DORA: What is the Digital Operational Resilience Act?

16 April 2026 · 11 min read · by DEFION Security

DORA (Digital Operational Resilience Act) is an EU regulation that has applied since 17 January 2025. It requires financial institutions and their critical ICT service providers to demonstrate digital operational resilience: the ability to withstand, respond to, and recover from ICT-related disruptions and threats. DORA applies across the entire EU financial sector.

What is DORA?

The Digital Operational Resilience Act (EU 2022/2554) was developed to address a critical gap in financial sector regulation: while financial institutions were subject to extensive capital and operational requirements, there was no single, harmonized EU framework for ICT risk management and digital resilience.

DORA changes that. It creates a comprehensive, binding framework covering how financial entities manage ICT risks, report incidents, test their resilience, oversee third-party ICT providers, and share threat intelligence. The regulation entered into application on 17 January 2025, with no transitional period.

The driving motivation is systemic risk. Modern financial systems are deeply interconnected and reliant on a concentrated pool of critical technology providers. A major ICT incident at a systemically important institution or a critical cloud provider could have cascading effects across the entire financial system. DORA is designed to prevent this.

Who Falls Under DORA?

DORA applies to a wide range of financial entities and their critical ICT service providers, including:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers (UCITS, AIFMs)
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs)
  • Central counterparties (CCPs) and trading venues
  • Trade repositories and credit rating agencies
  • Critical ICT third-party service providers (CTPPs) to financial institutions, including major cloud providers

Proportionality applies: smaller financial entities (microenterprises) are subject to a simplified regime. However, the core obligations around ICT risk management and incident reporting apply across the board.

The 5 Pillars of DORA

Pillar 1: ICT Risk Management

Financial entities must have a comprehensive, documented ICT risk management framework. This includes identifying and classifying ICT assets, conducting risk assessments, defining protection measures, and having a strategy for ICT business continuity and disaster recovery. The management body is directly responsible for approving and overseeing the ICT risk strategy.

Pillar 2: ICT Incident Reporting

DORA introduces a harmonized incident classification and reporting regime. Major ICT incidents must be reported to the competent authority within 4 hours of classification (initial notification), with an intermediate report within 72 hours and a final report within one month. This replaces the patchwork of national reporting obligations that previously existed.

Pillar 3: Digital Operational Resilience Testing

All in-scope entities must conduct regular testing of their ICT systems. This includes basic testing (vulnerability assessments, network security assessments, penetration tests) at least annually. Significant institutions are required to conduct Threat-Led Penetration Testing (TLPT) every three years.

Pillar 4: ICT Third-Party Risk Management

Financial entities must implement a robust framework for managing the risks posed by ICT third-party service providers. This includes maintaining a register of all ICT providers, conducting due diligence before onboarding, including DORA-required contractual provisions, and monitoring provider performance and risk on an ongoing basis. The European Supervisory Authorities (ESAs) can directly supervise critical third-party providers designated as systemic.

Pillar 5: Information and Intelligence Sharing

DORA encourages (and in some cases requires) financial entities to share cyber threat intelligence and information about vulnerabilities, tactics, techniques, and procedures (TTPs) used by threat actors. Participation in information sharing arrangements is explicitly promoted as a mechanism to strengthen collective resilience across the financial sector.

TLPT: Threat-Led Penetration Testing Explained

TLPT (Threat-Led Penetration Testing) is the most rigorous testing requirement under DORA, applicable to significant financial institutions. TLPT is based on the TIBER-EU framework developed by the European Central Bank and is conducted by accredited red team providers.

Key characteristics of TLPT:

  • Based on real threat intelligence specific to the target institution
  • Conducted by certified external red team providers
  • Tests the full kill chain across people, processes, and technology
  • Performed on live production systems (not test environments)
  • Results are reviewed by the competent supervisory authority
  • Required every 3 years for significant institutions

DORA vs NIS2

Many financial institutions fall under both DORA and NIS2. Understanding the relationship is important:

                        DORA                                                  NIS2
Sector                  Financial sector only                                 Multi-sector
Legal basis             EU Regulation (directly applicable)                   EU Directive (transposed into national law)
Applies since           17 January 2025                                       Varies by member state (2024-2025)
Testing requirement     TLPT for significant entities (3-yearly)              Regular security testing (no specific format)
Third-party oversight   Extensive, including direct ESA supervision of        Supply chain risk management required
                        critical providers
Overlap                 DORA is lex specialis: financial entities complying with DORA are considered to comply with NIS2 for overlapping requirements

DORA Compliance Checklist

  • ICT risk management framework documented and approved by management body
  • ICT asset inventory maintained and classified
  • ICT incident classification and reporting procedures in place (4h / 72h / 30-day timelines)
  • Annual vulnerability assessments and network security testing conducted
  • TLPT program established (for significant entities)
  • Register of all ICT third-party providers maintained
  • DORA-compliant contractual clauses in ICT provider contracts
  • Business continuity and disaster recovery plans tested
  • Staff training and awareness program in place
  • Threat intelligence sharing arrangements evaluated

Frequently Asked Questions About DORA

Does DORA apply to ICT providers outside the EU?

Yes. DORA applies to ICT third-party service providers that provide services to in-scope EU financial entities, regardless of where the provider is headquartered. If you provide cloud, SaaS, or other ICT services to EU banks or insurers, DORA requirements flow through to you via contractual obligations.

What are the penalties for non-compliance with DORA?

DORA delegates penalty setting to member states for most entities, but penalties for critical third-party providers are defined at EU level: up to 1% of average daily worldwide turnover for each day of non-compliance, for up to 6 months. Financial entity penalties vary by national implementation but can be significant.

What is the difference between DORA and Basel operational risk requirements?

Basel III/IV operational risk requirements focus on capital adequacy for operational losses. DORA focuses on the actual resilience of ICT systems and processes. They are complementary: DORA addresses the prevention and response side, while Basel addresses the capital buffer for when things go wrong.

How does DORA affect cloud contracts with AWS, Azure, or Google?

DORA requires specific contractual provisions in agreements with ICT third-party providers, including cloud providers. These cover audit rights, exit strategies, service level guarantees, security obligations, and incident notification requirements. Major cloud providers have updated their terms for financial sector customers to reflect DORA requirements.

Is a DORA readiness assessment different from a NIS2 assessment?

Yes. A DORA readiness assessment focuses specifically on the five DORA pillars: ICT risk management framework, incident reporting capabilities, resilience testing program, third-party risk management, and information sharing. It also evaluates compliance with the detailed technical standards (RTS/ITS) published by the ESAs under DORA.

Can our existing penetration testing program satisfy DORA requirements?

Basic annual pentests satisfy the standard testing requirements. However, if you are a significant institution subject to TLPT, your existing pentest program does not satisfy the TLPT requirement. TLPT requires specific threat intelligence preparation, accredited red team providers, regulatory oversight, and testing of live production systems. DEFION's TLPT-capable red team can guide you through the full process.

Is your financial institution DORA-compliant?

Our DORA Readiness Assessment maps your current state against all five DORA pillars and delivers a prioritized remediation roadmap. Start with a no-obligation consultation.