DORA FAQ

Effective: June 10, 2025

The Digital Operational Resilience Act (Regulation (EU) 2022/2554), or DORA, is an EU Regulation that took effect on January 17, 2025. It aims to establish a high level of digital operational resilience across the financial services sector in the EU. DORA primarily applies to financial entities as defined in Article 2(2) of the Regulation.

Amplitude is not a financial services entity and is not directly subject to DORA. However, we may provide information communication technology (ICT) services to financial entities, or to companies providing ICT services to financial entities, within the EU. DORA and its implementing regulations require certain contractual provisions between financial entities and ICT service providers.

Article 30(2) sets forth the contractual requirements for any ICT service provider, and Article 30(3) provides additional requirements for ICF services providers “supporting critical or important functions.”

Amplitude provides industry-leading digital analytics solutions, but it does not provide a “critical and important function” as defined in DORA. DORA defines a “critical or important function” as “a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.”

Therefore, Amplitude adheres to the requirements outlined in Article 30(2) of DORA for non-critical and non-important ICT service providers.

For Amplitude Customers that are EU financial entities only Article 30(2)’s requirement apply. Article 30(2)(a) states that financial entities must state in their contracts with ICT service providers whether subcontracting of ICT services supporting critical or important functions is permitted, and any conditions.

To help such customers satisfy these requirements, our DORA Addendum can be incorporated by reference into our Main Services Agreement or Order Form, as applicable, and will then apply between you and Amplitude.

For Amplitude customers that are vendors to EU financial entities, the European Supervisory Authorities have issued draft Regulatory Technical Standards (RTS) on subcontracting ICT services under DORA. The RTS further clarified that the obligations for subcontracting only apply to subcontractors “providing ICT services supporting critical or important functions or material parts thereof.” (E.g., RTS on Subcontracting, Article 3.) Moreover, the RTS states that financial entities should focus on subcontractors that “effectively underpin” the ICT service supporting critical or important functions.” (RTS, Recital 6.)

As stated above, Amplitude’s services do not meet these standards. However, we do offer this DORA Addendum, which addresses the requirements of Article 30(2).

As a SaaS platform provider to thousands of customers, Amplitude is unable to review and sign individual customer templates of DORA clauses due to scalability and operational considerations.

Amplitude’s DORA Addendum sets out provisions regarding compliance with DORA whilst reflecting the specifics of Amplitude’s Services.