
DORA Compliance: What the Regulation Requires, Who It Affects, and How to Prepare
A practical guide to DORA compliance — what the Digital Operational Resilience Act requires, which financial entities and ICT providers are affected, key obligations around ICT risk management, incident reporting, resilience testing, and third-party risk management.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the EU's regulation for digital operational resilience in the financial sector. Applicable from 17 January 2025, it establishes harmonised requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management across all types of financial entities.
For B2B SaaS companies serving the financial sector, DORA has significant implications. If designated as a critical ICT third-party provider, you fall under direct EU oversight. Even without that designation, financial entity customers will impose DORA-aligned contractual requirements on their ICT suppliers. Understanding DORA is essential for any technology company doing business with European financial institutions.
This guide covers what DORA requires, who it applies to, the five pillars of compliance, and how to prepare as an ICT service provider.
DORA Scope and Applicability
Financial Entities in Scope
DORA applies to virtually all regulated financial entities in the EU:
| Category | Entities |
|---|---|
| Banking | Credit institutions, payment institutions, electronic money institutions |
| Investment | Investment firms, trading venues, central counterparties, central securities depositories |
| Insurance | Insurance undertakings, reinsurance undertakings, insurance intermediaries |
| Pensions | Institutions for occupational retirement provision |
| Crypto | Crypto-asset service providers, issuers of asset-referenced tokens |
| Other | Credit rating agencies, administrators of critical benchmarks, securitisation repositories, crowdfunding service providers |
ICT Third-Party Service Providers
DORA extends beyond financial entities to cover ICT third-party service providers, including:
- Cloud service providers (IaaS, PaaS, SaaS)
- Data analytics providers
- Software vendors
- Data centre service providers
- ICT infrastructure providers
Critical ICT third-party providers (CTPPs) designated by the European Supervisory Authorities face direct oversight. Designation criteria include systemic importance to the financial sector, degree of substitutability, and the number and significance of financial entities relying on the provider.
The Five Pillars of DORA
Pillar 1: ICT Risk Management (Articles 5-16)
Financial entities must establish comprehensive ICT risk management frameworks:
Governance
- Management body bears ultimate responsibility for ICT risk management
- Define, approve, and oversee the ICT risk management framework
- Allocate sufficient budget and resources for ICT security
- Management members must maintain ICT risk knowledge through regular training
ICT Risk Management Framework
- Identify all ICT-supported business functions and assets
- Classify information assets by criticality
- Conduct regular risk assessments
- Implement protection and prevention measures
- Establish detection mechanisms for anomalous activity
- Define response and recovery procedures
- Maintain a comprehensive ICT risk management policy
Key Requirements:
| Area | Requirement |
|---|---|
| Identification | Maintain updated inventory of ICT assets, map dependencies, identify critical functions |
| Protection | Implement security policies, access controls, encryption, network security |
| Detection | Deploy monitoring, alerting, and anomaly detection capabilities |
| Response | Establish incident response procedures, containment strategies, communication plans |
| Recovery | Define recovery objectives, backup policies, restoration procedures |
| Learning | Post-incident reviews, vulnerability assessments, continuous improvement |
Pillar 2: ICT-Related Incident Management and Reporting (Articles 17-23)
Incident Classification
Financial entities must classify ICT-related incidents, and determine whether an incident is major and therefore reportable, using these criteria:
| Criterion | Description |
|---|---|
| Affected clients | Number and relevance of clients or financial counterparts affected, transactions affected, and any reputational impact |
| Duration | Length of the incident |
| Geographical spread | Areas affected, including cross-border impact |
| Data losses | Whether the availability, authenticity, integrity, or confidentiality of data was affected |
| Criticality of services | How critical the affected services are |
| Economic impact | Direct and indirect costs and losses |
Reporting Timeline (major ICT-related incidents)
| Stage | Deadline | Content |
|---|---|---|
| Initial notification | Within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it | Incident summary, initial impact assessment |
| Intermediate report | Within 72 hours of submitting the initial notification | Updated assessment, containment measures, root cause (if known) |
| Final report | Within 1 month of submitting the intermediate report (or its latest update) | Root cause analysis, total impact, remediation measures, lessons learned |
Voluntary Threat Reporting
Financial entities may voluntarily report significant cyber threats to competent authorities. This is encouraged to improve sector-wide resilience and threat intelligence sharing.
Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
Basic Testing (All entities)
All financial entities must run a proportionate testing programme, ensuring at least yearly that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions. The tests drawn on include:
- Vulnerability assessments and scans
- Open source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Questionnaires and scanning software solutions
- Source code reviews where feasible
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing
- Penetration testing
Advanced Testing — TLPT (Significant entities)
Financial entities identified by their competent authority as significant (based on impact, systemic character, and ICT risk profile) must conduct threat-led penetration testing (TLPT):
| Requirement | Detail |
|---|---|
| Frequency | At least every 3 years |
| Framework | Must follow TIBER-EU or equivalent national framework |
| Scope | Critical or important functions on live production systems |
| Testers | Testers meeting the Article 27 requirements; internal testers may be used only under the conditions in Article 26(8), the threat intelligence provider must be external, and an external tester must be engaged at least every third test |
| Threat intelligence | Based on current threat landscape specific to the entity |
| Reporting | Summary of findings, remediation plans, and supporting documentation submitted to the competent authority, which issues an attestation that the test was performed |
Pillar 4: ICT Third-Party Risk Management (Articles 28-44)
Pre-Contracting Requirements
- Conduct risk assessment before entering ICT arrangements
- Assess provider's information security capabilities
- Evaluate concentration risk (dependency on single providers)
- Ensure due diligence on providers supporting critical functions
Mandatory Contractual Provisions
Contracts with ICT third-party providers must include:
| Provision | Description |
|---|---|
| Service description | Clear description of functions, including sub-outsourcing conditions |
| Data location | Locations where data is processed and stored, notification of changes |
| Security measures | Service levels, security requirements, access controls |
| Availability targets | Guaranteed uptime, recovery time and point objectives |
| Incident notification | Obligation to report ICT-related incidents |
| Business continuity | Plans for ensuring continuity during disruptions |
| Audit rights | Rights to conduct audits and inspections |
| Termination and exit | Transition periods, data return, deletion requirements |
| Sub-outsourcing | Conditions for further outsourcing to sub-contractors |
Ongoing Monitoring
- Monitor provider performance against contractual obligations
- Maintain a register of information on all ICT third-party arrangements, distinguishing those that support critical or important functions
- Report at least yearly to the competent authority on new ICT arrangements, and provide the full register on request (competent authorities collect registers for onward transmission to the ESAs)
- Assess and manage concentration risk regularly
Exit Strategies
- Develop exit plans for critical ICT third-party arrangements
- Ensure plans include adequate transition periods
- Plan for data portability and migration
- Test exit procedures periodically
Pillar 5: Information Sharing (Article 45)
Financial entities may participate in voluntary arrangements for sharing cyber threat intelligence and information about:
- Tactics, techniques, and procedures (TTPs)
- Indicators of compromise (IoCs)
- Security alerts and configuration tools
- Cyber threat intelligence
Participation is voluntary but encouraged. Shared information must be handled in accordance with confidentiality requirements and competition law.
DORA for ICT Service Providers
Direct Impact
If you are an ICT third-party service provider to financial entities:
Contractual obligations: Financial entity customers will require DORA-compliant contractual terms covering security measures, incident notification, audit rights, data location, and exit strategies.
Enhanced due diligence: Expect deeper security assessments during procurement, including reviews of your ICT risk management framework, incident response capabilities, and business continuity plans.
Incident notification: You will need to notify financial entity customers of ICT-related incidents according to timelines that support their own 4-hour reporting obligation.
Audit and inspection rights: Financial entities and their competent authorities must have the right to audit and inspect your systems, operations, and security measures.
Critical ICT Third-Party Provider (CTPP) Designation
If designated as a CTPP by the ESAs, additional obligations apply:
- Direct oversight by a Lead Overseer (one of the three ESAs: EBA, EIOPA, or ESMA)
- Obligation to respond to information requests and comply with recommendations
- Subject to general investigations and on-site inspections
- Non-EU providers must establish a subsidiary in the EU within 12 months of designation
- Recommendations are not legally binding, but a CTPP must explain any non-compliance, the Lead Overseer can impose periodic penalty payments (up to 1% of average daily worldwide turnover) for failing to cooperate with information requests or inspections, and competent authorities may require financial entities to suspend or terminate the arrangement
DORA and Other Frameworks
DORA and NIS2
| Aspect | DORA | NIS2 |
|---|---|---|
| Scope | Financial sector | Cross-sector (18 sectors) |
| Nature | Regulation (directly applicable) | Directive (requires transposition) |
| Incident reporting | Initial notification within 4 hours of classification (at most 24 hours after awareness) | 24-hour early warning, 72-hour notification, final report within 1 month |
| Testing | Mandatory TLPT for significant entities | Effectiveness assessment required |
| Third-party management | Comprehensive framework with oversight | Supply chain security obligations |
| Relationship | Lex specialis (takes precedence) | Applies where DORA does not |
DORA and ISO 27001
| Aspect | ISO 27001 | DORA Additions |
|---|---|---|
| Risk management | Comprehensive ISMS | Aligned, with financial sector specifics |
| Incident reporting | Internal procedures | Mandatory external reporting of major incidents (initial, intermediate, and final reports) |
| Testing | A.8.8 management of technical vulnerabilities | Mandatory TLPT at least every 3 years for designated entities |
| Third-party | A.5.19-A.5.23 supplier security | Register, contractual provisions, oversight |
| Business continuity | A.5.29-A.5.30 | Detailed ICT continuity requirements |
Preparing for DORA Compliance
For Financial Entities
- Gap analysis — Map current ICT risk management framework against DORA requirements
- Governance — Ensure management body is engaged with ICT risk oversight and training
- ICT risk management — Enhance identification, protection, detection, response, and recovery capabilities
- Incident management — Establish classification criteria and reporting processes meeting DORA timelines
- Resilience testing — Develop testing programme, plan TLPT if applicable
- Third-party register — Create and maintain the register of all ICT third-party arrangements
- Contract review — Update contracts with ICT providers to include DORA mandatory provisions
- Exit strategies — Develop exit plans for critical ICT third-party arrangements
For ICT Service Providers
- Understand your exposure — Identify which financial entity customers are subject to DORA
- Review contracts — Prepare for DORA-compliant contractual requirements
- Strengthen incident response — Ensure you can support customers' 4-hour reporting obligation
- Prepare for audits — Build audit-readiness with comprehensive documentation and evidence
- Publish on Trust Center — Make security documentation, incident response capabilities, and compliance evidence available to financial entity buyers
- Assess CTPP risk — Evaluate whether you might be designated as critical and prepare accordingly
How Orbiq Supports DORA Compliance
- Trust Center: Publish your DORA compliance posture — ICT risk management measures, incident response capabilities, and resilience testing evidence for financial entity buyers
- Continuous Monitoring: Track DORA requirements across all five pillars with real-time compliance status
- Evidence Management: Centralize ICT risk documentation, incident records, testing reports, and third-party arrangement registers mapped to DORA articles
- AI-Powered Questionnaires: Auto-respond to DORA-related security questionnaire questions from financial entity customers
Further Reading
- NIS2 Compliance — Understanding the relationship between DORA and NIS2
- Penetration Testing — Meeting DORA's resilience testing requirements including TLPT
- Incident Response — Building incident response capabilities for DORA's 4-hour reporting
- Third-Party Risk Management — Managing ICT third-party risks as required by DORA Pillar 4
This guide is maintained by the Orbiq team. Last updated: March 2026.