Is Your Organisation Ready for DORA? What Financial Entities Need to Know
The EU Digital Operational Resilience Act has been fully applicable since January 2025. There is no grace period, and competent authorities across the EU are actively supervising compliance. Here is what DORA requires, who it applies to, and what you should be doing right now.
The EU financial sector has long operated under robust prudential and conduct regulation. But until DORA, there was no single, uniform framework governing how financial entities managed their digital operational resilience — their ability to withstand, respond to, and recover from ICT-related disruptions and incidents.
DORA changes that. Regulation (EU) 2022/2554, the Digital Operational Resilience Act, entered into force in January 2023 and became fully applicable on 17 January 2025. It establishes binding requirements for ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing across the entire EU financial sector. The regulation applies directly — meaning it does not need to be transposed into national law — and is enforced by competent authorities in each EU member state.
If your organisation is a financial entity operating in the EU, or an ICT service provider supplying technology to EU financial entities, DORA's requirements apply to you now.
DORA is already in force. The January 2025 application date has passed. There is no further transition period. Competent national authorities began supervising compliance from that date. Organisations that have not yet assessed their readiness against DORA's requirements should treat this as an urgent priority.
Who Does DORA Apply To?
DORA has a broad scope, covering most regulated financial entities operating in the EU. Article 2 of the regulation lists the entities in scope, including:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and credit rating agencies
- Insurance and reinsurance undertakings and intermediaries
- Pension funds and occupational pension scheme managers
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central counterparties, central securities depositories, and trading venues
- Data reporting service providers and trade repositories
- Crowdfunding service providers
DORA also applies to ICT third-party service providers (ICT TPSPs) — cloud providers, software vendors, data centres, data analytics firms, and other technology providers that deliver services to financial entities. Providers designated as "critical" by the European Supervisory Authorities (ESAs) face additional oversight obligations under the EU Oversight Framework in Chapter V.
A proportionality principle applies: microenterprises and smaller entities benefit from simplified requirements in some areas. However, the core pillars of DORA apply regardless of size.
The Five Pillars of DORA
DORA is structured around five interconnected pillars that together define what digital operational resilience looks like for a regulated financial entity.
- ICT Risk Management: governance framework, risk identification, protection, detection, response and recovery, backup and continuity
- ICT Incident Reporting: classification, mandatory reporting of major incidents to competent authorities within defined timeframes
- Digital Operational Resilience Testing: basic testing programme for all entities; advanced threat-led penetration testing (TLPT) for significant entities
- ICT Third-Party Risk Management: pre-contractual due diligence, mandatory contract clauses, monitoring, concentration risk, and exit planning
- Information and Intelligence Sharing: voluntary sharing of cyber threat intelligence and indicators of compromise with peers and competent authorities
Pillar 1: ICT Risk Management
The ICT risk management framework under DORA Articles 5–16 is the foundation of everything else. It requires the management body — the board or equivalent — to take direct accountability for ICT risk. This is not a delegatable function. DORA Article 5 explicitly places responsibility with the most senior governing body, requiring it to approve, oversee, and be accountable for the ICT risk management framework and the organisation's digital operational resilience strategy.
The framework itself must be comprehensive, documented, and reviewed at least annually (or after any major ICT incident). It must cover the full lifecycle of ICT assets and address:
- ICT risk identification, classification, and asset management
- Protection and prevention controls — including access management, network segmentation, patching, and encryption
- Detection capabilities for anomalous activity
- Response and recovery procedures, including defined recovery time and recovery point objectives
- Backup and restoration policies tested regularly
- ICT business continuity management and crisis communications
- A documented digital operational resilience strategy
For many financial entities, the gap between existing operational risk frameworks and DORA's specific ICT risk requirements is larger than expected — particularly around management body accountability, the explicit resilience strategy requirement, and documented recovery objectives tied to critical functions.
Pillar 2: ICT Incident Reporting
DORA creates a harmonised incident reporting regime across the EU financial sector. Financial entities must classify ICT incidents and report major ICT-related incidents to their competent national authority within defined timeframes.
The reporting timeline for a major incident involves three stages: an initial notification (within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of the event), an intermediate report (within 72 hours), and a final report within one month. The criteria for classifying an incident as "major" are defined in Commission Delegated Regulation (EU) 2024/1772 and are based on impact on clients, the number of affected transactions, geographic spread, and data loss.
Significant cyber threats — even where no incident has materialised — may also be reported to competent authorities on a voluntary basis where the entity considers the threat relevant to the financial system.
Common gap: Many financial entities have existing incident management processes but have not mapped them to DORA's specific classification criteria, reporting timeframes, or the required content of each notification stage. Testing these processes before an actual incident is essential.
Pillar 3: Digital Operational Resilience Testing
DORA mandates a testing programme covering ICT tools, systems, and processes supporting critical or important functions. All in-scope entities must conduct basic testing — including vulnerability assessments, network security testing, gap analyses, and physical security reviews — at least annually.
Significant financial entities — those identified by competent authorities based on size, systemic importance, and ICT risk profile — must also conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT is advanced adversary simulation based on the TIBER-EU framework, using real threat intelligence to simulate the tactics, techniques, and procedures of actual threat actors against live production systems.
Results of TLPT must be submitted to competent authorities, and identified vulnerabilities must be remediated within defined timeframes. Testing providers must meet specific qualification criteria, and the programme must be governed by a dedicated internal testing function or appropriately contracted specialists.
Pillar 4: ICT Third-Party Risk Management
This is often the pillar that generates the most immediate compliance work. DORA Articles 28–30 establish extensive requirements for how financial entities manage their ICT third-party arrangements.
Before entering any ICT contract supporting a critical or important function, financial entities must conduct pre-contractual due diligence covering the provider's security posture, resilience capabilities, sub-outsourcing arrangements, audit rights, and ability to cooperate with supervisory authorities.
Contracts with ICT providers for critical or important functions must include mandatory clauses covering:
- Full service level descriptions and performance targets
- Data location and processing provisions
- Termination rights and exit plans
- Audit rights — including the right of the financial entity and competent authority to inspect the provider
- Sub-outsourcing notification and approval requirements
- Business continuity and incident reporting obligations
- Data portability and transition assistance on exit
Financial entities must also maintain a register of all ICT third-party arrangements and report it to competent authorities annually. Concentration risk — the risk arising from dependence on a small number of critical providers — must be monitored and managed, including assessment of intra-group ICT arrangements.
Action required: Many organisations will need to renegotiate existing ICT contracts to insert DORA-compliant clauses. Legacy contracts — particularly with major cloud providers and software vendors — should be reviewed against the Article 30 requirements as a priority.
Pillar 5: Information and Intelligence Sharing
DORA Article 45 creates a framework for voluntary sharing of cyber threat information and intelligence between financial entities. Entities may participate in threat intelligence sharing arrangements within trusted communities, exchanging indicators of compromise, tactics and techniques, and cyber alerts.
Information shared under these arrangements benefits from protections regarding confidentiality, personal data, and competition law. Participation is voluntary, but competent authorities may establish coordination mechanisms to facilitate sharing. The European Supervisory Authorities (EBA, ESMA, EIOPA) are expected to develop guidance on information sharing communities over time.
What ICT Third-Party Service Providers Must Do
If your organisation provides ICT services to EU financial entities, DORA's reach extends to you — even if you are not yourself a regulated financial entity.
Under Article 28, financial entities must flow down DORA requirements through their contracts. This means ICT TPSPs supplying services for critical or important functions will face contractual obligations covering audit rights, incident notification, sub-outsourcing controls, data portability, and continuity commitments.
ICT TPSPs designated as "critical" by the ESAs under Article 31 face a higher bar: direct oversight by a Lead Overseer (one of EBA, ESMA, or EIOPA depending on the type of financial entities served), with powers to conduct inspections, request information, and impose recommendations.
Even non-critical ICT TPSPs should prepare for DORA-driven contract renegotiations, client audit requests, and the need to demonstrate ICT security and resilience capabilities to financial entity clients.
Where Most Organisations Have Gaps
Based on the structure of DORA and what pre-existing frameworks typically cover, the areas where financial entities most commonly find gaps include:
- Management body accountability — ICT risk has historically sat below board level. DORA requires explicit board ownership, including approval of the ICT risk framework and regular reporting to the management body on ICT risks and incidents.
- Digital operational resilience strategy — Many entities have IT strategies and risk frameworks but lack the specific documented resilience strategy DORA requires, including the articulation of tolerance for ICT disruptions.
- Incident classification and reporting timelines — Existing incident processes rarely map to DORA's specific classification criteria or the three-stage reporting obligation. Testing and rehearsing the notification process before an incident occurs is critical.
- Third-party contract compliance — Legacy contracts with ICT providers almost never contain DORA-compliant terms. Reviewing and renegotiating these is time-consuming and often involves significant commercial negotiation.
- TLPT readiness — Threat-led penetration testing is materially more demanding than standard penetration testing. Significant entities that have not established a TLPT programme are behind.
- ICT third-party register — The requirement to maintain a complete, accurate register of all ICT arrangements — not just critical ones — and submit it to competent authorities is operationally demanding for large institutions.
Assess Your DORA Readiness
Our DORA Readiness Assessment covers all five pillars across 60+ questions for financial entities and 35+ questions for ICT third-party service providers — with a prioritised gap register and board-ready reporting.
What You Should Be Doing Right Now
Given DORA is already in force, the appropriate response is not to start planning a compliance programme — it is to understand where you stand and close gaps urgently. Practically, that means:
1. Conduct a structured readiness assessment
Work through each of DORA's five pillars systematically and identify where your current policies, processes, and controls fall short of the regulation's requirements. Document your current state and the gaps — this becomes the basis of your remediation plan and, importantly, demonstrates proactive effort to your competent authority.
2. Elevate ICT risk to the management body
If ICT risk is not already on the board agenda with explicit accountability, this needs to change immediately. The management body must approve the ICT risk management framework and receive regular reporting. Board-level training on ICT risk and digital operational resilience is a DORA requirement, not a recommendation.
3. Review and remediate ICT contracts
Identify all ICT arrangements supporting critical or important functions and compare existing contract terms against Article 30 requirements. Prioritise renegotiations with your most critical providers and engage legal and procurement early — contract changes with major vendors take time.
4. Test your incident reporting process
Map your current incident management process to DORA's classification criteria and three-stage notification requirements. Run a tabletop exercise simulating a major ICT incident to test whether your organisation can meet the 4-hour initial notification window and whether the right people and information are in the right places.
5. Build or verify your TLPT programme
If your organisation is likely to be classified as significant, engage with your competent authority on TLPT expectations and begin scoping your programme. Qualifying testers and establishing the governance framework takes time. Do not leave this until you receive a formal notification.
6. Engage with your competent authority
Most EU competent authorities have published DORA supervisory guidance and have supervisory expectations in place. Understanding what your national supervisor is prioritising — and demonstrating that you are taking compliance seriously — is both practically useful and strategically sensible.
Frequently Asked Questions
Who does DORA apply to?
DORA applies to a broad range of financial entities operating in the EU, including banks, investment firms, insurance undertakings, payment institutions, e-money institutions, crypto-asset service providers, pension funds, and central counterparties. It also applies to ICT third-party service providers — including cloud providers, software vendors and data centres — that provide services to these financial entities.
When did DORA come into effect?
DORA (Regulation (EU) 2022/2554) entered into force in January 2023 and became fully applicable on 17 January 2025. All financial entities in scope were required to comply by that date. There is no further grace period — competent authorities are actively supervising compliance.
What are the five pillars of DORA?
DORA is structured around five pillars: ICT risk management (establishing a comprehensive governance framework), ICT incident reporting (mandatory reporting of major incidents to competent authorities), digital operational resilience testing (regular testing including threat-led penetration testing for significant entities), ICT third-party risk management (contractual and monitoring requirements for ICT suppliers), and information and intelligence sharing (voluntary sharing of cyber threat intelligence).
Does DORA apply to Australian financial institutions?
DORA applies to financial entities operating within the EU. Australian banks, insurers, and financial services firms with EU operations, EU-regulated subsidiaries, or services provided to EU customers from EU entities are likely in scope. Australian ICT service providers supplying technology services to EU-regulated financial entities may also have obligations under DORA's third-party risk requirements.
See Where You Stand Against DORA
The CyberAssure DORA Readiness Assessment provides a structured, role-based evaluation of your organisation's compliance posture across all five DORA pillars — with a detailed gap register mapped to DORA articles, a prioritised remediation roadmap, and board-ready reporting.