Sovereignty — Solved

    Custom tools on your infrastructure mean your data stays where you put it. No CLOUD Act conflicts. No guessing which AWS region your SaaS vendor actually stores data in. No hoping their subprocessor in a third country has adequate protections.

    You pick the data center. You control the encryption. You own the keys. DORA's data governance requirements become straightforward instead of adversarial.

    Incident Response — Your Timeline, Not Theirs

    When a SaaS tool goes down, you're at the mercy of the vendor's status page. Under DORA's 4-hour incident reporting window, "waiting for the vendor to respond" isn't an acceptable answer.

    With custom tools, your team owns the monitoring, the alerting, and the fix. You control the response timeline. You have the logs. You can demonstrate to regulators exactly what happened and what you did about it.

    Beyond DORA: The Broader Regulatory Case

    DORA isn't the only regulation that gets easier when you own your stack.

    [NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive) — Expanded cybersecurity requirements across a broader range of sectors. Same third-party risk management headaches. Same solution: fewer third parties, simpler compliance.

    GDPR — Data processor agreements, data protection impact assessments, cross-border transfer mechanisms. Every SaaS vendor is a data processor. Every custom tool on your infrastructure is one fewer processor to manage.

    SOC 2 — If your organization pursues SOC 2 certification, every third-party tool is a potential scope item. Auditors ask about vendor management. The fewer vendors you have, the cleaner the audit.

    EU AI Act — The newest regulatory burden. If your SaaS vendors embed AI features (and they all do), you may inherit compliance obligations for AI systems you didn't choose, don't control, and can't audit. Building your own tools means you decide if and how AI is used — and you can demonstrate that to regulators.

    The Cost Comparison

    "But custom tools cost more." Do they?

    A Core Replacement build runs $15K–$45K. Annual maintenance is typically 10–20% of the build cost. Over three years, you're looking at $21K–$63K.

    Now add up the compliance cost of managing that SaaS vendor for three years under DORA: risk assessments, contract renegotiation, exit strategy documentation, ongoing monitoring, incident response coordination. Conservative estimate: $15K–$30K per critical vendor per year in staff time and legal fees. That's $45K–$90K over three years — just for compliance. On top of the subscription fee.

    The custom build is cheaper before you even count the subscription savings.

    The Practical Path Forward

    You don't need to replace everything at once. Start with the tools that create the most compliance friction:

  • Audit your SaaS stack. Identify every tool, classify by criticality, and map the compliance burden for each. (Start with a free SaaS audit — we'll do this for you.)
  • Target the high-risk, low-complexity tools first. Internal admin dashboards, reporting tools, workflow automation, and form builders are typically the easiest to replace and carry disproportionate compliance overhead.
  • Build on infrastructure you control. Your cloud account, your data center, your rules. The tool runs where you decide.
  • Document the compliance benefit. When your regulator asks about third-party ICT risk management, "we reduced our third-party dependencies by 60%" is a very good answer.

    The SaaS tax is real and it's getting worse. But for regulated firms, the compliance tax on top of the SaaS tax is the part that should worry you. DORA didn't create the problem — it just made ignoring it illegal.

    Want to see which tools in your stack are creating the most regulatory exposure? Get your free SaaS audit. We'll map your third-party risk and show you where custom builds would simplify compliance.