
# DORA Compliance: Complete Guide to the Digital Operational Resilience Act
Everything financial entities need to know about DORA compliance — ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management under Regulation (EU) 2022/2554.
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — is the EU's dedicated framework for ICT risk management in the financial sector. It applies from 17 January 2025 and affects virtually every regulated financial entity in the European Union.
Unlike NIS2, DORA is a regulation, not a directive. It applies directly across all Member States without requiring national transposition. If you're in the financial sector, DORA compliance is not optional.
## What Is DORA?
DORA establishes a comprehensive framework to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It covers five key pillars:
- ICT risk management — Governance framework for managing ICT risks
- ICT-related incident reporting — Standardised reporting of major incidents
- Digital operational resilience testing — Regular testing of ICT systems
- ICT third-party risk management — Oversight of critical ICT service providers
- Information sharing — Voluntary sharing of cyber threat intelligence
The regulation recognises that the financial sector's increasing dependence on technology creates systemic risks that go beyond individual institutions. A single ICT failure or cyberattack can cascade through interconnected financial systems.
## Who Must Comply With DORA?
DORA applies to 21 categories of financial entities, including:
| Category | Examples |
|---|---|
| Credit institutions | Banks |
| Payment institutions | Payment processors, PSPs |
| Electronic money institutions | E-money issuers |
| Investment firms | Brokers, asset managers |
| Crypto-asset service providers | Exchanges, custodians |
| Insurance and reinsurance undertakings | Insurers, reinsurers |
| Insurance intermediaries | Brokers, agents |
| Institutions for occupational retirement | Pension funds |
| Central counterparties | Clearing houses |
| Trade repositories | Transaction reporting |
| Central securities depositories | Securities settlement |
| Trading venues | Stock exchanges, MTFs |
| Securitisation repositories | ABS data |
| Credit rating agencies | Rating providers |
| Crowdfunding service providers | Crowdfunding platforms |
| Data reporting service providers | APAs, ARMs |
| Managers of alternative investment funds | Hedge fund managers, PE managers |
| Management companies | UCITS managers |
| Account information service providers | Open banking providers |
Additionally, critical ICT third-party service providers (CTPPs) — such as major cloud providers serving the financial sector — are subject to a new oversight framework.
### Proportionality
DORA applies the principle of proportionality. Requirements scale based on:
- Size and overall risk profile of the entity
- Nature, scale, and complexity of services
- The entity's ICT risk exposure
Microenterprises (fewer than 10 employees and less than €2M turnover) benefit from a simplified ICT risk management framework.
## The Five Pillars of DORA
### Pillar 1: ICT Risk Management (Articles 5-16)
Financial entities must establish a comprehensive ICT risk management framework that includes:
**Governance:**
- Management body retains ultimate responsibility for ICT risk
- Dedicated ICT risk management function (independent from operational ICT)
- ICT risk management strategy reviewed at least annually
- Management must complete ICT risk training
**Identification:**
- Identify, classify, and document all ICT-supported business functions
- Map ICT assets and their dependencies
- Identify all sources of ICT risk
- Conduct risk assessments at least annually
**Protection and Prevention:**
- Implement ICT security policies and procedures
- Patch management with defined timelines
- Network security and access controls
- Data protection and encryption measures
**Detection:**
- Continuous monitoring of ICT systems
- Anomaly detection mechanisms
- Multiple layers of control
**Response and Recovery:**
- ICT business continuity policy
- Disaster recovery plans with recovery time objectives
- Crisis communication procedures
- Post-incident reviews
**Learning and Evolving:**
- Gather threat intelligence
- Post-incident root cause analysis
- Continuous improvement of the framework
### Pillar 2: ICT-Related Incident Reporting (Articles 17-23)
DORA standardises incident classification and reporting across the financial sector:
**Incident Classification:**
Incidents are classified as major if they meet thresholds across criteria including:
- Number of clients/counterparties affected
- Duration of the incident
- Geographical spread
- Data losses
- Impact on critical services
- Economic impact
**Reporting Timeline:**
| Timeline | Report Type | Content |
|---|---|---|
| Within 4 hours of classifying the incident as major | Initial notification | Basic facts and classification |
| Within 72 hours | Intermediate report | Updated assessment and impact |
| Within 1 month | Final report | Root cause analysis, remediation measures |
Financial entities must also notify affected clients when incidents impact their financial interests.
### Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
All financial entities must conduct regular testing:
**Basic Testing (all entities):**
- Vulnerability assessments and scans
- Open source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Scenario-based testing
- Compatibility testing
- Performance testing
- End-to-end testing
**Advanced Testing (significant entities):**
- Threat-Led Penetration Testing (TLPT) at least every three years
- Must follow recognised frameworks (TIBER-EU or equivalent)
- Conducted by qualified external testers
- Covers critical ICT systems supporting critical functions
- Results reported to competent authorities
### Pillar 4: ICT Third-Party Risk Management (Articles 28-44)
DORA creates a comprehensive framework for managing outsourcing and third-party ICT risk:
**Pre-contractual Requirements:**
- Risk assessment before entering ICT service contracts
- Due diligence on potential providers
- Concentration risk assessment (avoiding over-dependence on single providers)
**Contractual Requirements:**
- Mandatory provisions in ICT service contracts
- Right to audit and access
- Clear SLAs and incident reporting obligations
- Exit strategies and transition plans
**Ongoing Management:**
- Maintain a register of all ICT third-party arrangements
- Regular risk reassessment
- Monitoring of provider performance and risk posture
**Oversight of Critical ICT Third-Party Providers:**
- European Supervisory Authorities designate CTPPs
- Lead Overseers conduct inspections and assessments
- Can impose recommendations and, ultimately, periodic penalty payments
### Pillar 5: Information Sharing (Article 45)
DORA encourages (but does not mandate) financial entities to share cyber threat intelligence:
- Share indicators of compromise, tactics, techniques, and procedures
- Exchange information on cyber threats within trusted communities
- Participate in information sharing arrangements
- Notify competent authorities about participation
## DORA vs NIS2: Understanding the Relationship
For financial entities, both DORA and NIS2 may be relevant. DORA is lex specialis — it takes precedence where its requirements are more specific:
| Aspect | DORA | NIS2 |
|---|---|---|
| Legal form | Regulation (directly applicable) | Directive (requires transposition) |
| Scope | Financial sector + critical ICT providers | 18 cross-sector categories |
| Incident reporting | 4h initial / 72h intermediate / 1 month final | 24h early warning / 72h notification / 1 month final |
| Testing | TLPT every 3 years for significant entities | Effectiveness assessment (less prescriptive) |
| Third-party risk | Detailed framework with oversight regime | Supply chain security requirements |
| Precedence | Takes priority for financial entities | Applies where DORA doesn't cover |
Financial entities comply with DORA for ICT-related requirements. NIS2 may still apply for aspects not specifically covered by DORA.
## DORA Compliance Roadmap
### Step 1: Assess Applicability and Proportionality
Determine which DORA requirements apply based on your entity type, size, and the criticality of your ICT systems.
### Step 2: Gap Analysis
Map your current ICT risk management framework against DORA's five pillars. Common gaps include:
- Insufficient documentation of ICT third-party arrangements
- No TLPT programme for significant entities
- Incident classification and reporting not aligned with DORA timelines
- Concentration risk not assessed for critical ICT providers
### Step 3: ICT Risk Management Framework
Establish or update your framework to cover all Article 5-16 requirements. Ensure management body involvement, independent ICT risk function, and annual strategy reviews.
### Step 4: Incident Reporting Capability
Build or upgrade your incident detection, classification, and reporting workflows to meet the 4-hour initial notification timeline.
### Step 5: Resilience Testing Programme
Establish a testing programme covering basic testing for all entities and TLPT for significant entities.
### Step 6: Third-Party Risk Management
Create and maintain a complete register of ICT third-party arrangements. Review contracts for mandatory provisions. Assess concentration risk.
### Step 7: Continuous Compliance
DORA compliance is ongoing. Implement tools and processes that maintain compliance continuously rather than treating it as a periodic exercise.
## How Orbiq Supports DORA Compliance
Orbiq helps financial entities manage DORA's operational requirements:
- Third-party risk register: Maintain a complete inventory of ICT service arrangements with risk classifications and contract details
- Vendor monitoring: Continuous assessment of third-party ICT providers' security posture
- Evidence management: Automated collection and organisation of compliance evidence for regulatory inspections
- Trust Center: Demonstrate your operational resilience posture to counterparties, auditors, and regulators
- Supply chain visibility: Real-time view of your ICT dependency landscape and concentration risks
Built for European financial services from day one, with EU data residency and GDPR-native architecture.
## Further Reading
- DORA Incident Reporting and Provider Monitoring: Articles 19, 28, 30
- NIS2 Compliance Guide — For requirements beyond DORA's scope
- NIS2 Supply Chain Security — Complementary third-party risk guidance
This guide is maintained by the Orbiq team. Last updated: March 2026.