DORApp Blog
DORA Fundamentals

Microsoft DORA Addendum (2026 Guide)

M
ByMatevž Rostaher

Microsoft contract changes marketed as a “DORA addendum” can be useful, but they do not automatically make your Microsoft cloud stack “DORA compliant.” Under the Digital Operational Resilience Act (DORA), financial entities remain accountable for ICT risk management and for demonstrating that ICT third-party service provider (ICT TPP) arrangements meet specific contractual and oversight expectations. If you are reviewing a Microsoft DORA addendum, your task is typically to confirm that the addendum meaningfully supports your Article 28 of DORA obligations, integrates with your internal governance, and is operationally usable in audits and supervisory reviews. This article provides a practitioner-focused evaluation framework, with a checklist you can apply to Microsoft cloud contracts and supporting documentation, starting from what is dora.

Contents

  • What a “Microsoft DORA addendum” should achieve
  • What DORA requires for cloud and other ICT contracts
  • DORA Article 30 and subcontracting RTS: what to look for in hyperscaler contract stacks
  • Commercial evaluation criteria for a Microsoft DORA addendum
  • Practical checklist: clauses and evidence to confirm
  • Strengthen auditability with contract stack mapping (what supervisors typically expect to see)
  • Strengths and Challenges
  • Who this evaluation approach is for
  • Where Dorapp can help (practically)
  • Selection guide: how to judge contract sufficiency under DORA
  • Frequently Asked Questions
  • Key Takeaways

    • What a “Microsoft DORA addendum” should achieve

    In most institutions, “Microsoft DORA addendum” refers to an add-on set of contractual terms, data protection and security commitments, audit and information rights language, and sometimes operational commitments related to incident notification and subcontracting. The exact content varies by product family and contracting model (direct contract, reseller, group agreement, public sector style terms, and so on), so your evaluation should treat the addendum as one part of a broader dora third party risk control environment.

    From a DORA standpoint, the objective is not to “have an addendum.” The objective is to demonstrate that your arrangement for Microsoft-delivered ICT services supports:

  • Contractual safeguards and enforceable rights aligned to DORA Article 28 (general contractual requirements) and DORA Chapter V expectations for ICT third-party risk management.
  • Ongoing oversight of service performance, resilience, security measures, and concentration risk for the specific services you consume.
  • Evidence that you can operationalize those rights (for example, obtaining the right information on demand, executing exit plans, and handling major ICT-related incidents).

    • That means a good “DORA addendum” outcome is typically measurable in governance terms: clearer accountability, auditable evidence, and fewer exceptions that require compensating controls. A weak outcome is one where the addendum exists but does not map cleanly to your ICT risk framework, vendor oversight cadence, or supervisory evidence expectations.

    What DORA requires for cloud and other ICT contracts

    For cloud services, the relevant DORA obligations usually sit at the intersection of:

  • ICT risk management (DORA Articles 5 to 15): how you identify, protect, detect, respond, and recover, including governance and control monitoring.
  • ICT third-party risk management (DORA Chapter V, including Article 28): what your contracts must cover and how you oversee ICT TPP performance and risk.
  • Incident management and reporting (DORA Articles 17 to 23): your ability to classify incidents and report major ICT-related incidents to competent authorities based on the applicable RTS on incident classification and reporting.
  • Digital operational resilience testing (DORA Articles 24 to 27): assurance testing expectations that may influence contractual audit, access, and information rights.

    • Most Microsoft DORA addendum reviews concentrate on DORA Article 28 of DORA because it sets the baseline topics that should be addressed in contractual arrangements with ICT TPPs. In practice, you also need to consider the European Supervisory Authorities (ESAs) technical standards (European Banking Authority (EBA), European Securities and Markets Authority (ESMA), European Insurance and Occupational Pensions Authority (EIOPA)) because the RTS and ITS define additional detail and supervisory expectations may evolve.

    Two practical reminders that often get missed:

  • DORA applies from 17 January 2025, but supervisory expectations for “how much detail is enough” may vary by sector and by competent authority, especially for cloud and complex supply chains.
  • Your contracting perimeter must reflect your real service usage. A “one-size” addendum can still leave gaps if your specific Microsoft services have different operational dependencies, support models, or subcontracting chains than your legal paperwork assumes.

    • If you need a plain-language regulatory refresher before contract work, use dora regulation explained and the broader digital operational resilience act dora overview as context.

    DORA Article 30 and subcontracting RTS: what to look for in hyperscaler contract stacks

    Here’s the thing: many cloud providers structure DORA contracting as a “contract stack” rather than a single, standalone addendum. You may see a master agreement plus product terms, security and privacy terms, a data protection addendum, service level commitments, and service-specific documents. Your review needs to treat the Microsoft DORA addendum as only one layer, then confirm that the overall stack meets the DORA contracting expectations for ICT third-party service providers supporting your services and, where relevant, your critical or important functions.

    From a regulatory standpoint, DORA Article 30 is often the practical focal point for contract drafting, especially for arrangements supporting critical or important functions. Article 30 sits within DORA’s ICT third-party risk management chapter and works together with Article 28’s baseline contractual expectations. In addition, the ESAs have developed more detailed requirements through Regulatory Technical Standards, including RTS on subcontracting arrangements. Those RTS are commonly referenced in industry as “the subcontracting RTS” and may appear in provider documentation as “RTS 53” depending on the publication and numbering context.

    In most institutions, the gaps are not in whether “subcontracting is mentioned.” The gaps show up in whether you can operationalize subcontracting oversight without breaking your governance model. When evaluating a Microsoft DORA addendum and the surrounding contract stack, pay attention to the topics below.

    1) Material subcontractors and material changes: what is disclosed, how, and when

    DORA expects you to manage subcontracting risk, including the ability to react to changes that could materially affect your risk profile. In provider contract stacks, disclosures may be delivered through online lists, portals, or standard notices. Your task is to confirm whether the disclosure mechanism is stable and auditable, and whether change notifications are sufficiently actionable for your internal review and approvals.

    2) Your rights in practice: objection, escalation, and decision-making paths

    Some contract stacks provide limited room to object to subcontractor changes, or they frame changes as a standard operational practice. DORA does not require a single specific contractual mechanism in all cases, and outcomes may be subject to supervisory interpretation. What the regulation actually requires is that you can identify, assess, and manage the risk, including documenting decisions and applying compensating controls where direct control is constrained.

    3) Flow-down requirements: do subcontractors inherit the same obligations

    For DORA purposes, you typically need confidence that key obligations flow down to subcontractors, especially around security measures, access and audit enablement (at least through indirect assurance), incident cooperation, and data handling. If the addendum relies heavily on “policies” or “available on request” materials, confirm whether that is enforceable and stable enough to support multi-year auditability.

    4) Cross-border delivery and group entities

    Cloud delivery often involves multiple Microsoft entities, regional operations, and subcontractors across jurisdictions. DORA does not prohibit cross-border delivery, but it raises practical questions for oversight, evidence, and exit planning. You should confirm that your contract stack clearly identifies the contracting party, the relevant service delivery entities, and where to obtain information about the supply chain that supports your in-scope services.

    This content is for informational purposes only and does not constitute legal advice. Contract sufficiency and enforceability can vary based on your contracting model, the Microsoft service family, and your competent authority’s expectations. In most cases, financial institutions should seek qualified legal or regulatory counsel for institution-specific DORA contracting guidance.

    Commercial evaluation criteria for a Microsoft DORA addendum

    A Microsoft DORA addendum is worth treating like any other high-impact ICT TPP contract component: it should be evaluated against specific DORA outcomes and your institution’s operating model. The criteria below are designed for compliance officers, ICT risk managers, and CISOs who need an auditable rationale for “accept,” “accept with compensating controls,” or “negotiate/escalate.”

    1) Contractual completeness against DORA Article 28 topics

    Map the addendum and the master agreement to a clause-by-clause DORA Article 28 checklist. Look for unaddressed topics, ambiguous commitments, and areas where Microsoft offers “policies” instead of enforceable contractual rights.

    2) Operational usability of rights (audit, access, information, and assurance)

    Many contracts contain rights that are difficult to execute in reality. Evaluate how you would actually obtain evidence, how often, and through which portals, reports, attestations, or engagement processes.

    3) Supply chain transparency and subcontractor control

    DORA expects oversight of subcontracting, including material changes. Review how subcontractors are disclosed, how changes are notified, and how you can assess downstream risk. This is where “contract is fine” can still fail operationally if the supply chain is opaque or change notifications are not actionable.

    4) Incident and outage alignment with DORA reporting workflows

    Your contract should support your incident classification and reporting obligations, including timely notifications and relevant data. “Timely” is not the same as “at Microsoft’s discretion.” Confirm what is notified, how quickly, and what technical and business impact details are provided.

    5) Exit and resilience: realistic termination, portability, and continuity

    DORA emphasizes resilience and the ability to manage disruptions, including third-party failures. Your addendum should support exit planning (including data portability, support obligations, and transition assistance) in a way that is feasible for your workload and architecture.

    Practical checklist: clauses and evidence to confirm

    This checklist is intentionally framed as “what you should be able to evidence,” not only “what the contract says.” Supervisory reviews often focus on whether you can demonstrate effective oversight, not whether a clause exists somewhere in a document repository.

    A. Service scope and ICT TPP identification

  • Clear identification of the contracting Microsoft entity and any resellers, with the exact services in scope (including optional features you actually use).
  • Accurate classification of Microsoft as an dora ict service provider for your purposes, including the service’s support of critical or important functions where applicable.
  • A traceable mapping from service to business function and criticality (this usually feeds your Register of Information and your internal risk classification).

    • B. Security and resilience commitments (measures, standards, and change control)

  • Contractual commitments for security measures and operational resilience controls that are specific enough to assess.
  • Clear responsibilities for shared responsibility areas (identity, configuration baselines, logging, backup, encryption, key management).
  • Change notification expectations for changes that could affect availability, confidentiality, integrity, or service performance.

    • C. Audit, access, and information rights (practical execution)

  • Rights to obtain information needed for DORA oversight (for example, security documentation, assurance reports, testing results, and relevant policies).
  • Clear process for requesting evidence, timelines for response, and what format it comes in (attestations, audit reports, portals).
  • Any limitations that could prevent effective oversight (for example, “industry standard reports only,” heavy reliance on third-party attestations, restrictions on on-site audit). Limitations are not automatically non-compliant, but they may require compensating controls and stronger risk acceptance governance.

    • D. Incident notification and cooperation duties

  • Defined incident notification triggers and timelines (security incidents, outages, data breaches, and near-misses if relevant).
  • Commitments to provide sufficient detail for your classification of major ICT-related incidents under the applicable RTS (impact metrics, affected services, duration, remediation status, and customer-specific impact where possible).
  • Cooperation language: escalation paths, incident coordination, and post-incident reporting support.

    • E. Subcontracting and supply chain oversight

  • Disclosure model for subcontractors supporting the in-scope services and how updates are communicated.
  • Material change notification, objection rights (where available), and the practical ability to evaluate downstream changes without excessive lead time risk.
  • Evidence you can maintain a current view of dependencies, which is often necessary for concentration risk analysis.

    • F. Termination, exit, and transition assistance

  • Termination rights and triggers that reflect operational risk needs, not only commercial defaults.
  • Data portability commitments, data deletion terms, and realistic timelines for extraction at scale.
  • Transition support: whether it is included, priced, or limited, and whether it is sufficient for your exit plan assumptions.

    • G. Governance and evidence: can you defend your decision?

  • Documented approval workflow and risk acceptance decisions for deviations, including decision rationale.
  • Linkage between contract review findings and ongoing monitoring (KPIs, service review cadence, reassessment triggers).
  • Audit-ready recordkeeping: version control of contract documents, evidence, and assessments over time.

    • All of this sits within the broader concept of what is digital resilience, where resilience is demonstrated through governance and repeatable operating processes, not only “security features.”

    Strengthen auditability with contract stack mapping (what supervisors typically expect to see)

    What many compliance teams overlook is that a “DORA addendum review” often fails in audits for a simple reason: the institution cannot produce a single traceable narrative that ties (1) DORA requirements, (2) the applicable clause across the contract stack, and (3) the evidence source that demonstrates oversight in operation.

    Large ICT providers often publish their own clause mappings or “stack mappings” that align their standard terms to DORA contractual topics. Those artifacts can be helpful as an orientation tool, but your institution still needs its own mapping because your contract stack, purchasing channel, and services in scope may differ. A provider-side mapping also does not replace your obligation to assess whether the rights are usable for your criticality classification and ICT Risk Management Framework.

    Build a DORA-ready contract stack map (minimum viable version)

    From a practical standpoint, a defensible mapping table typically includes:

  • DORA reference: the relevant requirement topic from DORA Article 28, and where relevant Article 30 for critical or important functions.
  • Contract stack location: master agreement clause, the DORA addendum section, product terms, service level terms, data protection terms, and any service-specific attachments that create obligations.
  • Operational artifact: what you will actually present in an audit, such as assurance reports, third-party attestations, vulnerability management summaries, service health communications, incident communications, and documented governance minutes.
  • Owner and cadence: who retrieves the evidence and how often, aligned to your vendor oversight cycle and audit calendar.
  • Known limitations and compensating controls: where standardized assurance replaces direct audit, where notice periods are tight, or where subcontractor transparency is limited, and what compensating steps you apply.

    • Common contract stack mapping failure points

  • “Policy substitution” without enforceability: the mapping cites a policy URL or general statement, but it is not clearly incorporated into the contract, or it can change unilaterally without a governance trigger on your side.
  • Evidence that cannot be refreshed: the institution can show a one-time pack, but cannot demonstrate that evidence is periodically updated, retained, and reviewed.
  • Service scope drift: the contract mapping covers Microsoft services you no longer use, but misses services that have become operationally critical through organic adoption.
  • Misalignment with incident reporting workflows: the contract provides notifications, but not with the data you need to classify and report major ICT-related incidents under DORA Articles 17 to 23 within the applicable RTS-defined timelines.

    • This content is for informational purposes only and does not constitute legal advice. The form and depth of contract mapping that is appropriate for your institution may depend on your sector, risk profile, and supervisory expectations. In most cases, you should validate your mapping methodology with qualified legal or regulatory counsel and align it with your internal governance.

    Strengths and Challenges

    Strengths

  • Creates a structured negotiation baseline for DORA-relevant topics (audit rights, incident communication, subcontractor transparency), which can reduce ad hoc contracting across business units.
  • Improves internal alignment by forcing your institution to map Microsoft services to DORA-relevant artifacts: Register of Information entries, criticality, and oversight cadence.
  • Can accelerate evidence collection when the addendum clearly references standardized assurance materials (attestations and reports), reducing repeated back-and-forth with account teams.
  • Enables clearer risk acceptance decisions because gaps and limitations become visible, allowing you to document compensating controls where needed.
  • Supports operational resilience planning by anchoring exit, continuity, and cooperation expectations in contract language that can be referenced during incidents and transition planning.

    • Implementation Considerations

  • “Addendum present” is not “gap closed.” Some DORA Article 28 topics may still be partially met through policies, external attestations, or cross-referenced documents that are hard to validate and maintain.
  • Operationalization can be the limiting factor. Even where audit or information rights exist, internal teams may struggle to execute them at scale without tooling, clear ownership, and recurring workflows.
  • Supply chain transparency may remain imperfect. Hyperscaler ecosystems can involve complex subcontracting, and downstream participation and completeness may require repeated follow-up cycles.
  • Reseller and group-contract structures can create ambiguity. Your enforceable rights may depend on whether you contract directly with Microsoft, through a reseller, or via a group procurement framework.

    • Who this evaluation approach is for

    This evaluation approach is designed for EU-regulated financial entities that rely on Microsoft cloud services for business processes, customer-facing systems, productivity platforms, identity, or security controls. It is most relevant where Microsoft services support critical or important functions or where the institution’s risk profile requires deeper third-party oversight.

    Roles that typically benefit most include:

  • Compliance officers coordinating DORA Chapter V implementation and evidence readiness.
  • ICT risk managers accountable for third-party risk assessments, concentration risk, and Register of Information accuracy.
  • CISOs and security governance leads validating security responsibilities, evidence availability, and incident cooperation mechanisms.
  • Procurement and vendor management teams who need to translate DORA requirements into contracting and renewal workflows.

    • Where Dorapp can help (practically)

    If your main challenge is not understanding DORA, but running a repeatable, audit-ready third-party oversight process, Dorapp is designed to operationalize that work. Based on verified platform documentation, Dorapp is a modular DORA-focused platform with a dedicated DORApp ROI (Register of Information) module and a DORApp TPRM (Third-Party Risk Management and Questionnaire Automation) module. It also provides an Execution Governance Engine with configurable review gates and single- or multi-user sign-off, plus an Audit Trail that records workflow transitions, approvals, timestamps, and decision rationale.

    In practice, that combination can support a Microsoft DORA addendum review by helping you maintain structured records of: which Microsoft services are in scope, how they map to functions and contracts, what evidence was collected, what gaps were accepted or remediated, and who approved the decision. If you want to see how this works in your own contracting reality, you can Book a Demo or review the DORApp Modules to understand which module aligns to your immediate DORA third-party risk priorities.

    Selection guide: how to judge contract sufficiency under DORA

    Even with a hyperscaler, DORA contracting is rarely a binary “pass/fail.” A defensible decision typically combines contractual coverage, operational evidence, and governance around residual risk. The guide below outlines four criteria you can apply to Microsoft’s DORA addendum (or any major cloud provider contracting package) and the common pitfalls to watch for.

    Criterion 1: DORA Article 28 coverage with a traceable mapping

    Create a mapping table that links each DORA Article 28 topic to:

  • the exact contract clause reference (master agreement, addendum, service-specific terms),
  • the operational artifact that proves it (report, portal output, policy, process), and
  • your internal owner (procurement, security, IT operations, vendor management).

    • Common issue: the clause exists, but the “proof” is a generic statement that does not allow you to assess service-specific risk or does not remain available over time.

    Criterion 2: Evidence availability and refresh cadence

    DORA oversight is ongoing. Ask: what evidence can you obtain today, and what evidence will you reliably obtain during the next audit cycle? For Microsoft, this often involves standardized assurance artifacts and service communications. Your evaluation should confirm:

  • what is available self-service versus on request,
  • how evidence changes are communicated, and
  • how you will archive evidence to support multi-year traceability.

    • Common issue: institutions collect a one-time evidence pack but cannot demonstrate ongoing monitoring and governance.

    Criterion 3: Incident cooperation that supports DORA reporting

    DORA Articles 17 to 23 create pressure on your ability to classify and report major ICT-related incidents within supervisory timelines defined by RTS. Your Microsoft contract package should support incident cooperation by clarifying:

  • notification triggers (what constitutes an incident for notification purposes),
  • timelines and escalation paths, and
  • data quality (impact detail, service components affected, customer-specific implications where feasible).

    • Common issue: notification is framed as “best efforts” without clarity on content, leading to gaps in your incident classification evidence.

    Criterion 4: Subcontracting and concentration risk defensibility

    Microsoft services often rely on extensive internal and external dependencies. DORA expects you to understand and manage concentration and dependency risk, especially for critical services. Your evaluation should confirm:

  • how subcontractors are disclosed and updated,
  • whether you get notice of material changes that affect risk, and
  • how you will use that information in your risk assessments and board reporting.

    • Common issue: disclosures exist but are not integrated into your ongoing monitoring, so concentration risk reporting becomes a narrative rather than evidence-based.

    Criterion 5: Exit planning that matches technical reality

    Exit is not just a legal clause. It is a technical and operational plan. Confirm that your contractual rights, support commitments, and data portability terms match:

  • your application architecture and identity dependencies,
  • your data volumes and extraction methods, and
  • your continuity and recovery assumptions.

    • Common issue: the contract allows termination, but the institution has not validated feasibility, timelines, or transition support, creating an exit plan that is not operationally credible.

    Frequently Asked Questions

    Does a Microsoft DORA addendum make Microsoft services “DORA compliant” for my institution?

    Typically not by itself. DORA places accountability on the financial entity, not the ICT third-party service provider. A Microsoft DORA addendum can help address contractual topics in DORA Article 28, but you still need risk assessments, governance, monitoring, incident processes, and evidence that the arrangement is effectively overseen. Your competent authority may also have specific expectations.

    Which DORA article is most relevant when reviewing a Microsoft DORA addendum?

    DORA Article 28 is usually the core contractual reference for ICT third-party arrangements because it sets out what contracts should address. In practice, you should also align the addendum with your broader DORA program, including ICT risk management (DORA Articles 5 to 15) and incident reporting (DORA Articles 17 to 23), because contract terms must be usable in those operational workflows.

    What evidence should we retain after signing a Microsoft DORA addendum?

    You generally want an audit-ready package: final executed agreements, service scope mapping, subcontractor disclosure approach, assurance reports or attestations you rely on, your risk assessment and residual risk decision, and a record of approvals. Retain a traceable mapping between DORA requirements and the evidence source, since supervisory reviews often test whether oversight is demonstrable over time.

    How do we handle audit rights if the provider offers standardized assurance reports only?

    This is common in large cloud arrangements. It may still be workable, but you should assess whether standardized reports and other evidence are sufficient for your risk profile, criticality, and supervisory expectations. Where direct audit is constrained, institutions often rely on layered assurance (attestations, contractual information rights, performance reporting, and compensating internal controls) with clear governance and documented risk acceptance.

    How does subcontracting under hyperscalers affect DORA compliance?

    Subcontracting and complex dependency chains can make oversight more challenging, especially if changes are frequent or disclosures are not granular. Under DORA, you may need a defensible approach to tracking subcontractors that support in-scope services, assessing material changes, and reflecting those changes in concentration and dependency risk analysis. The precise criteria are informed by RTS and supervisory practice.

    What is the relationship between the DORA addendum and the Register of Information?

    The addendum itself is not the Register of Information, but it should support the data you must maintain about ICT services, providers, contracts, and dependencies. A good practice is to ensure that the contract scope, services, and entities in the agreement map cleanly to your Register of Information entries and are updated consistently during renewals, service expansions, and provider reorganizations.

    Should we treat Microsoft as supporting critical or important functions under DORA?

    It depends on your service usage and business function mapping. If Microsoft services underpin customer-facing systems, core processing, identity and access management, or other essential operations, they could be linked to critical or important functions. You should base the classification on your internal methodology and the DORA definitions, and document the rationale and resulting oversight intensity accordingly.

    What are common red flags when reviewing a Microsoft DORA addendum?

    Common red flags include vague commitments that are hard to evidence, notification timelines that do not support incident classification needs, limitations that materially reduce effective oversight without compensating controls, and unclear subcontracting disclosures. Another frequent issue is mismatch between contract scope and actual service usage, which can lead to incomplete Register of Information entries and weak audit trails.

    How can we make the contracting work auditable without overburdening teams?

    Most institutions benefit from standardizing the workflow: a DORA clause mapping, a repeatable evidence pack, defined approval gates, and a recurring reassessment cadence triggered by renewals or material changes. Tooling can help maintain a single source of truth for contracts, services, assessments, and approvals. The goal is a controlled process that produces evidence as a byproduct of operating, not as a last-minute audit exercise.

    Is a provider “DORA addendum template” sufficient as a contract on its own?

    Typically not. A template can be a useful starting point, but DORA expectations are applied to your actual arrangement, including the master agreement, product terms, service descriptions, and any referenced policies that are contractually incorporated. You should validate that the final executed contract stack is internally consistent, applies to the services you use, and creates enforceable rights you can evidence during audits and supervisory reviews.

    Where do financial institutions typically obtain a Microsoft DORA addendum?

    In many cases, it is provided through your contracting channel, such as a Microsoft account team, licensing channel, or reseller, rather than being publicly downloadable as a single PDF. Availability and process can vary by product family, entity, and region. If your contracting route makes it difficult to obtain the correct document version, treat that as a governance issue: without a controlled document trail, it becomes harder to demonstrate contract completeness and version control under audit.

    Does DORA require a specific “DORA addendum” label in the contract?

    No. DORA focuses on whether the contractual arrangement includes the required topics and supports effective oversight, not on document names. In practice, however, a clearly scoped addendum can reduce ambiguity by making DORA-relevant terms easier to find and govern. Your institution should still confirm that the addendum is integrated into the enforceable contract stack and not contradicted by other terms.

    How does ESA oversight of critical ICT third-party providers affect our Microsoft contracting review?

    DORA provides an oversight framework for ICT third-party providers that may be designated as critical, with oversight conducted at EU level by the ESAs (EBA, EIOPA, ESMA) through their joint work. This oversight is separate from your institution’s responsibilities. Even if a provider is overseen, you typically still need to demonstrate that your own arrangement meets DORA Chapter V expectations, including contract completeness, evidence collection, and operational oversight for the services you consume.

    Key Takeaways

  • A Microsoft DORA addendum can support DORA compliance, but it does not transfer accountability away from the financial entity.
  • Evaluate the addendum against DORA Article 28 and confirm you can operationalize audit, information, incident, subcontracting, and exit rights.
  • Focus on evidence and governance: what you can demonstrate consistently matters as much as what the contract states.
  • Supply chain and subcontracting transparency are often the hardest areas to make “audit-proof” without structured tracking and reassessment triggers.
  • Repeatable workflows and an audit trail reduce renewal risk and improve supervisory defensibility for major cloud providers.

    • Conclusion

    A Microsoft DORA addendum is best treated as a structured input to your ICT third-party risk program, not as a compliance outcome on its own. The practical test is whether your institution can evidence DORA-aligned oversight: traceable contractual coverage, usable information and cooperation rights, supply chain visibility, and realistic exit planning. If you want to reduce manual effort while strengthening audit readiness, consider using a dedicated DORA workflow approach that connects your Register of Information, third-party risk assessments, approvals, and evidence retention. You can explore Dorapp’s modular approach via DORApp Modules or Book a Demo to discuss how your institution could structure Microsoft contract oversight in an auditable, repeatable way.

    Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. DORA compliance obligations vary depending on the classification and size of your financial institution. Consult qualified legal or regulatory counsel to assess your specific obligations under the Digital Operational Resilience Act and applicable regulatory technical standards.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.