DORA Compliance: What Financial Institutions Need to Know
Ensuring Digital Resilience

The Digital Operational Resilience Act (DORA) is an EU regulation (EU 2022/2554) that requires financial institutions to demonstrate they can withstand, respond to and recover from ICT disruptions including cyber attacks, system failures and third party outages. DORA has been in force since 17 January 2025, applying to over 21,000 financial entities across the EU with no phase-in period. It covers 20 different types of financial entity, from banks and insurers to payment institutions and crypto-asset providers, along with their critical ICT service providers.
This isn’t just another compliance framework gathering dust on a shelf. DORA fundamentally changes how the financial sector manages digital risk by setting a single, harmonised standard across the EU. Before DORA, operational resilience requirements were fragmented across different national regulations and sector-specific rules. Now there’s one set of requirements that applies to everyone.
The regulation is built around five core pillars: ICT risk management, incident reporting, digital operational resilience testing, third party risk management and information sharing. Each pillar has specific requirements backed by regulatory technical standards from the European Supervisory Authorities (ESAs). What follows is a practical guide to what each pillar requires and what it means for your organisation.
What is DORA and why does it matter?
DORA – the Digital Operational Resilience Act – is an EU regulation designed to strengthen the financial sector’s ability to handle ICT-related disruptions. It recognises a simple reality: financial services now run on technology. Banks depend on cloud platforms, insurers rely on digital claims systems, payment firms process transactions through third party infrastructure. When that technology fails, the consequences can be severe – not just for individual firms, but for the stability of the financial system as a whole.
Before DORA, there was no single EU-wide framework covering digital operational resilience for the financial sector. Different countries had different rules. Different regulators had different expectations. DORA replaces that patchwork with a consistent set of requirements that apply across all EU member states.
The regulation doesn’t just apply to the financial institutions themselves. It also brings critical ICT third party service providers – including major cloud providers and software vendors – under direct regulatory oversight through the ESA oversight framework. This is a significant shift. For the first time, regulators can directly supervise the technology providers that the financial sector depends on.
Who does DORA apply to?
DORA applies to 20 types of financial entity as defined in Article 2 of the regulation. This includes banks and credit institutions, investment firms, insurance and reinsurance companies, payment institutions, electronic money institutions, central securities depositories, trading venues, fund managers, crypto-asset service providers and crowdfunding platforms, among others.
It also applies directly to ICT third party service providers designated as critical by the European Supervisory Authorities. This means large cloud providers, data centre operators and other technology companies serving the financial sector can fall under direct regulatory oversight.
The scope is deliberately broad. If your organisation provides financial services in the EU, or provides critical technology services to those that do, DORA almost certainly applies to you. There are limited proportionality provisions for microenterprises, but the core requirements apply regardless of size.
What are the five pillars of DORA compliance?
DORA is structured around five core pillars, each covering a different aspect of digital operational resilience. Together, they create a comprehensive framework that addresses how financial institutions identify risk, respond to incidents, test their defences, manage their supply chain and share intelligence with the wider sector.
What does DORA require for ICT risk management?
ICT risk management is the foundation of DORA compliance and the most extensive pillar, covered in Chapter II of the regulation (Articles 5-16). Financial entities must establish and maintain a comprehensive ICT risk management framework that is documented, regularly reviewed and fully integrated into their overall risk management approach.
In practical terms, this means maintaining a complete inventory of all ICT assets and their dependencies; conducting risk assessments at least annually or whenever significant changes occur; implementing measures to protect against and detect ICT threats in real time; and establishing robust business continuity and disaster recovery plans that are regularly tested.
The framework must be approved by your management body, which retains ultimate responsibility for ICT risk management. This isn’t something that can be delegated entirely to the IT department. DORA explicitly requires board-level engagement and oversight.
There is a simplified framework available for entities that qualify as microenterprises under Article 16, but even this requires documented risk management processes, incident handling procedures and business continuity planning.
What are the DORA incident reporting requirements?
Chapter III of DORA (Articles 17-23) sets out requirements for ICT incident management, classification and reporting. Financial entities must establish a structured incident management process that can detect, manage, record and report all ICT-related incidents.
All ICT incidents must be classified using defined criteria including the number of affected clients, the duration of the disruption, the geographic spread, data losses involved and the criticality of the services affected. When an incident is classified as major, it must be reported to the relevant competent authority through a structured, phased reporting process: an initial notification, an intermediate report and a final report.
The initial notification must be submitted promptly – within hours, not days. The regulation also requires financial entities to inform affected clients about major incidents and the measures taken to mitigate their impact.
Financial entities can also voluntarily report significant cyber threats to their competent authority, even when those threats haven’t yet resulted in an incident. This feeds into the broader intelligence-sharing aims of the regulation.
What does DORA require for digital operational resilience testing?
Chapter IV (Articles 24-27) requires financial entities to establish and maintain a comprehensive digital operational resilience testing programme. The aim is straightforward: you need to prove your systems can actually withstand disruptions, not just claim they can.
The testing programme must be risk-based and proportionate to the entity’s size and risk profile. All critical ICT systems and applications must be tested at least annually. Testing should cover a range of methods including vulnerability assessments, network security assessments, scenario-based testing, performance testing and penetration testing.
For larger, systemically important financial entities, DORA requires advanced threat-led penetration testing (TLPT) at least every three years. This involves simulating real-world attack scenarios against live production systems, conducted by qualified external testers following recognised frameworks such as TIBER-EU. Smaller firms are explicitly exempted from the TLPT requirement.
Testing alone isn’t enough. DORA requires that identified weaknesses, deficiencies and gaps are promptly addressed, with remediation actions documented and validated.
What does DORA require for ICT third party risk management?
Chapter V (Articles 28-44) covers ICT third party risk management and is widely considered the most challenging pillar to implement. Financial entities must manage third party ICT risk as an integral part of their overall risk management framework, not as a separate compliance exercise.
The requirements include maintaining a register of all contractual arrangements with ICT third party providers; conducting thorough due diligence before entering into arrangements; ensuring contracts include specific provisions covering audit rights, incident reporting, data location, exit strategies and business continuity; and continuously monitoring provider performance and risk throughout the relationship.
DORA also establishes an oversight framework for critical ICT third party providers, giving the ESAs direct supervisory powers over the most important technology vendors serving the financial sector. This includes the power to conduct inspections, request information and impose penalties for non-compliance.
For a detailed guide to third party contract requirements and practical implementation challenges, see our guide to DORA third party compliance.
How does DORA encourage information sharing?
The fifth pillar, covered in Article 45, encourages (but does not mandate) financial entities to participate in voluntary information-sharing arrangements. These arrangements allow organisations to exchange cyber threat intelligence including indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools.
The intent is collaborative defence. When one institution detects a new threat or attack pattern, sharing that intelligence quickly across the sector helps others prepare before they’re targeted. Financial entities must notify their competent authority when they join or leave information-sharing arrangements.
While this pillar is voluntary, regulators clearly expect the sector to take it seriously. Institutions that actively participate in threat intelligence sharing are better positioned to demonstrate the proactive approach to risk management that DORA requires.
What has changed since DORA came into force?
DORA has been fully applicable since 17 January 2025, with no transitional period. Financial entities and their ICT providers were expected to have the necessary frameworks, processes and contractual arrangements in place from day one.
In practice, the implementation picture across the sector is mixed. Some organisations prepared early and had their frameworks, contracts and testing programmes ready well before the deadline. Others are still working through the requirements, particularly around third party contract renegotiations with large providers who have been slow to adjust their standard terms.
Regulators are taking a pragmatic approach to enforcement in this early period, focusing on evidence of genuine progress rather than demanding perfection immediately. However, that window won’t stay open indefinitely. Financial entities that haven’t yet made meaningful progress on their DORA compliance programmes should be accelerating their efforts now.
The regulatory technical standards (RTS) and implementing technical standards (ITS) continue to be finalised and published by the ESAs, providing more detailed guidance on specific requirements. Keeping track of these updates is essential for maintaining compliance.
What are the penalties for DORA non-compliance?
DORA penalties work differently depending on who is in breach. For financial entities, administrative penalties and remedial measures are set by individual EU member states under Article 50 of the regulation. This means penalties vary by country, but turnover-based ceilings typically range from 5% to 10% of annual turnover depending on the jurisdiction, with some member states also imposing absolute monetary caps.
For critical ICT third party providers under the ESA oversight framework, the penalties are more prescriptive. The regulation allows for periodic penalty payments of up to 1% of average daily worldwide turnover, accumulating daily for up to six months until compliance is achieved.
Beyond financial penalties, competent authorities have powers to publicly disclose breaches, restrict business activities and in severe cases suspend operations. Individual senior managers can also face personal fines. The reputational impact of public enforcement action is often a greater concern for financial institutions than the financial penalties themselves.
How does DORA relate to NIS2 and GDPR?
DORA operates alongside both the NIS2 Directive and GDPR, but the relationships are different.
DORA is considered lex specialis (sector-specific law) in relation to NIS2. This means that for financial entities covered by DORA, its provisions on ICT risk management, incident reporting and third party risk take precedence over the equivalent NIS2 requirements. If your organisation falls under both, you comply with DORA’s requirements for those areas rather than duplicating effort under NIS2.
GDPR continues to apply in parallel. DORA covers operational resilience; GDPR covers data protection. The two overlap in areas like incident notification (a major ICT incident may also be a personal data breach requiring GDPR notification) and third party management (your ICT provider may also be a data processor). Your compliance programmes need to account for both sets of requirements.
How should organisations approach DORA compliance?
If you’re still in the early stages of DORA compliance, the most effective approach is to start with a gap analysis against the five pillars. Understand where your existing frameworks, processes and contracts already meet the requirements and where the gaps are.
Assess your ICT risk management framework: Does it meet the documentation, governance and testing requirements of Chapter II? Is it approved at board level?
Review your incident management processes: Can you detect, classify and report major ICT incidents within the timeframes DORA requires?
Evaluate your testing programme: Are you testing critical systems at least annually? If you’re a significant entity, are you prepared for TLPT requirements?
Audit your third party arrangements: Do your contracts include the specific provisions DORA mandates? Do you have a complete register of ICT service provider arrangements?
Consider information sharing: Are you participating in any threat intelligence sharing arrangements within the financial sector?
The investment required for DORA compliance is significant, particularly for smaller entities with limited resources. But the regulation isn’t just about compliance for its own sake. Organisations that implement DORA’s requirements properly will be genuinely more resilient – better at detecting threats, faster at responding to incidents and more prepared for the disruptions that will inevitably come.
For more information on DORA compliance and how Razorthorn can help, visit our DORA Compliance Service [link to /dora-compliance/] or get in touch to discuss your requirements [link to /contact-us/].
DORA compliance resources
DORA guidance continues to evolve as the ESAs publish regulatory technical standards and implementation guidance. Key resources to monitor include the European Banking Authority (EBA) for regulatory technical standards and supervisory expectations, ESMA for investment firm and market infrastructure guidance, EIOPA for insurance sector implementation materials and the official DORA regulation text at EUR-Lex.
Related reading from Razorthorn:
Blog: DORA Third Party Compliance: Essential Requirements for Financial Services
Razorthorn’s DORA Compliance Service
Razorthorn’s Third Party Risk Management
Podcast: DORA Compliance Made Clear: Safeguarding Financial Institutions
Frequently asked questions about DORA compliance
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is EU Regulation 2022/2554, which establishes a harmonised framework for digital operational resilience across the EU financial sector. It requires financial institutions to manage ICT risks, report incidents, test their operational resilience, oversee third party ICT providers and participate in information sharing. DORA has been in force since 17 January 2025.
Who needs to comply with DORA?
DORA applies to over 21,000 financial entities across the EU, covering 20 types of financial institution including banks, credit institutions, investment firms, insurance companies, payment institutions, electronic money institutions, crypto-asset service providers and crowdfunding platforms. It also applies directly to ICT third party service providers designated as critical by the European Supervisory Authorities.
When did DORA come into force?
DORA came into force on 17 January 2025 with no phase-in or transitional period. Financial entities were expected to have the required frameworks, processes and contractual arrangements in place from that date. The regulation was adopted on 14 December 2022 and published in the Official Journal of the EU on 27 December 2022, giving entities approximately two years to prepare.
What are the five pillars of DORA?
The five pillars of DORA are ICT risk management (Chapter II, Articles 5-16), ICT incident management, classification and reporting (Chapter III, Articles 17-23), digital operational resilience testing (Chapter IV, Articles 24-27), ICT third party risk management (Chapter V, Articles 28-44) and information sharing arrangements (Article 45). Together, these pillars create a comprehensive framework for managing digital operational resilience.
What are the penalties for failing to comply with DORA?
For financial entities, administrative penalties are set by individual EU member states under Article 50, with turnover-based ceilings ranging from 5% to 10% of annual turnover depending on the jurisdiction. For critical ICT third party providers under the ESA oversight framework, periodic penalties can reach up to 1% of average daily worldwide turnover, accumulating daily for up to six months. Competent authorities can also publicly disclose breaches, restrict business activities and impose personal fines on senior managers.
Does DORA replace NIS2 for financial institutions?
DORA does not replace NIS2 entirely, but it takes precedence for financial entities in areas where the two overlap. DORA is considered lex specialis (sector-specific law) in relation to NIS2, meaning its provisions on ICT risk management, incident reporting and third party risk override the equivalent NIS2 requirements for financial entities. Other NIS2 obligations may still apply depending on the entity’s classification.
What is threat-led penetration testing (TLPT) under DORA?
Threat-led penetration testing (TLPT) is an advanced form of security testing required under Articles 26-27 of DORA for larger, systemically important financial entities. It involves simulating real-world cyber attacks against live production systems using qualified external testers, typically following the TIBER-EU framework. TLPT must be conducted at least every three years. Smaller entities are exempted from this requirement.
What is the DORA Register of Information?
The Register of Information is a mandatory record required under Article 28(3) of DORA. Financial entities must document all contractual arrangements with ICT third party service providers, distinguishing between those supporting critical or important functions and those that do not. The register must be maintained at entity, sub-consolidated and consolidated levels and reported to competent authorities at least annually.