Well, our beloved EU bureaucrats and their DORA regulation put emphasis on "ICT Providers", sometimes called TPPs (Third Party Providers). Copy-paste from the ESAs' guidelines:
With regard to ICT third-party risk management, financial entities will have to maintain, at
entity, sub-consolidated and consolidated level, a register of information on all their
contractual arrangements on the use of ICT services provided by ICT TPPs. The requirement to
maintain a register will oblige financial entities to gather a certain amount of information
about their contracts with the ICT TPPs and about the ICT TPPs themselves.
Unfortunately, eramba might fall under the TPP definition as per the following incredibly boring document: https://www.eiopa.europa.eu/system/files/2023-09/ESAs%20report%20on%20the%20landscape%20of%20ICT%20TPPs.pdf
Our recommendation here is to mitigate some of the problems by using eramba on-prem. This will remove all the availability (since you host it), integrity (since you manage the data) and confidentiality (since you decide who can access it) concerns. There is still the application itself (its updates, inner workings, support, etc.) to deal with, but in the general view of the customers we have worked with so far (which are affected by DORA) this is something that can be handled with far more flexibility.
Because we get this question here and there, we thought it would be easier to just write our general recommendation on this issue here.