DORA Requirements in the Microsoft 365 Tenant
With the EU regulation DORA (EU 2022/2554) coming into force on January 17, 2025, financial companies are facing new regulatory obligations regarding digital resilience. With Entra ID, Purview, Defender and Sentinel, Microsoft 365 offers central tools for technical implementation - but the responsibility for DORA compliance lies with the companies themselves.
DORA at a Glance: The Most Important Facts
- Binding for financial companies since January 17, 2025
- Goal: Digital resilience and stability in the financial sector
- Requirements: ICT risk management, incident reporting, resilience testing
- Strict third-party management is mandatory
- Microsoft supports customers with a DORA-specific contract addendum and comprehensive compliance tools
What Is DORA - And Why Action Is Needed Now
DORA (Digital Operational Resilience Act) is an EU regulation to increase digital operational resilience in the financial sector. It affects banks, insurance companies, payment service providers, and their ICT service providers.
The regulation requires comprehensive risk management, reporting obligations, and resilience testing of digital systems. Given the increasing dependence on cloud services such as Microsoft 365, there is an immediate need for action – not least because of the strict testing requirements of the supervisory authority.
The central DORA requirements include:
- Establishment of ICT risk management
- Notification of serious incidents
- Execution of regular resilience tests
- Control of third-party service providers
- Exchange about cyber threats
Further details and a comprehensive overview can be found directly at the German Federal Financial Supervisory Authority (BaFin).
Microsoft’s Reaction: The DORA Contract Amendment
Microsoft has responded to the regulatory requirements and published a DORA-specific contract addendum for financial companies. This supplements existing contracts such as the Enterprise Agreement or the Data Protection Agreement (DPA) with a DORA-compliant addendum that regulates the following points, among others:
- Transparency in the use of subcontractors and third-party service providers
- Extended termination rights for critical changes
- Commitment to DORA-compliant data processing
- Reporting obligations and control options
The contract addendum is available in the Microsoft Service Trust Portal and should be part of every Microsoft 365 contract in the financial sector.
Challenges in Practice
Implementing the DORA requirements in the Microsoft 365 tenant is complex. Particularly important is the clear delineation of responsibilities between the financial company as the client and Microsoft as the service provider: Microsoft provides the technical foundations, but the regulatory responsibility remains with the company.
In practice this means: service providers must contractually anchor the regulatory requirements, but they are not themselves responsible for the financial company's compliance with DORA. At the same time, companies must regularly analyze and document their operational and technical risks – including those arising from the cloud services provided by Microsoft.
Recommendations for Financial Companies
Based on internal projects and Microsoft documentation, we recommend:
- Check contractual coverage: Make sure that the DORA contract addendum is part of your Microsoft contract.
- Review your tenant architecture: Consolidate your Microsoft 365 tenants and establish a centralized governance model.
- Enable compliance tools: Make full use of Microsoft Purview, Entra ID P2 and Defender products.
- Simulate ICT incidents: Develop an incident response plan and test it regularly.
- Documentation & Reporting: Document and audit all measures in a traceable manner.
Conclusion: DORA Is More than Compliance
DORA offers financial companies the opportunity to strengthen their digital resilience in the long term. Those who operate Microsoft 365 with clear governance structures and a DORA-compliant setup not only meet regulatory requirements, but also create long-term security and trust.
Implement Your DORA Roadmap Professionally with Arvato Systems
Arvato Systems supports financial companies from contract review and technical configurations to the implementation of a DORA-compliant Microsoft 365 tenant.
Rely on our expertise and experience in the secure implementation of DORA requirements. Contact us today to strengthen your digital resilience and meet regulatory requirements with confidence.