Official source map

DORA official sources

Primary DORA sources: official regulation text, ESMA and ESA guidance, ICT risk and third-party register references, and EuroComply checklists.

What official sources should SMEs cite for DORA?

The primary source for DORA is Regulation (EU) 2022/2554, supported by ESA and ESMA technical standards and guidance. Financial entities should retain evidence for ICT risk management, incident reporting, resilience testing, third-party risk management and ICT provider registers.

Chapter II: ICT risk management
Chapter III: Incident reporting
Chapter IV: Resilience testing
Chapter V: Third-party risk

Primary source	Regulation (EU) 2022/2554
EuroComply source page	/sources/dora
Last reviewed	2026-05-11

Source: Regulation (EU) 2022/2554Reviewed: 2026-05-11

Official links

Regulation (EU) 2022/2554Official DORA regulation text.ESMA DORA guidanceESMA DORA implementation and regulatory technical standards.

Key references

Reference	Topic	Why it matters
Chapter II	ICT risk management	Core control framework.
Chapter III	Incident reporting	Major incident reporting duties.
Chapter IV	Resilience testing	Testing and TLPT where applicable.
Chapter V	Third-party risk	ICT provider contract and register duties.

Use the source map with an action plan

Official sources answer what the law says. EuroComply guides turn those references into owners, deadlines, evidence and dashboard-ready actions.

DORA compliance checklist DORA ICT register template DORA for ICT providers DORA compliance guide

EU AI Act official sources GDPR official sources NIS2 official sources Data Act official sources Pay Transparency Directive official sources