DORA: what Mauritian ICT providers must deliver to their European financial clients

The EU's DORA regulation has applied since 17 January 2025 to nearly the entire European financial sector: banks, insurers, asset managers, payment institutions, fintechs. It does not directly regulate a Mauritian ICT provider — but it forces your clients to record you in a register, rewrite your contract, and prove that their resilience does not stop at your door. In 2026 the observation phase is closing, so it pays to know exactly what will be asked of you.
DORA in short, and why 2026 is the pivotal year
DORA (the Digital Operational Resilience Act) imposes four blocks of obligations on European financial entities: ICT risk management, major incident reporting, operational resilience testing and — the part that concerns you — managing the risks posed by third-party ICT service providers. Software vendor, hosting company, service centre, managed services provider, processing operator: if your service touches the information system of a European financial client, you are an ICT third party within the meaning of the text, and often a tier-1 ICT subcontractor in its mapping.
2026 brings a concrete tightening: supervisors are consolidating the Register of Information that every financial entity must keep on its providers. The European supervisory authorities set 30 April 2026 as the deadline for submitting registers as at 31 December 2025, and the first measures for non-compliance have been announced. The immediate result: your clients' compliance teams are right now chasing missing or inconsistent data — including yours.
One useful caveat: this article is an operational summary, seen from the infrastructure side; it is not legal advice.
The register of information: your identity sheet at every client
Each financial client must keep an exhaustive register of its ICT contractual arrangements. For every provider, it must be able to record:
- the precise identity of the contracting legal entity: registered name, country, identifiers;
- a description of the service and its link to the client's functions, especially whether they are "critical or important";
- where the service is delivered and where the data is processed and stored;
- your subcontracting chain: who hosts, who intervenes, from which country;
- possible alternatives and how hard it would be to replace you.
Expect very precise information requests, sometimes as spreadsheets to return within days. An incomplete or contradictory entry becomes your client's problem with its supervisor — and therefore a commercial problem for you. A standard register sheet, kept continuously up to date, turns this recurring chore into a formality.
The contract clauses you will have to accept
DORA imposes minimum contractual content for ICT services, reinforced when the service supports a critical or important function. The clauses that come up in every negotiation:
- a full description of the service, with measurable service levels;
- data processing locations, with prior notification of any change;
- incident notification: alerting the client within short deadlines and assisting them throughout the incident;
- access, inspection and audit rights for the client — and for its supervisor;
- subcontracting conditions: information, or even prior approval, regarding your own subcontractors;
- participation in the client's resilience testing, including advanced tests for critical functions;
- termination and exit strategy: the client must be able to leave without service disruption.
The golden rule is the same as for NIS2 questionnaires: never sign a notification deadline or an RTO your infrastructure has not demonstrably met. An untenable clause engages your liability at the worst possible moment.
Exit strategy and reversibility: the most negotiated point
This is often the most uncomfortable discovery: your client must document how it would do without you. The regulation requires an exit strategy for critical services, and your client will pass those requirements down to you: a written reversibility plan, data returned in usable formats, transition assistance for a defined period, and a deletion certificate at the end of the contract.
Paradoxically, handling reversibility well is a commercial argument. A provider that documents the exit inspires confidence at the entrance; one that locks clients in raises alarms. Standard architectures, documented exports and a genuinely tested disaster recovery plan are the best proof that your commitments are not theoretical.
Build your DORA file before it is demanded
Everything above converges on one deliverable: a permanent evidence file, ready to share. A pre-filled register sheet, standard contracts, dated DR test reports, an incident notification procedure with measured deadlines, a subcontractor map, a reversibility plan. Providers who already have it answer in days while their competitors answer in weeks — and in a sector where operational resilience has become a purchasing criterion, the difference shows in tenders. It is the kind of file a partner like SOVALYX builds and maintains with its clients: the infrastructure produces the evidence itself — exercise reports, monitoring metrics, incident logs.
Checklist: are you ready for the DORA wave?
- We know which of our clients fall within DORA's scope, and whether our service supports a critical or important function.
- Our register sheet is ready: legal entity, services, data processing locations, tier-2 subcontractors.
- Our incident notification deadlines are defined, contracted and achievable.
- Audit rights for the client and its supervisor are organised: scope, notice, hosting arrangements.
- Our DR plan is documented and tested, with reports dated within the last year.
- A written reversibility plan exists: return formats, transition assistance, data deletion.
- Our own critical subcontractors are listed, assessed and contractually managed.
- A named contact can answer DORA requests within days.
If your first DORA questionnaire has already arrived, the timeline is no longer in your hands: an operational compliance assessment lets you close the gaps before your client's next deadline.
How SOVALYX can help
SOVALYX helps Mauritian providers meet their financial clients' DORA requirements: a complete and accurate register entry, an automated disaster recovery plan with dated test reports, 24/7 monitoring under SLA to hold incident notification deadlines, and a documented reversibility plan. You arrive at the contract negotiation with measured evidence, not promises.
Talk compliance with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.