
What Is DORA? A Complete Guide for Financial Entities


DORA (Regulation 2022/2554) has applied since January 2025. This guide covers who it applies to, the five pillars of ICT risk management, incident reporting, third-party provider rules, and fines.

Source: EuroComply Editorial (2026-04-14). Reviewed by: EuroComply Team, EU regulatory specialists. Content reviewed against official EUR-Lex texts.

Author: EuroComply Editorial Team

The Digital Operational Resilience Act (Regulation 2022/2554) entered into application on 17 January 2025. It establishes a uniform framework for the digital operational resilience of the EU financial sector — requiring financial entities and their critical ICT third-party service providers to manage ICT risk in a consistent, comprehensive way.

DORA is not a voluntary standard or a soft-law guidance document. It is directly applicable EU law, enforceable by national competent authorities and, for significant institutions, by the European Central Bank.

What Is DORA?

DORA's objective is to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. Before DORA, EU financial regulation addressed operational resilience only in a fragmented way, scattered across sector-specific directives. DORA unifies these obligations into a single, technology-neutral framework.

The regulation covers five main areas — known informally as the five pillars — across 64 articles.

Who Does DORA Apply To?

DORA has broad scope across the financial sector. It applies to:

| Entity Type | Examples |
|-------------|----------|
| Credit institutions | Banks, building societies |
| Payment institutions | Payment processors, e-money issuers |
| Investment firms | Brokers, portfolio managers |
| Insurance and reinsurance undertakings | Life and non-life insurers, reinsurers |
| Crypto-asset service providers (CASPs) | Exchanges, custodians under MiCA |
| Central counterparties (CCPs) | Clearing houses |
| Trade repositories | |
| Managers of alternative investment funds (AIFMs) | |
| Management companies (UCITS) | |
| ICT third-party service providers | Cloud providers, data analytics, software vendors serving financial entities |

Micro-enterprises (fewer than 10 employees and annual turnover/balance sheet below €2M) benefit from simplified requirements under the proportionality principle.

ICT third-party service providers are covered directly under DORA when designated as critical by the Joint Committee of the European Supervisory Authorities (ESAs: EBA, ESMA, EIOPA). Critical third-party providers are subject to an EU oversight framework and can receive binding recommendations.

The Five Pillars of DORA

Pillar 1: ICT Risk Management Framework (Articles 5–16)

Financial entities must have a comprehensive, documented ICT risk management framework maintained by the management body (board-level accountability). The framework must:

  • Identify and classify ICT assets, functions, and dependencies
  • Implement protection and prevention measures for identified risks
  • Establish detection mechanisms for anomalous activities
  • Define response and recovery procedures
  • Include post-incident review processes
  • Be reviewed at least annually and after major incidents

Senior management bears direct responsibility. DORA explicitly requires that the management body define, approve, oversee, and bear responsibility for the ICT risk management framework — it cannot be entirely delegated.

Pillar 2: ICT-Related Incident Management and Reporting (Articles 17–23)

Financial entities must implement an ICT-related incident management process to detect, classify, and report incidents.

Classification: Incidents are classified using criteria set by the ESAs — impact on data, services affected, geographic spread, criticality, duration, and economic impact.

Reporting timelines for significant ICT incidents:

| Report | Deadline | Content |
|--------|----------|---------|
| Initial notification | 4 hours after classification as major | Basic facts, classification, preliminary impact |
| Intermediate report | 72 hours after initial notification | Updated analysis, mitigation measures taken |
| Final report | 1 month after incident closure | Root cause, permanent fixes, lessons learned |

Reports go to the relevant competent authority (e.g. national financial regulator). The competent authority may then notify other authorities (ECB, ESMA, EBA) as appropriate.

Financial entities may also voluntarily notify significant cyber threats — even before they materialise into incidents.
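The three reporting clocks above translate directly into a small deadline tracker. The Python below is an added example written for this guide, not code from EuroComply or any regulator; the `MajorIncident` record, its field names, and the rule that the 72-hour clock is planned from the latest possible initial-notification time until the initial report is actually sent are assumptions for illustration, not DORA-defined structures.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Deadlines as stated in the guide: 4 h / 72 h / 1 month.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_MONTHS_AFTER_CLOSURE = 1


def utc(y: int, m: int, d: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp (mixing naive and aware values raises)."""
    return datetime(y, m, d, hour, minute, tzinfo=timezone.utc)


def add_months(moment: datetime, months: int) -> datetime:
    """Calendar-month step that clamps to the last day of a shorter month
    (31 Jan + 1 month -> 28/29 Feb), so the result is always a real date."""
    year = moment.year + (moment.month - 1 + months) // 12
    month = (moment.month - 1 + months) % 12 + 1
    day = min(moment.day, monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class MajorIncident:  # hypothetical tracking record, not a DORA-defined one
    incident_id: str
    classified_major_at: datetime      # moment triage concluded "major"
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        initial = self.classified_major_at + INITIAL_AFTER_CLASSIFICATION
        # The 72 h clock runs from the initial notification; until that is
        # sent, plan against the latest moment it could be sent.
        intermediate = (self.initial_sent_at or initial) + INTERMEDIATE_AFTER_INITIAL
        # The final-report clock only starts once the incident is closed.
        final = add_months(self.closed_at, FINAL_MONTHS_AFTER_CLOSURE) if self.closed_at else None
        return {"initial": initial, "intermediate": intermediate, "final": final}

    def overdue(self, now: datetime) -> List[str]:
        """Names of reports whose deadline has passed without being sent."""
        sent = {"initial": self.initial_sent_at,
                "intermediate": self.intermediate_sent_at,
                "final": self.final_sent_at}
        return [name for name, due in self.deadlines().items()
                if due is not None and sent[name] is None and now > due]
```

Run `overdue(now)` from a scheduled job and alert well before a clock expires; the month-end clamp matters because a closure on the 31st would otherwise produce an invalid final-report date.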

Pillar 3: Digital Operational Resilience Testing (Articles 24–27)

All covered financial entities must conduct basic resilience testing at least annually: vulnerability assessments, open-source analyses, network security assessments, gap analyses, physical security reviews, and scenario-based testing.

Significant entities — those identified as such by competent authorities based on systemic importance — must additionally conduct Threat-Led Penetration Testing (TLPT) at least every 3 years. TLPT must:

  • Use threat intelligence to simulate real adversary tactics
  • Cover live production systems (not just test environments)
  • Be conducted by accredited external testers
  • Follow the TIBER-EU or equivalent framework

Results of TLPT, including identified vulnerabilities and remediation plans, are shared with the competent authority.

Pillar 4: ICT Third-Party Risk Management (Articles 28–44)

This pillar addresses the dependency of financial entities on external ICT providers — cloud platforms, data centres, software vendors, outsourced processing.

Key obligations:

  • Maintain a register of all ICT third-party contracts, including information on criticality, sub-outsourcing chains, and exit strategies
  • Conduct pre-engagement due diligence and ongoing monitoring of all ICT service providers
  • Ensure contracts with ICT third parties include mandatory clauses: service level agreements, audit rights, security requirements, incident notification, data location, termination rights
  • Implement documented exit strategies for all critical or important ICT functions — to avoid lock-in and ensure operational continuity if a provider fails or is withdrawn

For critical ICT third-party providers (designated by the ESAs), a direct EU oversight framework applies. Lead overseers (EBA, ESMA, or EIOPA depending on the provider's primary sector) conduct oversight visits, request information, and can issue binding recommendations. Financial entities may not use a critical third-party provider that does not comply with the lead overseer's recommendations.

Pillar 5: Information Sharing (Article 45)

Financial entities may (and are encouraged to) participate in information sharing arrangements on cyber threats, vulnerabilities, indicators of compromise, and attack techniques with trusted peers — within EU law and without prejudice to GDPR obligations.

Relationship to NIS2

NIS2 (Directive 2022/2555) also applies to financial entities as operators of essential services. However, DORA functions as lex specialis: where a financial entity is subject to both NIS2 and DORA for the same ICT risk management obligations, DORA takes precedence. Financial entities comply with DORA, not NIS2, for those overlapping requirements.

Member states must ensure that their NIS2 transpositions do not impose additional obligations on financial entities covered by DORA for the same subject matter.

Fines and Enforcement

DORA leaves specific penalties to Member State law. Each national competent authority sets and applies administrative sanctions within its jurisdiction. However:

  • The ECB can impose sanctions of up to 10% of total annual worldwide turnover on significant supervised institutions that breach DORA requirements
  • Periodic penalty payments can be imposed on critical third-party providers to compel compliance — up to 1% of average daily worldwide turnover, applied for up to 6 months

Beyond fines, competent authorities can impose: temporary prohibition of activities, public reprimands, orders to cease conduct, and requirements to notify customers of incidents.

Five-Step Practical Checklist for Financial Entities

  1. Assign board ownership — appoint a senior executive accountable for ICT risk and present DORA programme status to the management body quarterly
  2. Build your ICT asset register — map all ICT systems, functions, and dependencies; classify by criticality
  3. Audit your third-party contracts — identify all ICT service providers, check contracts against DORA's mandatory clause requirements, establish an exit strategy for each critical function
  4. Implement incident classification — build a triage process that can determine whether an incident meets the "significant ICT incident" threshold within 4 hours
  5. Schedule resilience testing — run basic tests annually; if you are a significant entity, initiate TLPT preparation (lead time is typically 6–12 months)

Last updated: April 2026. For informational purposes only — not legal advice.


EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
