Background

What is DORA?

DORA is EU Regulation 2022/2554, the Digital Operational Resilience Act. It sets out binding requirements for how financial entities manage the risks that come from their dependence on information and communications technology. The regulation entered into force on 16 January 2023 and became enforceable on 17 January 2025.

The regulation applies to around 22,000 financial entities operating in the EU. It is supervised by national competent authorities (NCAs) such as the ECB, EBA, ESMA, and EIOPA, depending on the type of entity. Non-compliance can result in supervisory intervention and financial penalties.

DORA consolidates ICT risk requirements that previously existed across multiple sector-specific directives. It introduces a single, technology-neutral framework covering five areas: governance, risk management, incident reporting, resilience testing, and third-party oversight. Each area maps to specific articles in the regulation and to accompanying Regulatory Technical Standards and Implementing Technical Standards published by the ESAs.


The five pillars

The 5 Pillars of DORA Compliance

DORA organises its requirements into five distinct areas. Each pillar has its own article range, accompanying technical standards, and specific obligations that vary by entity type and size.

1. ICT Governance
Art. 5–16 — ICT Risk Management Framework

The management body of a financial entity is responsible for approving, overseeing, and remaining accountable for the ICT risk management framework. This is not something that can be delegated entirely to the IT department. Art. 5(2) makes the management body personally responsible for defining ICT risk appetite and staying informed about the ICT threat landscape.

Entities must produce and maintain a documented ICT risk management framework, reviewed at least annually. The framework must include an ICT strategy, an internal audit function with ICT expertise, and clear policies for ICT security, access control, and data management.

Example requirement: The management body must receive regular reporting on ICT risk. Under Art. 5(4), members of the management body are expected to keep their ICT knowledge up to date, including by attending relevant training.

2. ICT Risk Management
Art. 8–14 — ICT Risk Framework Requirements

This pillar covers the operational content of the risk management framework. Entities must maintain a complete, up-to-date register of ICT assets (Art. 8), map dependencies between functions, assets, and providers, and identify threats and vulnerabilities on an ongoing basis.

Business continuity and ICT disaster recovery plans are mandatory under Art. 11. These plans must include defined recovery objectives: a Recovery Time Objective (RTO), a Recovery Point Objective (RPO), and a Maximum Tolerable Period of Disruption (MTPD) for each critical function.

Example requirement: Under Art. 11(5), BCP and disaster recovery plans must be tested at least annually. Results must be documented and used to update the plans.

3. ICT Incident Management
Art. 17–23 — Incident Classification and Reporting

DORA requires a documented process for detecting, classifying, and responding to ICT-related incidents. The classification framework at Art. 18, together with the delegated regulation CDR 2024/1772, defines the criteria for what constitutes a major incident, including the number of clients affected, duration, data loss, geographic spread, and economic impact.

For major incidents, reporting timelines are strict and non-negotiable. An initial notification must be filed with the NCA within 4 hours of the entity classifying an incident as major, and in any case no later than 24 hours after the incident is first detected. An intermediate report follows within 72 hours. A final report is due within one month of the incident closure.
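As an added illustration (not code from the original page or from the DORA GRC product), a small Python deadline calculator that encodes the reporting timelines stated above, including the 24-hour cap that overrides the 4-hour clock when classification comes late. The 72-hour anchor on the initial notification and the calendar-month reading of "one month" are assumptions, marked as such in the code.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timelines as stated on this page: initial notification within 4 hours of
# classification, never later than 24 hours after first detection; intermediate
# report within 72 hours; final report within one month of incident closure.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: Optional[datetime]  # None until the incident is closed


def add_one_month(t: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's length (assumed reading of 'one month')."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(detected: datetime, classified: datetime,
                        initial_sent: Optional[datetime] = None,
                        closed: Optional[datetime] = None) -> ReportingDeadlines:
    if classified < detected:
        raise ValueError("classification cannot precede detection")
    # The 4-hour clock runs from classification, but the 24-hour cap counted
    # from detection wins when classification was slow: take the earlier one.
    initial = min(classified + INITIAL_AFTER_CLASSIFICATION,
                  detected + INITIAL_CAP_AFTER_DETECTION)
    # Assumption: the 72 hours run from the initial notification; if the actual
    # submission time is not yet known, plan against the initial deadline.
    intermediate = (initial_sent or initial) + INTERMEDIATE_AFTER_INITIAL
    final = add_one_month(closed) if closed is not None else None
    return ReportingDeadlines(initial, intermediate, final)


def sample_deadlines() -> ReportingDeadlines:
    """Constructed sample: detected 02:00 UTC on 3 March, classified 22 hours later, closed 31 March."""
    utc = timezone.utc
    return reporting_deadlines(detected=datetime(2025, 3, 3, 2, tzinfo=utc),
                               classified=datetime(2025, 3, 4, 0, tzinfo=utc),
                               closed=datetime(2025, 3, 31, 12, tzinfo=utc))
```

In the constructed sample the initial deadline is 02:00 on 4 March, set by the 24-hour cap rather than the 4-hour clock, and the final report date clamps from 31 March to 30 April.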

Example requirement: Art. 19(4)(a) requires an initial notification to the NCA within 4 hours of classification. Entities must have pre-prepared templates in the ITS 2024/2956 format to meet this deadline in practice.

4. Digital Resilience Testing
Art. 24–27 — Testing Programme Requirements

All financial entities in scope must operate a testing programme that covers their critical ICT systems. At minimum, this means annual vulnerability assessments and network security reviews. The programme must be proportionate to the entity's size, risk profile, and business model.

Larger or more systemically significant entities must carry out Threat-Led Penetration Testing (TLPT) at least every three years. TLPT follows a structured methodology defined in RTS 2025/1190 and involves testing production systems using real threat intelligence, with participation from the entity's critical ICT third-party service providers.

Example requirement: Under Art. 26(1), entities designated for TLPT must engage a qualified external tester and coordinate with their NCA before testing begins. The scope must cover critical functions and the systems that support them.

5. Third-Party ICT Risk
Art. 28–44 — Third-Party Oversight

Financial entities must maintain a Register of Information on all ICT third-party service arrangements, structured according to ITS 2024/2956. This register is submitted to NCAs on request and, for most entities, was first due by 30 April 2025. Entities must also conduct pre-contract risk assessments for providers supporting critical or important functions (CIFs), and assess concentration risk across their provider base.

Contracts with providers of CIF-related services must include mandatory clauses under Art. 30(2), covering exit rights, audit access, service level commitments, security requirements, and sub-contracting notifications. Critical ICT third-party service providers (CTPPs) are subject to direct EU-level oversight by a Lead Overseer appointed from among the ESAs.

Example requirement: Art. 28(3) requires entities to maintain the Register of Information at all times. It must identify each ICT service, the supporting provider, whether the function is critical, and the sub-contractors used.

Practical reference

DORA Compliance Checklist

Use this checklist to assess where your organisation stands. Each item maps to a specific DORA article. If you want a scored result across all five pillars, the free assessment tool covers 25 questions in about 3 minutes.

Pillar 1: ICT Governance
Management body has formally approved the ICT risk management framework and assigned clear accountability (Art. 5)
ICT risk management framework is documented, reviewed at least annually, and subject to independent audit (Art. 6)
ICT security policies covering access control, encryption, and network segmentation are documented and enforced (Art. 9)

Pillar 2: ICT Risk Management
Complete, maintained register of all ICT assets, functions, and their dependencies is in place (Art. 8)
Business continuity and disaster recovery plans exist with defined RTO, RPO, and MTPD for each critical function (Art. 11)
BCP and DR plans have been tested within the last 12 months and results documented (Art. 11(5))

Pillar 3: Incident Management
Documented incident management process exists with classification criteria aligned to CDR 2024/1772 (Art. 17–18)
Organisation can file an initial notification with the NCA within 4 hours of classifying a major incident (Art. 19(4)(a))
ITS 2024/2956 incident reporting templates are prepared and pre-filled for rapid submission (Art. 19)

Pillar 4: Resilience Testing
A documented, proportionate testing programme covering all critical ICT systems is in operation (Art. 24)
Vulnerability assessments and network security reviews are conducted at least annually on critical systems (Art. 25)
Applicability for Threat-Led Penetration Testing (TLPT) under Art. 26 has been assessed and documented (Art. 26)

Pillar 5: Third-Party ICT Risk
Register of Information on all ICT third-party arrangements is maintained in ITS 2024/2956 format (Art. 28(3))
All ICT contracts for critical or important functions include the mandatory clauses required by Art. 30(2) (Art. 30)
Concentration risk from ICT providers is assessed and reported to the management body at least annually (Art. 28(5))

Key dates

DORA Compliance Timeline

DORA has a fixed legislative timeline. The dates below are the ones that matter for compliance planning and supervisory engagement.

16 January 2023 (Completed): DORA entered into force
EU Regulation 2022/2554 was published in the Official Journal and entered into force. The 24-month implementation period began. ESAs started work on the accompanying technical standards.

Q1–Q3 2024 (Completed): Technical standards finalised
The key RTS and ITS were published: RTS 2024/1774 (ICT risk management), CDR 2024/1772 (incident classification), ITS 2024/2956 (incident reporting and Register of Information format), and CDR 2024/1773 (third-party risk and subcontracting). These give detailed requirements that sit on top of the main regulation.

17 January 2025 (Enforcement active): DORA became applicable
DORA became enforceable across all EU member states. Financial entities were expected to be fully compliant from this date. NCAs began supervisory reviews and engagement programmes. Incident reporting obligations under Art. 19 took effect immediately.

30 April 2025 (Completed): First Register of Information submission
The first reference date for the Register of Information submission to NCAs. Entities were required to submit their complete register of ICT third-party arrangements in the ITS 2024/2956 format. This was the first major reporting milestone under DORA.

Ongoing (Continuous): Annual testing, supervision, and reporting
DORA obligations do not end after the first submission. Annual vulnerability assessments are required under Art. 25. Incident reporting under Art. 19 continues whenever a major incident occurs. TLPT must be repeated at least every three years for entities in scope. NCAs conduct ongoing supervisory reviews and may require additional information or corrective action at any time.

Scope

Who Does DORA Apply To?

DORA defines its scope at Art. 2. It covers a wide range of financial sector entities, including both firms that hold EU licences and ICT service providers that serve them. If you operate in the EU financial sector or provide ICT services to EU financial entities, you are likely in scope.

Credit institutions (banks)
Payment institutions
Electronic money institutions
Investment firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Insurance undertakings
Reinsurance undertakings
Insurance intermediaries
Occupational pension funds
Credit rating agencies
Trade repositories
ICT third-party service providers (critical)
Proportionality principle: Art. 4 of DORA allows smaller and less complex entities to apply certain requirements in a simplified form. Microenterprises and some small entities have reduced obligations around the ICT risk management framework, testing, and third-party oversight. Your NCA can advise on which simplified regime applies to your entity.

Platform

How DORA GRC Helps

DORA GRC is built specifically for the five pillars described above. Each module maps to a section of the regulation, so you are always working in the context of a specific article rather than a generic compliance tool.

Governance and Risk Framework

The ICT risk register, asset register, CIF register, and control library give management bodies a single view of ICT risk. Board-level reports are generated automatically from live data, covering the items required under Art. 5. Risks are linked to assets, controls, and incidents so nothing sits in a separate spreadsheet.

Incident Management and Reporting

The incident register classifies incidents using the CDR 2024/1772 criteria and tracks the 4-hour, 72-hour, and 1-month reporting deadlines automatically. ITS 2024/2956 report templates are pre-populated from the incident record, so your compliance team spends time on accuracy rather than formatting.

Resilience Testing Programme

The testing module manages your annual testing schedule, tracks which critical ICT systems have been covered, and records results against each test. Results feed back into the risk register, which is the feedback loop Art. 25 requires. If you are in scope for TLPT, the TLPT tracker documents scope, tester credentials, and NCA coordination.

Third-Party Risk and Register of Information

The provider register and Register of Information module cover the full Art. 28 to 44 scope. Contract records include mandatory clause tracking against Art. 30(2). The ROI is structured to the ITS 2024/2956 schema and can be exported as an EBA-format submission file. The concentration risk dashboard gives management bodies the view required under Art. 28(5).

For a full list of features across all five pillars, see the features page.