The Digital Operational Resilience Act (DORA) has been applicable since January 2025. If you're a financial entity in the EU — or an ICT third-party service provider to one — DORA is now law, and compliance is mandatory.
Unlike NIS2 (which is broader), DORA is specifically designed for the financial sector and focuses squarely on digital operational resilience: your ability to withstand, respond to, and recover from ICT-related disruptions.
Who DORA Applies To
Financial Entities
Banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, credit rating agencies, and pension funds. Essentially every regulated financial entity in the EU.
ICT Third-Party Service Providers
This is the crucial part for technology companies: if you provide ICT services to financial entities (cloud hosting, SaaS platforms, managed services, data analytics), DORA's third-party risk management requirements apply to you — through your customers' compliance obligations.
What this means in practice: Your financial sector customers will impose DORA-aligned contractual requirements on you. If you can't meet them, you lose the business.
The Five Pillars
Pillar 1: ICT Risk Management
Requirement: Establish and maintain a comprehensive ICT risk management framework.
What you need to implement:
- ICT risk management policy approved by the management body
- Risk identification and assessment process for all ICT assets and systems
- Protection and prevention measures (access controls, encryption, network security)
- Detection mechanisms (monitoring, alerting, anomaly detection)
- Business continuity and disaster recovery plans specifically for ICT
- Learning and evolving — update risk management based on incidents and threat landscape
Technology implementation:
- Asset inventory of all ICT systems (automated discovery)
- Vulnerability management programme with defined SLAs
- Security monitoring (SIEM) with detection rules for financial sector threats
- Automated backup and recovery testing
- Configuration management and drift detection
Pillar 2: ICT-Related Incident Reporting
Requirement: Classify, report, and manage ICT-related incidents according to defined criteria.
Classification criteria:
- Number of clients/counterparties affected
- Duration of the incident
- Geographic spread
- Data losses
- Impact on critical functions
- Economic impact
Reporting timeline:
- Initial notification: Within 4 hours of classifying a major incident
- Intermediate report: Within 72 hours
- Final report: Within 1 month
Technology implementation:
- Incident management system with DORA-specific classification
- Automated severity assessment based on DORA criteria
- Reporting templates pre-configured for regulatory submission
- Integration with national competent authority reporting channels
- Post-incident root cause analysis process
Pillar 3: Digital Operational Resilience Testing
Requirement: Conduct regular testing of ICT systems and tools.
Testing types required:
- Vulnerability assessments and scans (at least annually)
- Open-source analysis
- Network security assessments
- Gap analysis
- Physical security reviews
- Penetration testing (at least every 3 years, annually for significant entities)
- Threat-Led Penetration Testing (TLPT) for significant entities (using the TIBER-EU framework)
Technology implementation:
- Automated vulnerability scanning (continuous)
- Annual penetration testing by qualified external providers
- Red team exercises for critical systems (TLPT for significant entities)
- Scenario-based resilience testing (simulate realistic disruption scenarios)
- Test results documentation and remediation tracking
Pillar 4: ICT Third-Party Risk Management
Requirement: Manage risks arising from ICT third-party service providers.
Key requirements:
- Register of all ICT third-party arrangements
- Risk assessment before entering into arrangements
- Contractual requirements (right to audit, exit strategies, data location, security measures)
- Ongoing monitoring of third-party performance and risk
- Exit strategies for critical or important functions
- Concentration risk assessment (over-reliance on a single provider)
Contractual provisions (mandatory):
- Clear service level descriptions
- Data processing locations
- Security measures
- Right of access, inspection, and audit
- Termination rights and exit assistance
- Incident notification obligations
- Sub-contracting conditions
Technology implementation:
- Third-party risk management platform or register
- Automated monitoring of third-party SLAs and security posture
- Contract management with DORA-specific clauses
- Annual third-party risk assessments
- Exit plan documentation and testing for critical providers
Pillar 5: Information Sharing
Requirement: Participate in voluntary information-sharing arrangements regarding cyber threats.
What this means: Financial entities are encouraged (not required) to share cyber threat intelligence with each other and with authorities. DORA provides a legal framework for this sharing.
Technology implementation:
- Participation in sector-specific ISACs (Information Sharing and Analysis Centres)
- Threat intelligence platform integration
- Anonymisation of shared intelligence (protect sensitive information)
Relationship with NIS2
DORA and NIS2 overlap but serve different purposes:
| Aspect | DORA | NIS2 |
|---|---|---|
| Scope | Financial sector specifically | Broad (essential and important entities) |
| Focus | ICT operational resilience | Cybersecurity risk management |
| Testing requirements | Specific (including TLPT) | General |
| Third-party management | Detailed requirements | General |
| Incident reporting | 4h/72h/1m timeline | 24h/72h timeline |
Key principle: DORA is lex specialis — it takes precedence over NIS2 for financial entities where the requirements overlap. However, financial entities must still comply with NIS2 requirements that DORA doesn't specifically address.
Implementation Roadmap
Phase 1: Assessment (1-2 months)
- Gap analysis against DORA requirements
- ICT asset inventory
- Third-party register creation
- Risk classification of ICT systems and functions
Phase 2: Framework (2-4 months)
- ICT risk management framework documentation
- Incident classification and reporting procedures
- Third-party contractual review and updates
- Business continuity plan updates for ICT
Phase 3: Implementation (3-6 months)
- Security monitoring enhancements
- Vulnerability management programme
- Incident management system updates
- Third-party monitoring implementation
- Staff training
Phase 4: Testing and Validation (2-3 months)
- Resilience testing programme execution
- Penetration testing
- Scenario-based testing
- Business continuity testing
- Third-party exit plan testing
Phase 5: Continuous Compliance (Ongoing)
- Regular risk assessments
- Continuous monitoring
- Annual testing programme
- Incident reporting readiness
- Regulatory updates monitoring
DORA compliance is a significant undertaking, but it's ultimately about building genuinely resilient technology operations — which is good engineering practice regardless of regulation. If you need help assessing your DORA compliance posture or implementing the framework, let's talk.