
NIS2 and DORA: Double Compliance for Indian Financial BPOs

Reviewed by Opsio Engineering Team
Praveena Shenoy

Country Manager, India

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

Indian financial BPOs serving EU banks, insurers, and asset managers now face two EU regulations simultaneously. NIS2 applies broadly to supply chains of essential and important entities. DORA (Digital Operational Resilience Act) applies specifically to ICT third-party service providers of EU financial entities, effective January 2025 (Regulation (EU) 2022/2554, 2022). According to EBA (2024), over 22,000 EU financial entities fall under DORA, and their ICT providers, including Indian BPOs, face rigorous new obligations.

Key Takeaways

  • DORA applies to ICT providers of 22,000+ EU financial entities (EBA, 2024)
  • NIS2 and DORA overlap on incident reporting, risk management, and supply chain security
  • DORA adds specific ICT testing, contractual, and oversight requirements beyond NIS2
  • Indian financial BPOs need a unified compliance framework covering both regulations
  • "Critical" ICT providers may face direct EU oversight under DORA's oversight framework

How Does DORA Differ From NIS2 for Indian BPOs?

DORA is a sector-specific regulation that sits alongside NIS2 as lex specialis for the financial sector. According to the European Commission (2024), where DORA provisions are more specific than NIS2, DORA takes precedence for financial entities and their ICT providers. For Indian financial BPOs, this means DORA's stricter requirements override NIS2's general provisions.

DORA's Unique Requirements

ICT risk management framework (Articles 5-16): DORA prescribes a detailed ICT risk management framework that financial entities must implement and require from their ICT providers. This goes beyond NIS2's general risk management expectations.

Digital operational resilience testing (Articles 24-27): DORA mandates regular testing of ICT systems, including threat-led penetration testing (TLPT) for significant financial entities. Your EU financial client may require you to participate in or support these tests.

ICT third-party risk management (Articles 28-44): DORA imposes specific contractual requirements for ICT service agreements with financial entities. These requirements are more prescriptive than NIS2's general supply chain provisions.

ICT incident reporting (Articles 17-23): DORA's incident reporting aligns with NIS2's timelines but adds financial-sector-specific classification criteria and reporting formats.

Where They Overlap

Both regulations require:

  • Systematic risk assessment and management
  • Incident detection, classification, and reporting
  • Business continuity and disaster recovery
  • Supply chain security assessment
  • Regular testing and validation

The overlap is substantial. Building compliance for one regulation covers significant ground for the other.

Citation capsule: DORA applies as lex specialis for the financial sector alongside NIS2, imposing specific ICT risk management, resilience testing, and third-party contractual requirements on providers serving 22,000+ EU financial entities (EBA, 2024).

What Specific DORA Obligations Affect Indian Financial BPOs?

DORA's Chapter V (Articles 28-44) defines ICT third-party risk management requirements. According to EIOPA (2024), these provisions create direct obligations that EU financial entities must embed in contracts with their ICT providers, including Indian BPOs.

Mandatory Contractual Provisions

DORA Article 30 specifies key contractual provisions that must appear in agreements with ICT providers:

  • Service level descriptions with quantitative and qualitative performance targets
  • Provisions on accessibility, availability, integrity, security, and protection of personal data
  • Guaranteed service levels and remediation when targets aren't met
  • Obligations to provide assistance in case of ICT incidents at no additional cost or at pre-agreed cost
  • Participation in the financial entity's security awareness programmes
  • Rights of access, inspection, and audit by the financial entity and its regulators

Subcontracting Restrictions

DORA Article 29 restricts subcontracting of ICT services supporting critical or important functions. If your Indian BPO uses subcontractors for any part of the service delivery to an EU financial client, you must:

  • Obtain prior consent for subcontracting arrangements
  • Ensure subcontractors meet the same security requirements
  • Maintain a register of subcontracting arrangements
  • Notify the financial entity of any changes to subcontractors

Exit Strategies

DORA requires pre-defined exit plans. Your contract must specify how services will be transitioned if the relationship ends, including data return, migration support timelines, and continued service during transition periods.

[PERSONAL EXPERIENCE] Indian financial BPOs often underestimate the exit strategy requirement. In our experience, building a credible exit plan takes 4-8 weeks and requires coordination between operations, legal, and technology teams. Starting this work before contract negotiations gives you a stronger position.


Could Your Indian BPO Be Classified as a "Critical" ICT Provider?

DORA introduces a direct oversight framework for "critical" ICT third-party service providers. According to ESAs Joint Committee (2024), the European Supervisory Authorities designate critical providers based on systemic importance criteria, and designated providers face direct EU regulatory oversight.

Designation Criteria

The ESAs consider:

  • The systemic impact of the ICT services provided
  • The degree of substitutability of the provider
  • The number and significance of financial entities relying on the provider
  • The provider's importance to the financial system of the EU or individual member states

What "Critical" Designation Means

If your Indian BPO is designated as critical, you'll face:

  • Direct oversight by a Lead Overseer (one of the ESAs)
  • Regular assessments of your ICT risk management practices
  • Recommendations that carry enforcement weight
  • Potential restriction of services to EU financial entities if deficiencies aren't addressed

Likelihood for Indian BPOs

Large Indian IT and BPO providers serving multiple major EU banks or insurers could potentially be designated. The threshold is high, but it's not impossible. Providers like the major Indian IT services companies handling core banking operations for multiple EU financial institutions should assess their exposure.

For mid-sized Indian BPOs, direct designation is unlikely. However, your EU financial clients may still treat you as "critical" in their own risk assessments, applying similar rigour even without formal ESA designation.

As of early 2026, no Indian BPO has been formally designated as a critical ICT provider under DORA. However, preliminary assessments by the ESAs are underway, and large Indian IT companies with significant EU financial sector exposure are monitoring the process closely.

Citation capsule: DORA's oversight framework for "critical" ICT providers enables direct EU regulatory supervision of systemically important service providers, designated by the European Supervisory Authorities based on substitutability, systemic impact, and financial sector reliance (ESAs Joint Committee, 2024).

How Should Indian Financial BPOs Build a Unified NIS2-DORA Compliance Framework?

A single framework covering both regulations prevents duplication. According to McKinsey (2025), financial institutions and their ICT providers that build unified compliance frameworks spend 30-40% less on implementation compared to addressing each regulation separately.

Step 1: Map Requirements to Controls

Create a control matrix mapping NIS2 Article 21 and DORA Articles 5-44 to your existing controls. Identify:

  • Controls that satisfy both (target these for maximum efficiency)
  • Controls that satisfy NIS2 only
  • Controls that satisfy DORA only
  • Missing controls that need implementation

Step 2: Prioritise DORA-Specific Requirements

Since DORA takes precedence as lex specialis for financial sector providers, address DORA-specific gaps first:

  • ICT risk management framework documentation
  • Resilience testing participation capabilities
  • Contractual provisions alignment
  • Subcontracting register and consent processes
  • Exit strategy documentation

Step 3: Align Incident Reporting

Build a single incident classification and reporting process that satisfies:

  • CERT-In's 6-hour timeline
  • NIS2's 24/72-hour/one-month structure
  • DORA's financial sector incident classification and reporting requirements
  • Your EU financial client's internal notification expectations

Step 4: Prepare for Audit and Oversight

Both regulations require audit readiness. Build a documentation package covering:

  • Risk assessments and treatment plans
  • Business continuity and disaster recovery test results
  • Incident response procedures and past incident reports
  • Vendor management records
  • Training completion evidence
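The four steps above amount to a gap analysis over a control matrix: for each control, determine which regime's requirements it evidences, then list the requirements no control covers and order those gaps DORA-first because DORA is lex specialis. The following script is an added illustration, not Opsio's tooling or an official mapping. The requirement identifiers follow the article ranges named in this article (NIS2 Article 21, DORA Articles 5-16, 17-23, 24-27, 29, 30 and the exit-strategy requirement); the control set and its mappings are a constructed sample for a hypothetical BPO, not a real provider's register.

```python
"""Unified NIS2/DORA control-matrix gap analysis (added example, not Opsio code).

Requirement refs use the article ranges cited in the article; the control
set below is a constructed sample for a hypothetical Indian financial BPO.
"""
from dataclasses import dataclass, field

NIS2, DORA = "NIS2", "DORA"


@dataclass(frozen=True)
class Requirement:
    ref: str      # e.g. "DORA Art.30" (article ranges as cited in the article)
    regime: str   # NIS2 or DORA
    topic: str


@dataclass
class Control:
    name: str
    satisfies: set[str] = field(default_factory=set)  # requirement refs it evidences


# Requirement catalogue: refs follow the article, sub-topics are illustrative.
REQUIREMENTS = [
    Requirement("NIS2 Art.21 risk", NIS2, "risk analysis and security policies"),
    Requirement("NIS2 Art.21 incident", NIS2, "incident handling and reporting"),
    Requirement("NIS2 Art.21 continuity", NIS2, "business continuity and DR"),
    Requirement("NIS2 Art.21 supply-chain", NIS2, "supply chain security"),
    Requirement("DORA Art.5-16", DORA, "ICT risk management framework"),
    Requirement("DORA Art.17-23", DORA, "ICT incident reporting"),
    Requirement("DORA Art.24-27", DORA, "resilience testing / TLPT support"),
    Requirement("DORA Art.29", DORA, "subcontracting register and consent"),
    Requirement("DORA Art.30", DORA, "mandatory contractual provisions"),
    Requirement("DORA exit strategy", DORA, "pre-defined exit plan"),
]

# Constructed sample control set for a hypothetical BPO (not a real register).
CONTROLS = [
    Control("ISO 27001 risk assessment", {"NIS2 Art.21 risk", "DORA Art.5-16"}),
    Control("24x7 SOC incident process", {"NIS2 Art.21 incident", "DORA Art.17-23"}),
    Control("BC/DR plan, tested annually", {"NIS2 Art.21 continuity"}),
    Control("Annual external pentest", {"DORA Art.24-27"}),
    Control("Legacy MSA template", set()),  # mapped to nothing: a candidate for retirement
]


def gap_analysis(requirements: list[Requirement], controls: list[Control]) -> dict:
    """Classify controls (Step 1) and list uncovered requirements DORA-first (Step 2)."""
    by_ref = {r.ref: r for r in requirements}
    result = {"both": [], "nis2_only": [], "dora_only": [], "unmapped": [], "missing": []}

    for c in controls:
        unknown = c.satisfies - by_ref.keys()
        if unknown:
            # A typo in the matrix would silently hide a gap, so fail loudly.
            raise ValueError(f"{c.name!r} maps to unknown requirement(s): {sorted(unknown)}")
        regimes = {by_ref[ref].regime for ref in c.satisfies}
        if regimes == {NIS2, DORA}:
            result["both"].append(c.name)
        elif regimes == {NIS2}:
            result["nis2_only"].append(c.name)
        elif regimes == {DORA}:
            result["dora_only"].append(c.name)
        else:
            result["unmapped"].append(c.name)

    covered = set().union(*(c.satisfies for c in controls))
    missing = [r for r in requirements if r.ref not in covered]
    # DORA is lex specialis for financial-sector providers: its gaps sort first.
    missing.sort(key=lambda r: (r.regime != DORA, r.ref))
    result["missing"] = [r.ref for r in missing]
    return result


if __name__ == "__main__":
    report = gap_analysis(REQUIREMENTS, CONTROLS)
    for bucket, names in report.items():
        print(f"{bucket}:")
        for n in names:
            print(f"  - {n}")
```

On the sample data the report puts the risk assessment and the SOC process in the "both" bucket, flags the unmapped legacy MSA template, and lists the gaps in the order a DORA-first remediation plan would address them: subcontracting register, Article 30 contract terms, exit strategy, and only then the remaining NIS2 supply-chain item. Replacing the constructed control list with your own register and re-running gives the control matrix Step 1 asks for.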

What Are the Penalty Implications of Non-Compliance?

The financial exposure is significant under both frameworks. NIS2 penalties for essential entities reach EUR 10 million or 2% of global annual turnover (European Parliament, 2022). DORA adds separate enforcement mechanisms specific to the financial sector.

NIS2 Penalties (Indirect)

As an Indian BPO, you won't face NIS2 fines directly. Your EU financial client will. But your client's regulatory exposure becomes your commercial exposure. If your non-compliance contributes to their penalty, you'll face contractual liability claims and contract termination.

DORA Enforcement

For "critical" ICT providers under direct oversight, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance (Article 35, 2022).

For non-critical providers, enforcement flows through the financial entity. Your EU client's regulator can require them to terminate or restrict services from non-compliant ICT providers.

Combined Commercial Risk

The real risk isn't regulatory fines. It's losing EU financial sector clients. European banks and insurers are investing heavily in ICT third-party risk management. Providers that can't demonstrate NIS2 and DORA compliance will be replaced.

[UNIQUE INSIGHT] Indian financial BPOs face an asymmetric risk. The EU client absorbs regulatory penalties. The Indian BPO absorbs commercial consequences. This means your compliance investment protects revenue rather than avoiding fines. Frame the business case accordingly when seeking budget approval from Indian leadership.

Frequently Asked Questions

Does DORA apply to all Indian BPOs serving EU financial clients?

DORA applies to ICT third-party service providers of EU financial entities. If your Indian BPO provides ICT services (technology, data processing, software development, managed services) to EU banks, insurers, or investment firms, DORA's requirements will flow through your contracts. Non-ICT services like pure voice-based customer support may be less directly affected.

Can the same compliance framework cover both NIS2 and DORA?

Yes, and it should. The two regulations share substantial overlap in risk management, incident reporting, and business continuity. Build a unified framework with DORA as the primary standard (since it's stricter for financial sector providers) and map NIS2 requirements to ensure full coverage. According to McKinsey (2025), this approach saves 30-40% versus parallel implementations.

What's the timeline for DORA compliance?

DORA became applicable on 17 January 2025. EU financial entities should already be incorporating DORA requirements into ICT service agreements. Indian BPOs should expect updated contract terms, audit requests, and compliance questionnaires throughout 2025-2026.

How does DORA's incident reporting differ from NIS2?

DORA's incident classification is specific to the financial sector, considering factors like client impact, geographic spread, and transaction disruption. Reporting goes through the financial entity to its national competent authority. The timelines align closely with NIS2 (initial notification, follow-up, final report), but the classification criteria and reporting formats differ.

Should Indian BPOs invest in DORA-specific certifications?

No DORA-specific certification exists yet. Focus on ISO 27001:2022 as your baseline, add SOC 2 Type II for monitoring and access control evidence, and build a DORA compliance evidence package. Monitor the EU cybersecurity certification landscape for emerging financial-sector-specific schemes.

Key Takeaways on NIS2 and DORA Double Compliance for Indian BPOs

Indian financial BPOs face a dual compliance reality with NIS2 and DORA. The overlap is significant enough to build a unified framework, but DORA's sector-specific requirements add obligations that NIS2 alone doesn't cover.

Prioritise DORA-specific requirements: ICT risk management frameworks, resilience testing capabilities, contractual alignment, subcontracting registers, and exit strategies. Build incident reporting processes that satisfy CERT-In, NIS2, and DORA simultaneously.

The Indian financial BPOs that achieve dual compliance fastest will retain EU financial sector clients and win new mandates. Those that lag will face contract restructuring or termination.

Your next step: review your existing EU financial sector contracts against DORA Article 30's mandatory contractual provisions.

For hands-on delivery in India, see NIS2 obligations for Indian IT.

About the Author

Praveena Shenoy

Country Manager, India at Opsio

AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.