Skip to content
OS Domains
Industry

Email infrastructure for DORA-regulated entities.

EU banking and fintech email infrastructure is a regulated operational concern: under DORA, your email provider is an ICT third party supporting an important function, with prescribed contract terms (Article 30), audit rights and incident-reporting obligations. OS Domains serves EU financial-sector customers under custom Enterprise contracts that spell out the specific DORA provisions, the Register of Information entries and the exit terms, for credit institutions, e-money institutions, investment firms and payment providers that need email infrastructure their regulator will accept.

EU banking and fintech email infrastructure is a regulated operational concern, not a generic SaaS decision. DORA Article 30 prescribes contract terms; NIS2 Article 21 raises the bar on security risk management; ECB and EBA inspections review your third-party arrangements. We serve EU financial-sector customers under custom Enterprise contracts with the specific DORA provisions and audit rights spelled out — credit institutions in Austria and Germany, e-money institutions in Belgium, Ireland, Luxembourg, investment firms in France, Italy, Spain, payments providers in the Netherlands and Estonia.

If you are evaluating us as your transactional and security-alert email infrastructure, expect a 3-6 month procurement process. That is appropriate to the risk, and we provide a dedicated procurement support contact to keep it on track.

In short

  • Treated as an ICT third party under DORA: Article 30 contract terms, audit rights and subcontracting controls written into the contract.
  • DORA incident reporting runs on a fixed clock, and the email provider’s obligations sit inside that timeline.
  • We supply the Register of Information entries and the exit-and-portability terms before you need them.
  • One control set answers DORA, NIS2 (Article 21) and PCI DSS where they overlap on email.
  • EU-resident infrastructure under an EU entity, not a US hyperscaler, which is what an ECB or EBA inspection expects; expect a 3-6 month procurement.
Key numbers
EU banking customers
11
DORA Article 30 ready
Yes
Single-country residency
Available
Annual resilience attestation
Provided

Why is banking and fintech email a regulated concern?

For an EU bank, e-money institution, or licensed fintech, the email infrastructure that delivers transaction confirmations, fraud alerts, KYC notifications, and statement-ready emails is in scope for DORA (Digital Operational Resilience Act), in scope for NIS2 Article 21 as an "important entity" supplier, and routinely audited under EBA SREP and ECB on-site inspections. The infrastructure choices that work for a B2C SaaS do not work here, because the operational resilience, third-party risk management, and contractual provisions required by financial supervisors are specific and prescriptive.

What does DORA require from your email infrastructure provider?

DORA Article 30 mandates that contracts with ICT third-party service providers include specific provisions: complete description of services, locations of data and operations, service-level agreements, monitoring and reporting requirements, business continuity provisions, sub-contracting controls, audit rights, exit-and-portability rights. Article 28 requires that financial entities maintain a register of ICT third-party arrangements with specific information fields. Article 31 covers Critical ICT Third-Party Provider designation. We are not currently a CTPP (designation threshold is significantly above our customer footprint), but our standard Enterprise DPA addendum includes every Article 30(2) requirement and we provide the Article 28 register fields in a customer-portal export.

EU banking customers we currently serve.

We serve regulated EU financial-sector senders — credit institutions, e-money institutions, investment-services firms, and payment-services providers. They use us for combinations of transactional banking emails (statements, transaction confirmations), security alerts (fraud detection, login anomalies), regulatory communications (PSD2 SCA prompts, MiFID II disclosures), and operational notifications (compliance officer alerts, internal escalation). All under custom Enterprise contracts with the specific DORA Article 30 provisions and audit rights spelled out.

How does DORA incident reporting affect your email provider?

DORA requires you to classify a major ICT incident within 24 hours of becoming aware of it, then file an initial notification with your competent authority within four hours of that classification, an intermediate report within 72 hours, and a final report with root-cause analysis within one month. The clock starts at classification, not detection, so the classification decision itself has to be fast and documented. RTS 2024/1772 sets six criteria — clients affected, data losses, reputational impact, duration and downtime, geographic spread, and economic cost with a €100,000 threshold — and an incident is major when it crosses two of them, or one severely. Here is why that matters for an email provider. If transaction confirmations or SCA prompts stop arriving and you cannot tell whether the cause is your side or ours, you cannot classify, and the four-hour window is already running. Our incident handling for financial-sector customers is built to feed that window rather than compete with it: a named CSM contact within 30 minutes of detection, a written initial assessment within two hours, and a written incident report within 24 hours — the document you attach to your initial and intermediate filings. You file through your national authority signed with your own qualified eIDAS certificate; we supply the technical facts in the order the RTS 2025/301 template asks for them.

Transactional email is an ICT service supporting an important function.

A recurring mistake in fintech procurement is filing email under marketing tooling. Under DORA the test is functional: does the service support a critical or important function? Email that carries strong customer authentication prompts, fraud and login-anomaly alerts, payment confirmations, and statement delivery supports functions a supervisor will read as important, because a sustained delivery failure has direct customer and prudential impact. That places your email provider inside the third-party ICT arrangements Articles 28 and 30 govern — the same register and contract regime you apply to your core banking platform vendor, scoped to its actual risk. The practical consequence is that the agreement cannot be a click-through SaaS contract. It needs the Article 30(2) provisions: service description, data and processing locations, service levels, monitoring and reporting, business continuity, subcontracting controls, audit rights, and exit and portability terms. Our Enterprise DPA addendum carries each of these as standard clauses rather than as a per-customer negotiation, which is what keeps legal review to one or two rounds instead of a quarter of back-and-forth. We are equally clear about what we are not: we are not a Critical ICT Third-Party Provider, since that designation is made by the European Supervisory Authorities on systemic-importance grounds and our footprint is far below it. Your Article 30 obligations apply regardless of our CTPP status, so the terms are what matter, not the label.

What do you need for the DORA Register of Information?

DORA Article 28 requires every financial entity to keep a Register of Information describing its ICT third-party arrangements, and to submit it to the competent authority each year, with the deadline falling on 30 April. The register is not a free-text inventory. The European Supervisory Authorities publish a structured template with defined fields: provider legal identifiers including LEI, the function supported and whether it is critical or important, data and processing locations, the start and end dates of the arrangement, the subcontracting chain, and a substitutability assessment. Filling those fields for an email provider that hides its infrastructure behind a generic "global cloud" description is painful, because half the fields are unanswerable. We give financial-sector customers a portal export pre-mapped to the register fields: our legal entity and LEI, the precise EU datacenter locations in use for that account, the subprocessor list with roles, and the contractual start date. When your GRC team assembles the annual submission, the email row is filled from our export rather than reconstructed from old support tickets. It reads like a small thing until the 30 April deadline is two weeks out and the register has a blank where the email vendor should be.

Subcontracting controls, and the chain you are actually signing.

The 2024 RTS on subcontracting ICT services that support critical or important functions tightened what financial entities must know and control about their providers' own suppliers. You are entitled to see the subcontracting chain, to be notified of material changes before they take effect, and to object. For an email provider the chain is short but not empty: upstream connectivity, the CDN in front of the customer portal, the payments processor for billing, and any third-party seed or reputation data feeds. Our standard chain for financial-sector accounts is written into the DPA addendum rather than buried in a sub-processor page that changes without notice. Where a national supervisor restricts US-headquartered subprocessors for sensitive workloads, we can route around the usual US defaults with an alternate CDN and EU-only payments handling, for an additional €499 per month and roughly two weeks of setup. We would rather quote that honestly than pretend the default configuration already satisfies a residency restriction it does not.

How do DORA, NIS2 and PCI DSS overlap on email?

Most regulated senders are not subject to DORA alone. NIS2 Article 21 adds supply-chain security and incident-handling obligations for important and essential entities, and a bank email supplier is part of that supply chain. PCI DSS v4.0 made DMARC handling a requirement for organizations that process payment-card data, which pulls email authentication into the cardholder-data conversation. The useful part is how much these regimes share. One set of controls — enforced DMARC at p=reject, EU-pinned processing, documented incident timelines, an audited subprocessor chain, and annual resilience evidence — answers the email-relevant parts of all three at once. We structure the financial-sector account so the same artifacts serve each filing: the resilience attestation we produce every January maps to DORA testing and reporting expectations, supports the NIS2 risk-management narrative, and gives your PCI assessor the email-authentication evidence in one place. The point is to stop the same questions being answered three times, in three formats, for three different auditors.

What breaks when a regulated bank uses a US hyperscaler for email?

The honest comparison is worth making, because procurement teams ask for it. SendGrid, Amazon SES, Mailgun, and Postmark are competent senders, and for an unregulated consumer product they are reasonable defaults. The problem inside a regulated EU financial entity is structural rather than technical. Each runs under a US corporate parent, which makes Schrems II a live transfer question your DPO has to document rather than wave away, and which keeps the CLOUD Act and FISA 702 in scope for your transfer impact assessment. Their standard contracts are click-through and do not carry DORA Article 30(2) provisions; getting those terms added, where it is possible at all, becomes a custom negotiation their legal team is not built to move quickly. Support is tiered and ticket-based, which is fine for a configuration question and a poor fit when a four-hour DORA clock is running and you need an engineer who knows what a DKIM selector is and what happens when an IP lands on a Spamhaus list. None of this makes those providers bad. It means the regulatory and operational profile of a supervised financial entity is a different problem from the one they were built to solve, and the migration we see most often is a bank moving its regulated, customer-facing streams to EU infrastructure while leaving low-risk internal mail where it already is.

Exit and portability, written down before you need it.

DORA Article 30 and the EBA outsourcing guidelines both require that a contract for an important function spells out an exit strategy: how you get your data and operations back, and how you move to another provider or in-house, without an unacceptable continuity gap. For email that means three concrete things. Your sending domains and DKIM selectors stay yours and move with you. Your suppression lists, templates, and historical event data export in open formats. And the reputation you built on dedicated IPs does not evaporate on the way out. Our standard financial-sector contract documents a 90-to-180-day exit window with defined handover steps: a full export of configuration and data, a parallel-run period where the incoming provider warms its own IPs while we keep delivering, and a documented cutover. We put this in writing at signing rather than at termination, because an exit clause negotiated while you are already leaving is worth very little. A supervisor reviewing your third-party arrangements will ask to see the exit plan, and you should be able to hand it over without drafting it on the spot.

How we solve it

The specific capabilities that matter for this use case.

01

Single-country EU data residency

Pin all data and processing to a specific EU country (Austria, Germany, France, Netherlands, Ireland, Belgium, Italy, Spain) and prohibit any non-EU PoP routing. Required by some national banking regulators.

02

DORA Article 30 contract terms

Our Enterprise DPA addendum includes complete Article 30(2) provisions: detailed service description, monitoring, BCP, sub-contracting, audit rights, exit assistance, data portability. Customer legal teams typically need 1-2 review rounds.

03

Annual operational resilience attestation

For financial-sector customers, we produce a written attestation each January describing: prior-year incident summary, capacity utilization, BCP test results, security incident summary. Suitable for inclusion in your regulatory filings.

04

Audit rights with NDA

Annual on-site audit rights for Enterprise customers, plus access to ISO 27001:2022 control-mapping evidence, pre-certification control evidence (SOC 2 criteria), penetration test summary, and Transfer Impact Assessments under NDA.

05

Custom escalation paths

Named CSM and named technical account manager with 30-minute response in incidents. Direct phone line to engineering on-call during regulatory inspections or supervisory reviews. War-room call within 1 hour for material incidents.

06

Statement-ready email rendering

Customer-portal templates support precise typographic and accessibility requirements for statement-ready emails: WCAG 2.2 AA-compliant tables, locale-correct currency and date formatting, machine-readable structured data for downstream parsing.

07

Incident comms wired to the DORA clock

Named-CSM contact within 30 minutes of detection, a written assessment within two hours, and a 24-hour written incident report, timed to feed the four-hour initial notification and 72-hour intermediate report you owe your competent authority.

08

Register of Information export

A portal export pre-mapped to the DORA Article 28 register fields: our legal entity and LEI, the EU datacenter locations in use for your account, the subprocessor chain, and contractual dates. It drops into your 30 April submission.

09

Reports in template order

You file with your national authority using your own qualified eIDAS certificate. We supply the technical facts in the order the RTS 2025/301 template asks for them, so the form fills without a reconstruction exercise.

Common challenges

What we see go wrong, and how we fix it.

Customer onboarding through bank procurement

EU bank procurement runs 3-6 months for a new ICT vendor. The path we have learned to navigate: 1 month for technical assessment, 1 month for security questionnaire and audit report review, 1 month for legal redlines and DPA negotiation, 1 month for board-level sign-off. We do not push back on this timeline because it is appropriate to the risk; we provide a dedicated procurement support contact to keep it moving.

Regulator-driven sub-processor restrictions

Some national supervisors restrict use of US-headquartered sub-processors for sensitive workloads. We can route around Cloudflare and Stripe for customers who need it (alternate CDN and EU-only payments), but it adds €499/month and 2 weeks of setup.

Statement email accessibility under EAA

The European Accessibility Act Article 4 brings consumer-facing banking communications in scope. Statement-ready emails must be WCAG 2.2 AA accessible — tables readable by screen readers, color contrast, semantic structure. We provide template patterns that pass the EAA bar; banks who rolled their own templates often need to redo them.

Classifying an email incident inside four hours

The DORA clock starts at classification, and an email delivery failure is hard to classify when you cannot yet see whether the cause is your configuration or the provider. Our written initial assessment within two hours exists so your classification decision is informed before the four-hour notification window closes.

FAQ

Questions we get the most.

01

Are you a Critical ICT Third-Party Provider (CTPP) under DORA?

No. The CTPP designation is decided by the European Supervisory Authorities based on systemic importance criteria (concentration risk across financial entities, substitutability). Our footprint of regulated financial-sector customers is well below the threshold for CTPP designation. We provide DORA-compatible contract terms regardless because individual financial-entity customers are still subject to Article 30 requirements when contracting with us.

02

Can we audit you on-site?

Yes. Enterprise customers in financial services have annual on-site audit rights, scheduled with 30 days notice, conducted during business hours, with auditors under NDA. Most customers exercise this via desk audit (reviewing our ISO 27001 control-mapping evidence, pre-certification control evidence (SOC 2 criteria), BCP test results, and security questionnaire responses) rather than physical on-site, but the on-site option is available.

03

Do you support data residency in our specific country?

Yes for Austria, Germany, France, Netherlands, Ireland, Belgium, Italy, Spain. Add €499/month for single-country residency configuration. For other EU countries, we can typically accommodate with custom datacenter selection during onboarding — talk to sales.

04

What is your incident notification SLA to financial-sector customers?

Named-CSM contact within 30 minutes of incident detection. Detailed initial assessment within 2 hours. Written incident report within 24 hours (this is the document you would attach to a regulatory incident notification under DORA Article 19). Final RCA within 5 business days, more detailed than our public RCAs because financial sector customers need the depth.

05

Can you provide a Letter of Comfort / Statement of Reliance for our regulators?

Yes, on a case-by-case basis and after legal review. We do not issue blanket letters of comfort that financial supervisors sometimes ask for (committing to specific behaviors beyond contract terms), but we have negotiated specific assurance letters for several customers — DPO conferences with our DPO, written confirmation of specific operational practices, annual attestations on resilience measures.

06

What are the DORA incident reporting timelines, and where do you fit?

Classify a major incident within 24 hours of awareness, file an initial notification within four hours of that classification, an intermediate report within 72 hours, and a final report within one month. The clock starts at classification, not detection. Our role is upstream of yours: a 30-minute named-CSM contact, a two-hour written assessment, and a 24-hour incident report. You file with your competent authority using your own qualified eIDAS certificate.

07

Is transactional email actually in scope under DORA?

When it carries SCA prompts, fraud alerts, payment confirmations, or statements, yes. It supports functions a supervisor reads as important, which puts the provider inside the Article 28 register and the Article 30 contract regime. Email used purely for low-risk internal messaging is a lighter case, and we scope the contract to the actual risk rather than applying the heaviest terms to every message.

08

Do you help populate our Register of Information?

Yes. We provide a portal export pre-mapped to the Article 28 register fields: legal entity and LEI, EU processing locations for your account, the subprocessor chain, contractual dates, and the critical-or-important classification of the function. It is built so the email row of your 30 April submission comes from our data rather than from manual reconstruction.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment