DORA Compliance FinTech E-Invoicing

DORA and e‑invoicing: assessing criticality

The Digital Operational Resilience Act (DORA) sets uniform rules for digital resilience in the financial sector — what does this mean for e‑invoicing providers?

16. March 2026

5 min read

EU Regulation 2022/2554 entered into force on 17 January 2025. An IT provider can be critical for one client but not for another — the assessment lies with the financial institution itself.

What is DORA and why does it matter?

DORA sets uniform rules for digital resilience in the financial sector. Financial entities must manage ICT risks and reflect specific obligations in contracts with their IT vendors.

DORA distinguishes between standard ICT services and services supporting critical or important functions: if the failure of a service would materially impair a firm's financial performance or regulatory compliance, it triggers additional contractual obligations.

Article 30: basic vs. enhanced requirements

Basic Requirements (Paragraph 2)

Must be included in every contract between a financial firm and an IT provider:

Detailed description of services and permitted subcontractors
Locations of data processing and storage
Availability, authenticity and confidentiality of data
Procedures for data access and return upon termination
SLAs and incident response support at no additional cost
Cooperation with supervisory authorities
Termination rights and minimum notice periods
Participation in client's awareness and resilience programmes

Enhanced Requirements (Paragraph 3)

Additional requirements when a service supports a critical or important function:

Detailed SLAs with quantitative and qualitative metrics
Notifications about events affecting service delivery
Business continuity and disaster recovery plans
Participation in threat-led penetration testing (TLPT)
Unrestricted audit rights for client and regulators
Formal exit plan with transition period and data transfer guarantees

When can e-invoicing be considered non-critical?

In the CAL&F case study, e-invoicing is generally seen as an ancillary process:

Does not directly affect lending or factoring

Can be temporarily replaced by paper invoices

Many alternative providers available

Many financial firms deem e-invoicing non-critical and apply only basic Article 30(2) requirements. However, the final classification always rests with the bank or factoring company.

What is a "negative / non-relevant declaration"?

If a service provider considers its service non-critical, it sends a negative declaration — a statement that:

Describes the service (e.g., electronic invoice exchange)
Explains why the service does not materially affect financial resilience
Notes that the final classification rests with the client

Minimum DORA addendum for an e-invoicing contract

Even if a function is deemed non-critical, the contract must include mandatory Article 30(2) elements:

Cooperation with regulators

Provider agrees to give access to data and liaise with supervisory authorities.

Incident support

Provider helps investigate and resolve ICT incidents at no extra cost.

Data access and return

Rules for retrieving data upon contract termination or provider insolvency.

Participation in resilience programmes

Provider takes part in client's training and testing activities.

Invoice-Portal's logs and data enable clients to meet their monitoring and reporting duties: every event is recorded, documents are preserved in original form, and reports can be produced on demand.

E-invoice decisions of the Ministry of Finance from 15/10/2024

November 21, 2024/in eInvoice News

Invoice transmission: The contracting parties must agree between themselves under civil law which permissible electronic invoice format and which permissible transmission channel is to be used.

Receipt channels: An e-mail inbox is sufficient for the legally compliant receipt of electronic invoices. Alternatively, interfaces or portals are also permitted.

In the long term, the transmission channels will be reviewed as part of the VIDA implementation, with more specific requirements being defined if necessary.

Sanctions: From the start of the obligation (2027 or 2028), ‘other invoices’ (e.g. paper or PDF) will no longer be eligible for input tax deduction. Additional penalties for refusing to accept an e-invoice are currently not envisaged. However, if the recipient refuses to accept the e-invoice even though the sender has demonstrably endeavoured to transmit it correctly, the recipient will be in default.

Writing and Sending Offer in Invoice-Portal

March 29, 2024/in eInvoice News

Peppol and sending of electronic invoices

August 7, 2021/in eInvoice News

What is behind Peppol? Peppol is a network that can be used to transmit electronic documents from suppliers to public authorities. In the future, every European company should be able to exchange messages with every public sector customer, for example invoices or other business documents. How Peppol works, how you can become a Peppol user […]

New features in Invoice Portal

August 7, 2021/in eInvoice News

AI Support Agent ×