The Digital Operational Resilience Act (DORA) came into force on 17 January 2025, applying to financial entities across the EU including banks, investment firms, insurance companies, payment institutions, and crypto-asset service providers. For organisations that use Microsoft as their primary cloud and productivity platform — which describes the majority of EU financial services firms — DORA creates specific obligations around how you manage Microsoft as an ICT third-party provider, how you document that relationship, what contractual provisions you must have in place, and how you demonstrate digital operational resilience using your Microsoft technology stack.
This guide covers three dimensions: (1) what Microsoft products you need to implement DORA's internal ICT risk management requirements, (2) what contractual and governance obligations DORA places on your relationship with Microsoft as a third party, and (3) how Microsoft's DORA compliance posture affects your licensing and EA negotiation strategy. Understanding all three is essential — organisations that focus only on the internal technical implementation while ignoring the contractual and governance obligations are taking on regulatory risk that will surface in supervisory assessments.
DORA Article Map: Microsoft Products for Each Pillar
DORA's five operational pillars each have specific Microsoft product mappings. The table below reflects the standard Microsoft implementation stack for a mid-size financial entity — it is not exhaustive, and individual organisations will have different requirements based on their regulatory classification and risk profile.
| DORA Pillar | Key Articles | Microsoft Products | Plan/Licence Required |
|---|---|---|---|
| ICT Risk Management | 5–16 | Defender for Cloud, Sentinel, Compliance Manager | E3 + Defender for Cloud ($15/server) + Sentinel |
| ICT Incident Management | 17–23 | Sentinel, Defender XDR, Purview Audit Premium | E5 Security or E5 + Sentinel |
| Digital Operational Resilience Testing | 24–27 | Azure Chaos Studio, Defender for Cloud, ASR | Azure consumption + ASR |
| ICT Third-Party Risk Management | 28–44 | Purview Compliance Manager, manual register | M365 E3 |
| Information Sharing | 45–47 | Microsoft Sentinel threat intelligence | Sentinel (consumption) |
DORA Pillar 1: ICT Risk Management with Microsoft Products
DORA Articles 5–16 require financial entities to maintain a comprehensive ICT risk management framework covering: ICT risk identification and protection, detection, response and recovery, and testing. This framework must be formally documented, approved by management, and subject to annual internal audit.
ICT Risk Identification: Microsoft Defender for Cloud
Microsoft Defender for Cloud provides continuous assessment of Azure infrastructure (IaaS/PaaS) against CIS Benchmarks and Microsoft Security Benchmark — both referenced in DORA's ICT risk framework. Defender for Cloud's Secure Score provides a quantitative ICT risk posture metric that satisfies DORA Article 6(4) requirements for risk measurement. Cost: $15/server/month for server workloads (Defender for Servers Plan 2), or $0.02/core/hour for Azure VMs. For a mid-size financial entity with 200 Azure VMs, Defender for Cloud costs approximately $36K/year — an easily justified DORA compliance cost.
Threat Detection: Microsoft Sentinel
Microsoft Sentinel is the SIEM/SOAR platform most commonly deployed by FS firms for DORA threat detection requirements. DORA Article 10 requires financial entities to detect ICT-related incidents through automated monitoring with defined detection thresholds. Sentinel's Machine Learning-based anomaly detection, Microsoft Threat Intelligence integration, and pre-built analytics rules for financial services (SWIFT, SIEM for Financial Services) satisfy this requirement.
Sentinel pricing is consumption-based: $2.46/GB for security data ingested (pay-as-you-go) or commitment tiers from $123/day (50GB/day) to discounts of 15–50% for higher commitments. For a 1,000-employee financial entity generating 30–50GB/day of security logs, Sentinel costs $27K–$45K/year at pay-as-you-go, or $20K–$33K/year on the 50GB commitment tier. This is the single largest Microsoft licence cost component of a DORA-compliant security stack.
DORA Pillar 2: ICT Incident Management and Reporting
DORA Articles 17–23 require financial entities to: establish an ICT-related incident management process, classify incidents by severity, report major incidents to competent authorities within defined timeframes (initial notification within 4 hours of classification, intermediate report within 72 hours, final report within one month), and maintain post-incident analysis documentation.
Microsoft Sentinel for DORA Incident Classification
DORA Article 18 establishes incident classification criteria including: number of clients affected, duration of incident, data losses, reputational impact, and geographic spread. Microsoft Sentinel's incident management workspace allows custom incident severity classification aligned to DORA thresholds. DORA-specific analytics rules (available in the Sentinel Content Hub) automate initial classification for common financial services incident types: credential compromise, data exfiltration, ransomware, and availability impairment.
The DORA 4-hour initial notification requirement for major incidents demands automated alerting — manual triage is too slow for this SLA. Sentinel's Logic App integration (Azure Logic Apps, consumption-based: $0.000025/action) enables automated alert routing to: competent authority notification workflows, management escalation, and incident response team activation. The Logic App cost for DORA-compliant incident routing is negligible (<$500/year for a typical FS firm).
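The classification and deadline logic described above, as an added Python example (not code from the original page, and not Microsoft or Sentinel code): it scores an incident against the Article 18 criteria this section lists, derives the 4-hour, 72-hour and one-month reporting deadlines from the moment of classification, flags reports that are overdue, and returns the routing targets an automated workflow would fan out to. The numeric thresholds, the "at least two criteria" rule for a major incident, the function names and the sample incident are all assumptions constructed for illustration; the real thresholds come from the DORA classification RTS and your own incident policy.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed placeholder thresholds; replace with the RTS values and your policy.
THRESHOLDS = {
    "clients_affected": 100_000,   # absolute number of affected clients
    "duration_hours": 24.0,        # incident duration in hours
    "member_states": 2,            # geographic spread: EU member states affected
}


@dataclass
class Incident:
    incident_id: str
    clients_affected: int
    duration_hours: float
    data_loss: bool
    reputational_impact: bool
    member_states_affected: int


@dataclass
class Classification:
    major: bool
    criteria_met: list


def classify(incident: Incident, thresholds: dict = THRESHOLDS, min_criteria: int = 2) -> Classification:
    """Evaluate the Article 18 criteria named in the text and decide whether the
    incident is 'major'. The combination rule (at least `min_criteria` tripped)
    is an assumption, not the regulation's wording."""
    met = []
    if incident.clients_affected >= thresholds["clients_affected"]:
        met.append("clients_affected")
    if incident.duration_hours >= thresholds["duration_hours"]:
        met.append("duration")
    if incident.data_loss:
        met.append("data_losses")
    if incident.reputational_impact:
        met.append("reputational_impact")
    if incident.member_states_affected >= thresholds["member_states"]:
        met.append("geographic_spread")
    return Classification(major=len(met) >= min_criteria, criteria_met=met)


def add_one_month(dt: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's length (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict:
    """Deadlines run from the time the incident is classified as major:
    4 hours (initial), 72 hours (intermediate), one month (final)."""
    return {
        "initial_notification": classified_at + timedelta(hours=4),
        "intermediate_report": classified_at + timedelta(hours=72),
        "final_report": add_one_month(classified_at),
    }


def overdue_reports(deadlines: dict, now: datetime, submitted: set) -> list:
    """Names of reports whose deadline has passed without a submission."""
    return [name for name, due in deadlines.items() if name not in submitted and now > due]


def route_alert(classification: Classification) -> list:
    """Routing targets for the automated workflow (constructed names mirroring the text)."""
    targets = ["incident_response_team"]
    if classification.major:
        targets = ["competent_authority_notification", "management_escalation"] + targets
    return targets


def sample_incident() -> Incident:
    # Constructed sample: ransomware hitting clients in three member states for 30 hours.
    return Incident("INC-0001", clients_affected=120_000, duration_hours=30.0,
                    data_loss=True, reputational_impact=False, member_states_affected=3)


def sample_classified_at() -> datetime:
    # Constructed timestamp chosen to exercise the month-end clamp (31 January).
    return datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    cls = classify(sample_incident())
    deadlines = reporting_deadlines(sample_classified_at())
    print(cls)
    for name, due in deadlines.items():
        print(f"{name}: {due.isoformat()}")
    print(route_alert(cls))
```

Two design points worth keeping when adapting this: the clock starts at classification time, so the classification timestamp must itself be recorded and immutable in the incident record, and "one month" is computed on the calendar rather than as 30 days so a 31 January classification lands on 28 February rather than 2 March.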
DORA Pillar 3: Digital Operational Resilience Testing
DORA distinguishes between two testing tiers: basic digital resilience testing (Article 25, required for all financial entities) and advanced Threat-Led Penetration Testing (Article 26, required for significant financial entities every 3 years).
Basic Resilience Testing with Azure
DORA Article 25 requires annual vulnerability assessments, network security assessments, and where applicable, scenario-based testing. Microsoft Azure provides:
- Azure Chaos Studio: Resilience testing through controlled fault injection ($0.016/fault-hour). Supports DORA Article 25 "scenario-based testing" requirements by simulating Azure region failures, network partitions, and virtual machine crashes.
- Azure Site Recovery testing: Non-disruptive test failovers demonstrating recovery capability. Essential for DORA Article 11 BCDR testing requirements. Cost: included in ASR licensing ($16–$25/instance/month).
- Microsoft Defender Vulnerability Management: Continuous vulnerability assessment for Windows/Linux endpoints. Included in Defender for Endpoint P2 (within M365 E5) or available as add-on ($3/user/month).
DORA Pillar 4: ICT Third-Party Risk Management — Microsoft as TPSP
This is the most complex DORA pillar for organisations that use Microsoft as their primary cloud and productivity platform. DORA places Microsoft in the category of an ICT Third-Party Service Provider (TPSP) — and specifically, Microsoft is expected to be classified as a Critical ICT Third-Party Provider (CITP) under the European Supervisory Authorities' designation process.
The DORA Addendum: What It Must Contain
DORA Article 30 specifies minimum contractual provisions that financial entities must have with all ICT TPSPs supporting critical or important functions. For Microsoft (M365 and Azure), these provisions must cover:
- Clear description of services and data: Which M365 and Azure services are used, what data they process, and where that data is located geographically.
- Security standards: Microsoft's compliance certifications (ISO 27001, SOC 2, FedRAMP equivalent) and commitment to maintain them.
- Sub-contractors: Microsoft's sub-processor list with geographic distribution — Microsoft publishes this at trust.microsoft.com but it must be incorporated by reference in your contract.
- Business continuity: Microsoft's SLA commitments (99.9% for M365, 99.99% for Azure premium services) and planned maintenance notification requirements.
- Audit rights: Your right to audit Microsoft's compliance with the agreement — in practice, this is exercised through Microsoft's third-party audit reports (SOC 2 Type II) rather than direct audit, but the contractual right must exist.
- Exit provisions: Data portability (formats, timelines), transition support, and data deletion certification on contract termination.
- Termination provisions: Right to terminate if Microsoft fails to remediate a material security incident, materially changes its sub-contractor roster, or is itself subject to regulatory action.
Microsoft's standard EA and Online Services Terms include some but not all of these provisions. The DORA addendum (available from Microsoft on request) fills the gaps — but it must be explicitly requested and attached to your EA before your regulatory submission date.
DORA Cost Model: Microsoft Licensing for a 1,000-Employee Financial Entity
| Component | DORA Article | Microsoft Product | Annual Cost |
|---|---|---|---|
| Core productivity + retention | 5, 10 | M365 E3 (1,000 users) | $432,000 |
| SIEM/threat detection | 10, 17 | Microsoft Sentinel (50GB/day tier) | $44,895 |
| Cloud infrastructure security | 5, 6 | Defender for Cloud (100 servers) | $18,000 |
| Endpoint detection | 10, 25 | Defender for Endpoint P2 (add-on) | $36,000 |
| Identity and access | 9, 10 | Entra ID P2 (1,000 users) | $96,000 |
| BCDR resilience testing | 11, 25 | Azure Site Recovery (50 VMs) | $9,600 |
| Chaos engineering testing | 25 | Azure Chaos Studio (quarterly) | $2,400 |
| Total (list price) | | | $638,895/year |
| After 25% EA discount | | | $479,171/year |
Frequently Asked Questions
Does Microsoft provide DORA contractual provisions in standard EA terms?
No. Microsoft's standard EA and Online Services Terms do not automatically include DORA Article 30 contractual provisions. Microsoft has published a DORA addendum available on request, covering: contractual description of services, security standards, sub-contractor oversight, data location, service continuity, audit rights, and exit provisions. Financial entities must request this addendum explicitly — negotiate it as a mandatory condition of your EA.
What Microsoft products support DORA ICT risk management framework requirements?
DORA's ICT risk management framework maps to: Microsoft Defender for Cloud (infrastructure risk assessment), Microsoft Sentinel (threat detection), Microsoft Defender for Endpoint P2 (endpoint detection), Entra ID P2 (privileged access management), and Microsoft Purview Compliance Manager (compliance assessment). The full DORA risk management product stack for a 1,000-user FS firm costs approximately $480K–$640K/year at list price before EA discounts.
How does DORA's threat-led penetration testing requirement affect Microsoft licensing?
DORA Article 26 requires significant financial entities to conduct Threat-Led Penetration Testing every 3 years. Azure's penetration testing policy permits customer-conducted pen testing on their own Azure deployments without prior Microsoft approval. TLPT in scope of M365 services requires coordination with Microsoft. The TLPT itself does not require specific Microsoft licensing but remediation tooling affects ongoing licensing costs.
What is Microsoft's DORA concentration risk status?
Microsoft is among the cloud providers expected to be designated as a Critical ICT Third-Party Provider (CITP) under DORA's ESA designation process. Financial entities using Microsoft must demonstrate in their ICT third-party risk register that they have assessed Microsoft's CITP status, the concentration risk, and any exit plan requirements — even if exit is theoretically unlikely.
How should financial entities document Microsoft as an ICT third-party provider under DORA?
DORA Article 28(3) requires financial entities to maintain a register of ICT third-party arrangements. For Microsoft, this register entry must include: services and data covered, geographic location of data processing, sub-contractors with access, resilience and continuity arrangements, exit and substitution plan, and audit rights exercised. The register must be submitted to your competent authority annually from January 2025.