What is DORA?
DORA is EU Regulation 2022/2554, the Digital Operational Resilience Act. It sets out binding requirements for how financial entities manage the risks that come from their dependence on information and communications technology. The regulation entered into force on 16 January 2023 and became enforceable on 17 January 2025.
The regulation applies to around 22,000 financial entities operating in the EU. It is supervised by national competent authorities (NCAs) such as the ECB, EBA, ESMA, and EIOPA, depending on the type of entity. Non-compliance can result in supervisory intervention and financial penalties.
DORA consolidates ICT risk requirements that previously existed across multiple sector-specific directives. It introduces a single, technology-neutral framework covering five areas: governance, risk management, incident reporting, resilience testing, and third-party oversight. Each area maps to specific articles in the regulation and to accompanying Regulatory Technical Standards and Implementing Technical Standards published by the ESAs.
The 5 Pillars of DORA Compliance
DORA organises its requirements into five distinct areas. Each pillar has its own article range, accompanying technical standards, and specific obligations that vary by entity type and size.
Pillar 1: Governance
The management body of a financial entity is responsible for approving, overseeing, and remaining accountable for the ICT risk management framework. This is not something that can be delegated entirely to the IT department. Art. 5(2) makes the management body personally responsible for defining ICT risk appetite and staying informed about the ICT threat landscape.
Entities must produce and maintain a documented ICT risk management framework, reviewed at least annually. The framework must include an ICT strategy, an internal audit function with ICT expertise, and clear policies for ICT security, access control, and data management.
Pillar 2: Risk Management
This pillar covers the operational content of the risk management framework. Entities must maintain a complete, up-to-date register of ICT assets (Art. 8), map dependencies between functions, assets, and providers, and identify threats and vulnerabilities on an ongoing basis.
Business continuity and ICT disaster recovery plans are mandatory under Art. 11. These plans must include defined recovery objectives: a Recovery Time Objective (RTO), a Recovery Point Objective (RPO), and a Maximum Tolerable Period of Disruption (MTPD) for each critical function.
Pillar 3: Incident Reporting
DORA requires a documented process for detecting, classifying, and responding to ICT-related incidents. The classification framework at Art. 18, together with the delegated regulation CDR 2024/1772, defines the criteria for what constitutes a major incident, including the number of clients affected, duration, data loss, geographic spread, and economic impact.
For major incidents, reporting timelines are strict and non-negotiable. An initial notification must be filed with the NCA within 4 hours of the entity classifying an incident as major, and in any case no later than 24 hours after the incident is first detected. An intermediate report follows within 72 hours. A final report is due within one month of incident closure.
Pillar 4: Resilience Testing
All financial entities in scope must operate a testing programme that covers their critical ICT systems. At minimum, this means annual vulnerability assessments and network security reviews. The programme must be proportionate to the entity's size, risk profile, and business model.
Larger or more systemically significant entities must carry out Threat-Led Penetration Testing (TLPT) at least every three years. TLPT follows a structured methodology defined in RTS 2025/1190 and involves testing production systems using real threat intelligence, with participation from the entity's critical ICT third-party service providers.
Pillar 5: Third-Party Oversight
Financial entities must maintain a Register of Information on all ICT third-party service arrangements, structured according to ITS 2024/2956. This register is submitted to NCAs on request and, for most entities, was first due by 30 April 2025. Entities must also conduct pre-contract risk assessments for providers supporting critical or important functions (CIFs), and assess concentration risk across their provider base.
Contracts with providers of CIF-related services must include mandatory clauses under Art. 30(2), covering exit rights, audit access, service level commitments, security requirements, and sub-contracting notifications. Critical ICT third-party service providers (CTPPs) are subject to direct EU-level oversight by a Lead Overseer appointed from among the ESAs.
DORA Compliance Checklist
Use this checklist to assess where your organisation stands. Each item maps to a specific DORA article. If you want a scored result across all five pillars, the free assessment tool covers 25 questions in about 3 minutes.
DORA Compliance Timeline
DORA has a fixed legislative timeline. The dates below are the ones that matter for compliance planning and supervisory engagement.
Who Does DORA Apply To?
DORA defines its scope at Art. 2. It covers a wide range of financial sector entities, including both firms that hold EU licences and ICT service providers that serve them. If you operate in the EU financial sector or provide ICT services to EU financial entities, you are likely in scope.
How DORA GRC Helps
DORA GRC is built specifically for the five pillars described above. Each module maps to a section of the regulation, so you are always working in the context of a specific article rather than a generic compliance tool.
Governance and Risk Framework
The ICT risk register, asset register, CIF register, and control library give management bodies a single view of ICT risk. Board-level reports are generated automatically from live data, covering the items required under Art. 5. Risks are linked to assets, controls, and incidents so nothing sits in a separate spreadsheet.
Incident Management and Reporting
The incident register classifies incidents using the CDR 2024/1772 criteria and tracks the 4-hour, 72-hour, and 1-month reporting deadlines automatically. ITS 2024/2956 report templates are pre-populated from the incident record, so your compliance team spends time on accuracy rather than formatting.
Resilience Testing Programme
The testing module manages your annual testing schedule, tracks which critical ICT systems have been covered, and records results against each test. Results feed back into the risk register, which is the feedback loop Art. 25 requires. If you are in scope for TLPT, the TLPT tracker documents scope, tester credentials, and NCA coordination.
Third-Party Risk and Register of Information
The provider register and Register of Information module cover the full scope of Arts. 28 to 44. Contract records include mandatory clause tracking against Art. 30(2). The Register of Information (ROI) is structured to the ITS 2024/2956 schema and can be exported as an EBA-format submission file. The concentration risk dashboard gives management bodies the view required under Art. 28(5).
For a full list of features across all five pillars, see the features page.