Digital Operational Resilience Act
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2025. It sets mandatory requirements for how financial entities and their ICT service providers manage technology risk, respond to incidents, test operational resilience, and govern third-party technology dependencies.
DORA applies directly to regulated financial entities operating in the EU, including crypto-asset service providers (CASPs), banks, payment institutions, investment firms, custodians, and trading venues. It also places specific obligations on ICT third-party service providers that deliver critical technology services to those entities.
For digital asset businesses, DORA raises the bar for how you select, contract with, and oversee your technology vendors, including your compliance infrastructure providers.
Does DORA Apply to Your Business?
DORA applies to you if you are a regulated entity operating in the EU, including:
Crypto-asset service providers (CASPs) authorised under MiCA
VASPs and other regulated digital asset businesses
Payment institutions and e-money institutions
Banks, investment firms, and custodians
Exchanges and trading venues
If you rely on third-party technology platforms, including compliance software, to deliver regulated services, DORA requires you to ensure those vendors meet specific contractual, operational, and resilience standards set out under Article 28.
Ospree's Position as an ICT Third-Party Provider
Ospree is a technology provider to regulated financial entities. Under DORA, that means your organisation has obligations around how you select, contract with, and oversee us as part of your ICT third-party risk management framework.
We take those obligations seriously, both for your sake and ours.
Ospree's platform, infrastructure, and contractual arrangements are designed to support the expectations DORA places on ICT providers to regulated entities. We do not claim that using Ospree makes your organisation DORA-compliant. Compliance is your obligation, and it extends across your full technology estate. What we can do is make sure that Ospree's side of that equation is well-documented, evidenced, and contractually sound.
What Ospree Provides to Support Your DORA Obligations
Ospree supports customers by providing specific measures that help address DORA-related ICT third-party risk obligations, including DORA-aligned contractual documentation, security controls, incident management, business continuity processes, service availability commitments, and ICT third-party risk transparency.
Ospree's Master Services Agreement (MSA) and Data Processing Agreement (DPA) are structured to support these requirements. Customers can request our DORA contractual schedule, a document that maps our standard contract provisions to Article 28 requirements, as part of their vendor due diligence process. To request the DORA contractual schedule, contact your Ospree account manager or reach out to sales@ospree.io.
Regulatory References
European Union. (2022). Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
European Banking Authority. (2025). Digital Operational Resilience Act: Oversight of critical ICT third-party providers. European Banking Authority. https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act

