DORA Compliance: How Platform.sh supports our financial services customers

The Digital Operational Resilience Act (DORA) is set to reshape how financial institutions in the EU manage and contract with their technology providers. Since January 17, 2025, DORA requires financial entities to meet stricter rules for managing digital risks, especially when it comes to the third-party ICT (Information and Communication Technology) service providers they rely on.

While Platform.sh is not directly subject to DORA–we are a Platform-as-a-Service (PaaS) provider, not a regulated financial entity, some of our customers are, and for them, the new regulation creates real contractual and operational obligations.

We are ready to help!

Why DORA matters to you and how we support it

DORA was introduced to strengthen the financial services industry’s ability to withstand IT-related disruptions. It applies not just to outsourcing, but to all ICT services. This includes cloud platforms like Platform.sh, where our infrastructure and deployment automation plays a key role in the digital delivery chain for banks, insurance firms, investment funds, and other financial entities.

One of DORA’s central requirements is that contracts with third-party ICT service providers must contain specific clauses to help financial entities manage digital risk, maintain oversight, and cooperate with regulators. These provisions vary depending on whether the ICT services are deemed to support “critical or important functions.”

To assist our customers in meeting these new expectations, our legal team has prepared a DORA Contractual Addendum. This addendum aligns with requirements under Articles 28 and 30 of DORA and reflects the key areas DORA covers, including service levels, data handling, subcontracting, termination rights, and incident response.

This DORA Contractual Addendum is available upon request and is designed to easily integrate with our standard agreements, helping customers close any regulatory gaps quickly and without unnecessary complexity.

Do Platform.sh services support a “critical or important function”?

One of the distinctions DORA introduces is between standard third-party ICT services and those that support “critical or important functions.” These are functions where a disruption could severely impact a financial entity’s ability to operate or remain compliant with applicable laws.

At Platform.sh, our default is that our services will not necessarily fall into this category. That said, we understand that each customer’s setup is unique. If you believe our platform supports critical or important functions within your organization, we’re happy to have that conversation. We will work with you to ensure the DORA Addendum reflects the heightened standards required for such services.

What you need to do

For our part, Platform.sh is committed to being a proactive and responsible partner. If you’re an existing customer and need DORA-compliant terms, your account manager or legal contact can provide you with our DORA Contractual Addendum.

Together, we’ll ensure your digital operations remain resilient, compliant, and ready for the future.

For questions or to request the Dora Contractual Addendum, kindly contact us via Support, or by visiting the Platform.sh Trust Center to contact customer care.