Since DORA applied on 17 January 2025, a software contract inside a regulated bank is a resilience artifact an examiner can test, not a procurement document the legal team files and forgets.
Prepared by Redress Compliance · June 2026 · Representative regulated bank estate (benchmark scenario, not a quote). Benchmark ranges drawn from engagements Morten Andersen led across regulated firms in 2024 to 2025.
In a regulated firm the cheapest contract is often the most expensive one. A discount that ships without exit, portability, and audit rights leaves a gap the supervisor makes the bank answer for, not the vendor. We have watched that gap cost far more than any price concession saved.
Three rule sets, with standing FFIEC examiner guidance behind them in the US, now sit on top of every material vendor deal. The EU Digital Operational Resilience Act applied on 17 January 2025. The EBA outsourcing guidelines have bound European banks since 30 September 2019.
The US Interagency Guidance on Third-Party Relationships became final in June 2023. Each rule set wants the same four things in writing: exit, audit access, concentration limits, and a credible alternative.
Across roughly 40 to 60 regulated firm engagements benchmarked in 2024 to 2025, the firms that negotiated price and compliance terms in one pass held renewal uplift to single digits. In our representative bank, that discipline avoided $1.86M of vendor opening uplift across five critical vendors in one renewal cycle.
This paper covers the four moves a regulated buyer owns: govern concentration and resilience, hold an audit baseline per vendor across Oracle, Microsoft, IBM, and SAP, price cloud exit and portability into the deal, and run licensing as part of the operational risk framework rather than beside it.
The contract matters because a supervisor can examine it. In a regulated bank the contract has to satisfy the regulator as well as procurement. A clause that is routine for a manufacturer can become a compliance gap that the firm, not the vendor, has to defend at the next inspection.
Four rule sets shape the terms. They overlap on the same demands, so a single well drafted contract can satisfy all of them at once.
| Rule set | In force | What it forces into the contract |
|---|---|---|
| DORA (EU) | 17 Jan 2025 | Register of information on every ICT arrangement, exit plans, and audit and access rights for the firm and the regulator over the provider. |
| EBA outsourcing guidelines | 30 Sep 2019 | Stricter terms for critical or important functions, documented exit strategies, and concentration monitoring at the provider level. |
| US Interagency Guidance | Jun 2023 | Risk based management across planning, due diligence, contract negotiation, monitoring, and termination of the relationship. |
| FFIEC examiner guidance | Standing | Examiner expectations on outsourced technology, including the right to review the provider and a tested exit. |
Operational resilience and outsourcing rules drive the terms, not the procurement template. Read the EBA's DORA pages and the text of the US Interagency Guidance before you finalize any material vendor contract.
Treat concentration as a board level number, not a procurement footnote. Concentration risk is now examined directly. The licensing strategy has to show that alternatives exist and can be reached inside the resilience plan.
The first move is to classify every vendor by regulatory materiality, then measure how much of the critical estate sits with each one. In our representative bank the critical software spend splits as follows.
Representative regulated bank. Shares sum to 100%. Benchmark scenario, not a quote.
| Vendor tier | Materiality | Share of critical spend | Resilience requirement |
|---|---|---|---|
| Core banking | Material | 34% | Tested exit and a named alternative provider. |
| Oracle | Material | 22% | Entitlement baseline and portability of data. |
| Microsoft | Important | 18% | Exit assistance period and BYOL clarity. |
| SAP | Important | 14% | Indirect access mapped, named alternative for analytics. |
| IBM | Supporting | 12% | Sub capacity reporting current, second source for middleware. |
| Total | | 100% | |
Audit and access rights that run the right way. A standard software contract grants the vendor the right to audit the customer. DORA and the EBA guidelines require the reverse as well: the firm and its competent authority must hold audit and access rights over the provider. Most enterprise templates omit this, so the regulated buyer has to add it.
Hold a verified entitlement baseline per vendor before any audit notice arrives. A clean baseline turns an audit from a threat into a routine reconciliation. Without one, the vendor sets the number and the clock.
Each publisher has a different trigger and a different mechanic. The defense is the same shape every time: know your true position first.
| Vendor | Common trigger | The mechanic that bites | Buyer side defense |
|---|---|---|---|
| Oracle | Cloud migration or a ULA exit | Java SE is priced per employee since January 2023, and a data request usually wants a response in 30 to 45 days. | Baseline deployments before notice, and certify the ULA before any cloud count. |
| IBM | Virtualized hosts without reporting | Sub capacity needs ILMT installed inside 90 days, or licensing reverts to full capacity across every core. | Keep ILMT current and reconcile quarterly against Passport Advantage. |
| Microsoft | Annual true up or a SAM engagement | The Enterprise Agreement true up captures growth once a year, and the audit clause runs on short notice. | Reconcile before the anniversary order, not after the audit letter. |
| SAP | Digital and indirect access | Third party systems that create documents in SAP through an integration can be charged under digital access, per document, outside the named user count. | Map every integration to a license type before renewal. |
The audit clock starts at notice, not when it suits you. Ask for more time early; an extension to roughly 90 days is common.
When IBM sub capacity reporting lapses, every activated core in the physical host is counted, not just the cores assigned to the workload. The multiplier is the ratio of host cores to assigned cores, so it grows with the host size.
The cost difference between a defended audit and an undefended one is not marginal. Our engagement file puts a settled audit without a verified baseline at 8 to 15% of annual vendor spend. With a clean baseline it falls to 1 to 3%.
Benchmark ranges, midpoints shown. Source: Redress Compliance advisory engagement file, 2024 to 2025.
| Scenario | Settlement, share of annual vendor spend | Midpoint used in chart |
|---|---|---|
| No verified baseline | 8 to 15% | 11% |
| Verified baseline | 1 to 3% | 2% |
For the mechanics behind these numbers, see the vendor pages for IBM License Metric Tool and the Oracle Java SE subscription.
Portability and a tested exit, priced into the deal. Cloud licensing is where regulated firms most often sign terms that breach resilience rules without noticing. The discount is visible. The missing exit clause is not.
Three mechanics move the real cost well after signature. Each one is routine for the vendor and easy for the buyer to miss.
The standard advice is to negotiate the lowest price and treat compliance terms as legal boilerplate. We disagree, and the engagement data is clear on why.
In the regulated engagements we ran, the missing exit and audit clauses cost far more than any discount saved. A cheap contract that breaches operational resilience rules is the expensive contract, because the firm carries the regulatory exposure long after the saving is booked.
The buyer side move is to negotiate price and compliance terms together, in one pass, so resilience, exit, and audit rights are priced into the deal from the start. Splitting them is where regulated firms lose the most, because the compliance clauses are almost impossible to retrofit once the deal is signed.
Here is the representative bank carried through one renewal cycle across its five critical vendors. The vendor opening uplift is what the account teams asked for. The governed outcome is what a price and compliance negotiation in one pass delivered.
| Vendor | Annual spend | Vendor opening uplift | Governed outcome | Uplift avoided |
|---|---|---|---|---|
| Core banking | $8.0M | +12% ($0.96M) | +4% ($0.32M) | $0.64M |
| Oracle | $5.3M | +9% ($0.48M) | +0% ($0.00M) | $0.48M |
| Microsoft | $4.3M | +10% ($0.43M) | +3% ($0.13M) | $0.30M |
| SAP | $3.4M | +8% ($0.27M) | +2% ($0.07M) | $0.20M |
| IBM | $3.0M | +9% ($0.27M) | +1% ($0.03M) | $0.24M |
| Total | $24.0M | $2.41M | $0.55M | $1.86M |
Representative regulated bank. Rows and totals reconcile. Benchmark scenario, not a quote. Source: Redress Compliance advisory engagement file, 2024 to 2025.
The lever that moved every line: price and compliance were negotiated in the same conversation, so the bank never had to choose between a discount and a clause an examiner would later demand.
Map the regulatory exposure first, then negotiate. The exposure sets the must have clauses, and the clauses set the floor you defend on price. Run the sequence as three phases around the renewal date.
1. Classify vendors by regulatory materiality and build a verified entitlement baseline for each one. Update the DORA register.
2. List the exit, portability, and audit clauses you require, and document a credible alternative for each critical vendor.
3. Negotiate price and compliance terms in a single pass, and hold the baseline against the renewal uplift.
Recommendation: run licensing inside the operational risk framework, not beside it.
We can walk your baseline and your three biggest levers in a short call. We are glad to tie a meaningful part of the fee to delivered value.