The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has been fully applicable since January 17, 2025. It establishes a comprehensive ICT risk management framework for the EU financial sector, covering banks, insurance companies, investment firms, payment providers, and critically, the ICT third-party service providers that serve them.

DORA is directly applicable across all EU member states without requiring national transposition, unlike NIS2.

Who Is Covered

Financial Entities (21 categories)

Banks and credit institutions, investment firms, insurance and reinsurance companies, payment institutions and e-money institutions, central securities depositories, trading venues and central counterparties, fund managers (UCITS and AIFM), credit rating agencies, crowdfunding service providers, and crypto-asset service providers under MiCA.

ICT Third-Party Service Providers

DORA extends regulatory oversight to critical ICT third-party providers (CTPPs): cloud providers, data center operators, software vendors, and other ICT service providers that the European Supervisory Authorities (ESAs) designate as critical to the financial sector. This is the first time technology vendors serving financial services face direct EU regulatory oversight.

Five Pillars of DORA

1. ICT Risk Management (Articles 5-16)

Financial entities must implement a comprehensive ICT risk management framework. Governance requires the management body to define, approve, and oversee the ICT risk management framework. Risk identification means inventorying all ICT assets, mapping dependencies, and identifying vulnerabilities. Protection and prevention involves implementing security controls proportionate to identified risks. Detection requires deploying capabilities to detect anomalous activity and ICT incidents. Response and recovery means maintaining incident response plans, business continuity plans, and disaster recovery procedures. Learning and evolving requires post-incident reviews and continuous improvement.

2. ICT Incident Reporting (Articles 17-23)

Classify ICT-related incidents using criteria defined by the ESAs. Major incidents must be reported to the competent authority in three stages: an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within 1 month. Voluntary reporting of significant cyber threats is encouraged.

3. Digital Operational Resilience Testing (Articles 24-27)

All entities must perform basic testing including vulnerability assessments, network security testing, gap analysis, source code reviews, and performance testing at least annually. Significant entities must conduct Threat-Led Penetration Testing (TLPT), which is advanced red team testing based on real threat intelligence, conducted every 3 years by independent testers following the TIBER-EU framework or equivalent national frameworks.

4. ICT Third-Party Risk Management (Articles 28-44)

Maintain a register of all ICT third-party arrangements. Conduct pre-contractual due diligence and ongoing risk assessment. Include mandatory contractual clauses covering security, audit rights, incident notification, exit strategies, and data location. The ESAs designate Critical ICT Third-Party Providers (CTPPs) and conduct direct oversight including inspections and recommendations.

5. Information Sharing (Article 45)

Financial entities are encouraged to share cyber threat intelligence with peers through trusted information-sharing arrangements, with legal protections for good-faith sharing.

Relationship to NIS2

DORA is lex specialis to NIS2 for financial entities. Where DORA imposes sector-specific requirements that are at least as stringent as NIS2, DORA takes precedence. Financial entities subject to DORA do not need to separately comply with NIS2 for the same obligations.

Penalties

Member states define specific penalties, but DORA allows for fines, public statements, and corrective orders for non-compliant financial entities. For Critical ICT Third-Party Providers, periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance are possible, for up to six months.

Practical Steps

Assess scope by determining which of your entities fall under DORA and which ICT providers are in scope. Conduct a gap analysis comparing current ICT risk management practices against DORA’s five pillars. Maintain a complete ICT asset inventory and register of third-party dependencies. Establish incident reporting processes to classify, escalate, and report ICT incidents within the required timelines. Review and update ICT third-party contracts to include DORA-mandated clauses. Implement annual basic testing and prepare for TLPT if designated as significant. Ensure the management body is formally accountable for ICT risk management.