Skip to content
OS Domains
Regulation

DORA Article 30 compatible, in force since January 2025.

OS Domains supports DORA-regulated financial entities (Regulation (EU) 2022/2554) as a non-critical ICT third-party arrangement: every Article 30(2) contractual provision is standard in the Enterprise financial-sector DPA addendum, and the Article 28 register fields export in a form a customer folds straight into its Register of Information. The provider is not a designated Critical ICT Third-Party Provider and does not approach the threshold, serving eleven EU financial-sector customers across eight member states. For incident reporting the customer follows DORA rather than the NIS2 cascade, and OS Domains supplies the technical facts, a forensic timeline, and an annual operational-resilience attestation the customer can lift into its regulatory filing.

DORA (Regulation (EU) 2022/2554) entered enforcement on 17 January 2025 for EU financial entities — credit institutions, payment institutions, e-money, investment firms, insurance, crypto-asset service providers. Article 30 prescribes the contractual provisions financial entities must include in ICT third-party arrangements. Our Enterprise DPA addendum for financial-sector customers includes every Article 30(2) provision as standard. We are not a Critical ICT Third-Party Provider at current scale; customers do not need us to be CTPP for DORA compliance.

If you are evaluating us as a financial entity, expect 3-6 month procurement including 1-2 rounds of Article 30 legal review. We have a financial-sector legal counsel who handles the customizations.

In short

  • Every Article 30(2) contractual provision is standard in the Enterprise financial-sector DPA addendum, so customer legal teams review rather than redraft — typically 1–2 rounds.
  • Article 28 register fields (contract type, services, data categories, processing locations, criticality, term dates, subcontracting) export to fold straight into the Register of Information, which the 2026 cycle cross-checks automatically against incident history.
  • Not a designated Critical ICT Third-Party Provider and below the threshold: eleven EU financial-sector customers across eight member states, keeping the email leg outside the CTPP oversight chain.
  • Incident reporting follows DORA as lex specialis under NIS2 Article 4(1): the customer classifies and files, while OS Domains supplies the facts and, on Enterprise, a forensic timeline.
  • Exit is tested rather than promised: JSON/CSV export via portal and API, a 90-day post-termination grace period, and migration assistance, so a financial customer documents a rehearsed transition for its register.
Key numbers
DORA in force since
2025-01-17
Article 30 provisions
In our DPA
Our CTPP status
Not designated
Financial customers
11 EU entities

What is DORA, and why does it matter for email infrastructure?

DORA (Regulation (EU) 2022/2554 — Digital Operational Resilience Act) entered enforcement on 17 January 2025 and applies to financial entities across the EU: credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and others. It mandates a uniform framework for ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. For an email infrastructure provider serving DORA-regulated entities, the most operationally relevant articles are Article 28 (ICT third-party risk management framework), Article 30 (key contractual provisions), and Article 31 (Critical ICT Third-Party Provider — CTPP — designation).

Our CTPP status.

Article 31 establishes a process for the European Supervisory Authorities (ESAs) to designate ICT third-party service providers as "Critical" based on systemic-importance criteria: substitutability, concentration risk across financial entities, severity of potential impact on continuity of services. We are not currently a CTPP and we do not anticipate designation at current scale — the threshold for CTPP designation requires significantly larger market presence than our EU financial-sector customers. Customers do not need us to be a CTPP for them to use us under DORA; Article 30 contractual provisions apply to all ICT third-party arrangements, CTPP or not.

Which Article 30 contractual provisions do you include?

Article 30(2) prescribes specific contractual provisions for ICT services supporting "critical or important functions" of a financial entity. Our standard Enterprise DPA addendum for financial-sector customers includes each: (a) complete description of all services with locations of data and operations; (b) detail of data accessed, types of data, locations of processing; (c) availability and integrity provisions including SLA; (d) access to data in case of insolvency or resolution; (e) accessibility, recovery, return of data in structured format on termination; (f) service-level descriptions with monitoring and corrective action; (g) assistance with ICT incidents at no additional cost; (h) cooperation with competent authorities including resolution authorities; (i) termination rights including assistance during transition; (j) participation in our ICT-security training (when applicable); (k) audit and inspection rights; (l) exit strategy supporting orderly transition.

Where does DORA enforcement stand in 2026?

DORA has applied since 17 January 2025, and 2026 is the year supervision turned from guidance into examination. On 18 November 2025 the three European Supervisory Authorities published the first official list of nineteen Critical ICT Third-Party Providers, naming the hyperscale cloud providers AWS, Microsoft Azure, and Google Cloud alongside platforms such as IBM, Bloomberg, the London Stock Exchange Group, Tata Consultancy Services, and Orange. Those firms now sit under direct oversight by Joint Examination Teams led by one of the ESAs. The posture for everyone else is enforcement-oriented: regulators are examining financial entities for evidence of compliance rather than accepting remediation plans, and the first Register of Information submission cycle in the first quarter of 2026 was the first hard test. The cautionary figure comes from the 2024 dry run, where only about 6.5% of nearly a thousand firms passed all of the data-quality checks, and national authorities are now cross-referencing submissions automatically, flagging providers that appear in incident histories but are absent from the register and sub-outsourcing chains claimed not to exist. We are not a Critical ICT Third-Party Provider and do not approach the designation threshold, but we are an ICT arrangement that a financial customer has to enter in its register correctly, and the value we add is supplying the exact fields so the customer's submission survives the cross-check rather than becoming a supervisory follow-up.

What is the Register of Information, and how is your data cross-checked?

Article 28(3) requires every financial entity to maintain a register of its ICT third-party arrangements and submit it annually to its national competent authority, and DORA standardized the format down to fifteen templates rendered in xBRL-CSV. The 2026 cycle covers arrangements as they stood on 31 December 2025, and the submissions face more than a hundred automated data-quality checks. What changed the stakes is that authorities are no longer reading these registers in isolation: they cross-reference them against incident-reporting history and against each other, so a provider that shows up in a breach notification but not in the register, or a sub-outsourcing chain a firm claims is empty when the provider clearly relies on subcontractors, surfaces as an inconsistency that invites a closer look. We make our entry easy to get right by exporting the specific register fields — contract type, the services provided, the categories of data, the locations of processing, the criticality classification, the term dates, and the subcontracting summary — in a form a customer can fold straight into its register. The register is meant to describe reality, and the email leg is one row in it; our job is to make that row accurate enough that it passes the quality checks rather than triggering the follow-up that an incomplete submission now reliably produces.

Critical Third-Party Provider designation, and what it means that we are not one.

Article 31 lets the ESAs designate an ICT provider as critical based on the systemic impact of its failure, the degree of financial-sector dependence on it, its substitutability, and the concentration of reliance across firms. The first nineteen designations went to the providers the sector cannot easily route around, and a non-EU provider that gets designated has to establish an EU subsidiary to be overseen. A lead overseer — the EBA, EIOPA, or ESMA — can then request information, run investigations, carry out on-site inspections under Article 35, and impose periodic penalty payments of up to 1% of average daily worldwide turnover for non-cooperation. We are nowhere near that threshold, with eleven EU financial-sector customers spread across eight member states, and we do not anticipate designation at our scale. The part that matters for a customer is the inheritance effect: a financial entity relying heavily on a designated provider has to document that dependency in its register and assess the concentration risk, and it may receive information requests from the ESAs as part of overseeing that provider. Keeping the email leg on a non-designated EU provider keeps that leg outside the CTPP oversight chain, which is one fewer dependency a financial customer has to carry into the concentration-risk analysis its supervisor will scrutinize.

Which Article 30 clauses do customers actually negotiate?

Article 30(2) prescribes the contractual provisions a financial entity must secure for ICT services supporting critical or important functions, and our Enterprise financial-sector addendum includes each of them as standard. The clauses that draw real negotiation are a predictable few. Audit and inspection rights get tightened so the financial entity and its competent authority can examine the arrangement directly rather than relying on a summary. Subcontracting controls get sharpened, often into a specific veto right over the addition of a US-headquartered sub-processor, which DORA permits and which the ESAs reinforced through the March 2025 amendments to the subcontracting technical standard. The data-access provisions for insolvency or resolution get scrutinized, because a resolution authority needs to reach the data if the financial entity fails. And the exit strategy with transition assistance is examined closely, since a clause promising orderly exit is only as good as the migration path behind it. We hold these positions in standard language rather than treating them as concessions, because a financial-sector legal team that has to redraft the basics from scratch is a procurement that runs months longer than it needs to, and the clauses DORA mandates are not the place to be creative.

Exit strategy and the tested transition plan DORA now expects.

DORA does not let an exit clause sit on paper untested. For critical or important arrangements a financial entity is expected to maintain a documented and tested transition plan, so the question a supervisor asks is not whether the contract permits exit but whether the firm has demonstrated it can actually leave. That shifts the burden onto the provider to make exit credible rather than theoretical. We support it concretely: structured data export in JSON or CSV through the portal and the API at any time, a ninety-day post-termination grace period during which access continues, and active migration assistance through the Migration Service, including validated paths back to the providers a customer might return to. The same bridge-migration discipline that brings a customer onto the platform without losing reputation works in reverse to take them off it, which is the point — an exit that would crater deliverability is not a real exit. A financial customer can therefore enter the arrangement having seen how it would leave, and document that tested transition for the register rather than promising one it has never rehearsed. The credibility of the exit is part of what a supervisor weighs when judging whether the dependency is well governed.

How does incident reporting differ under DORA versus NIS2?

DORA sets its own incident regime, and for a financial entity it governs rather than the NIS2 cascade. Articles 18 and 19 require a financial entity to classify ICT-related incidents against criteria of severity — clients affected, data losses, duration, geographic spread, economic impact — and to report a major incident to its competent authority in stages: an initial notification, an intermediate report as the picture firms up, and a final report with root cause. The timelines and the templates differ from the NIS2 24-hour early warning, and because DORA is lex specialis a financial entity follows the DORA route for the obligations the two frameworks share. Our part is to supply the technical and operational facts your team needs to classify an incident and populate each report: what happened, what data and which services were touched, the timeline, and the active mitigations. For Performance and Enterprise customers we coordinate the incident response directly, sharing a forensic timeline your analysts can lift into the regulatory report. The classification decision and the filing remain yours, because the significance threshold is judged against your client base and your function, but the facts that decision rests on come from our incident documentation rather than from guesswork under deadline pressure.

Personal liability and public disclosure raise the procurement bar.

DORA carries consequences that reach individuals and reputations, not only corporate balance sheets. Financial entities face penalties up to 10% of annual global turnover or €10 million for serious breaches, individual senior managers can be fined up to €1 million in personal liability, and non-compliance decisions can be publicly disclosed, which adds a reputational cost on top of the financial one. That combination is why financial-sector procurement of an email provider runs long and asks hard questions: the people signing off carry personal exposure, and a vague vendor answer is a risk they own individually. We meet that scrutiny with evidence rather than reassurance — the Article 30 addendum in standard form, the register-field export, the annual operational-resilience attestation describing the prior year's incidents and continuity tests, and the incident-coordination commitment. The attestation matters because it lets a financial customer show its supervisor a dated, written account of how the email dependency behaved over the year rather than a snapshot assembled the week before an audit. When the downside includes a named manager's personal liability, the provider that hands over documentation a person can stand behind is the one that clears procurement, and the provider that offers confidence without artifacts is the one that stalls in legal review.

Threat-led penetration testing against shared infrastructure.

Larger financial entities are subject to threat-led penetration testing under Articles 26 and 27, run to the TIBER-EU framework on a multi-year cycle, and that testing reaches the providers their critical functions depend on. The complication for any multi-tenant platform is that a test scoped to one customer's account inevitably touches infrastructure other customers rely on, so it cannot be allowed to run unbounded. We coordinate with the customer's testing provider — typically a firm certified under TIBER-EU or an equivalent national scheme — to scope the engagement to the account-specific surface, agree the testing windows in advance, and operate inside the authorization framework the financial entity holds from its competent authority or the relevant ESA. The controls exist so that a legitimate resilience test does not become an availability incident for unrelated customers, and so that the financial entity gets a real assessment of the parts of the platform its functions actually use. We have supported this cooperation for two financial-sector customers without disruption, which is the kind of reference a procurement team values more than a policy statement, because it shows the process has survived contact with an actual test rather than living only in a contract clause.

How we solve it

The specific capabilities that matter for this use case.

01

Article 30 contract terms in our Enterprise DPA

Every Article 30(2) provision is included as standard in our Enterprise financial-sector DPA addendum. Customer legal teams typically need 1-2 review rounds rather than redrafting from scratch.

02

Article 28 register fields export

Article 28(3) requires financial entities to maintain a register of ICT third-party arrangements. We provide the specific information fields (contract type, services, data categories, location, criticality, dates, subcontracting) in a portal export suitable for inclusion in your register.

03

Annual operational resilience attestation

Each January we produce a written attestation describing prior-year incidents, capacity utilization, BCP test results, security incident summary. Suitable for inclusion in your DORA regulatory filings.

04

Threat-led penetration testing (TLPT) cooperation

For financial entities subject to TLPT under DORA Article 26, we cooperate with testing activities affecting our infrastructure, subject to advance scheduling and authorization controls.

05

ICT incident classification cooperation

For DORA Article 18 incident classification (major ICT-related incident, significant cyber threat), we provide the technical and operational data your team needs for classification. Joint incident-response coordination on Performance and Enterprise tiers.

06

Exit and portability with structured data export

Article 30(2)(e) requires accessibility and structured export of data on termination. We provide JSON and CSV export via portal and API at any time, plus a 90-day post-termination grace period and migration assistance via the Migration Service.

Common challenges

What we see go wrong, and how we fix it.

Concentration risk reporting

Article 28(3) requires financial entities to report concentration risk to their competent authority. Our EU financial-sector customers span credit institutions, e-money, investment firms, and payments providers across several Member States — concentration is low. We provide a concentration-risk summary on request showing aggregate customer-by-sector breakdown without identifying individual customers.

Subcontracting controls under Article 30(2)(g)

DORA requires specific terms around subcontracting (called "sub-processing" in GDPR terminology). Our DPA addresses this with: (1) the public sub-processor list at /dpa#sub-processors, (2) 30-day advance notice on material changes with objection right, (3) flow-down of equivalent obligations to sub-processors. Financial-sector customers can negotiate tighter subcontracting controls including specific veto rights on US-headquartered sub-processors.

TLPT scheduling complications

Threat-led penetration testing under DORA Article 26-27 affects shared infrastructure. A TLPT against one customer's account would necessarily touch our infrastructure that other customers depend on. We coordinate with the customer's TLPT contractor (typically a TIBER-EU certified firm) to scope testing to specific accounts without affecting other customers, with the financial entity's and ECB / ESA's authorization framework.

A designated CTPP in your stack becomes your reporting burden

When a financial entity relies on one of the nineteen designated Critical ICT Third-Party Providers, it has to document that dependency in its Register of Information, assess the concentration risk, and may field information requests from the ESAs overseeing that provider. The dependency does not have to be direct: a provider built on a designated hyperscaler can pass the exposure down. Keeping the email leg on a non-designated EU provider is one dependency fewer to carry into the concentration analysis a supervisor will examine.

An incomplete Register entry now triggers supervisory follow-up

The first Register of Information cycle in 2026 is being cross-referenced automatically, so a vendor row that is missing, inconsistent with incident history, or silent about a subcontracting chain that plainly exists draws a closer look. The exposure sits with the financial entity that filed it, not with the vendor. We reduce it by exporting the precise register fields in a form that matches what we actually do, so the email arrangement is one row that passes the quality checks rather than one that invites the follow-up.

FAQ

Questions we get the most.

01

Are you a Critical ICT Third-Party Provider (CTPP)?

No. CTPP designation is decided by the ESAs based on systemic-importance criteria including concentration risk across financial entities and substitutability. Our EU financial-sector customers and overall scale are well below the threshold for CTPP designation. Customers do not need us to be a CTPP for DORA compliance — Article 30 contractual provisions apply to ICT third-party arrangements regardless of CTPP status.

02

Can your Article 30 provisions be customized for our specific competent authority?

Yes on Enterprise. Different competent authorities (ECB, EBA, EIOPA, ESMA, national authorities like BaFin, ACPR, FCA-after-Brexit) sometimes prefer specific contractual wording. Our financial-sector legal counsel reviews your competent authority preference and adjusts the Article 30 addendum accordingly. Typical adjustment cycle: 2 review rounds over 3-4 weeks.

03

How does the Article 28 register relate to our procurement record?

Article 28(3) requires a specific format for ICT third-party arrangements: contract reference, services, data, location, criticality classification, term dates, subcontracting summary. We provide each field via a portal export. Your procurement record may be more comprehensive; the DORA register is a subset of typical procurement records.

04

What is your TLPT cooperation policy?

For Threat-Led Penetration Testing under DORA Article 26, we cooperate subject to: (a) TLPT contractor is TIBER-EU certified or equivalent national framework, (b) testing scope is documented in advance, (c) testing windows are pre-scheduled and limited to your account-specific surface area, (d) financial entity provides the ESA/competent authority authorization documentation. We have supported TLPT cooperation for two financial-sector customers so far without incident.

05

Do you participate in the DORA Threat Intelligence Sharing Platform?

Not directly as a participant — that platform is for financial entities. We do share threat intelligence relevant to email infrastructure attacks with the broader email-operations community through M3AAWG channels and via direct customer notification when we observe attacks targeting one of our customers that may affect others.

06

Did DORA designate any Critical ICT Third-Party Providers, and are you one?

The ESAs published the first list of nineteen Critical ICT Third-Party Providers on 18 November 2025, naming the major cloud and platform providers the financial sector depends on systemically, including AWS, Microsoft Azure, and Google Cloud. We are not on it and do not approach the designation threshold, with eleven EU financial-sector customers across eight member states. You do not need us to be a CTPP for DORA compliance — the Article 30 contractual provisions apply to all material ICT third-party arrangements regardless of designation.

07

What do you provide for our Register of Information submission?

A portal export of the specific register fields DORA requires — contract type, services, data categories, locations of processing, criticality classification, term dates, and subcontracting summary — in a form you can fold into your register. The 2026 cycle covers arrangements as of 31 December 2025 and faces automated quality checks that cross-reference your submission against incident history, so the accuracy of each row matters. We keep our export consistent with what we actually do so the email arrangement passes the checks rather than flagging an inconsistency.

08

Does DORA or NIS2 govern our incident reporting if we are a financial entity?

DORA, for the obligations the two frameworks share, because it is lex specialis under NIS2 Article 4(1). You classify ICT-related incidents against the DORA severity criteria and report a major incident to your competent authority in an initial, intermediate, and final sequence rather than through the NIS2 24-hour cascade. We supply the technical and operational facts your team needs to classify and report, and for Enterprise customers we coordinate the response and share a forensic timeline you can lift into the regulatory filing.

Ready to talk

Schedule a 45-minute architecture call with an engineer.

No salesperson, no commission, no qualification rounds. Tell us what you are trying to do, we tell you whether we are a fit, and you walk away with a recommendation either way.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment