Context

Why Banks Are in the Spotlight

Credit institutions are among the most heavily supervised entities under DORA. The regulation explicitly names banks in Art. 2(1)(a), and the combination of ECB direct supervision (for significant institutions) and national competent authority oversight (for less significant institutions) means that banks face rigorous scrutiny on every DORA requirement from day one.

The rationale is straightforward: banks sit at the centre of the financial system. A major ICT disruption at a systemically important bank can cascade across payment systems, interbank markets, and the real economy. DORA addresses this concentration of systemic risk by requiring banks to demonstrate that their digital operations can withstand, respond to, and recover from severe ICT-related incidents.

For banks already subject to the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), many DORA concepts will be familiar. However, DORA goes further in several areas: it introduces legally binding incident reporting timelines, mandates threat-led penetration testing for significant institutions, requires a comprehensive Register of Information on all ICT third-party arrangements, and establishes a direct EU-level oversight framework for critical ICT providers that banks depend on.

Key point: DORA is not optional and there is no grace period for banks. The regulation became applicable on 17 January 2025. Supervisors expect banks to be compliant now, with ongoing monitoring and supervisory reviews already underway. Understanding the full DORA compliance landscape is the essential first step.

Requirements

Key Requirements for Banks Across All Five Pillars

DORA is structured around five pillars, each of which carries specific implications for credit institutions. Below is a banking-focused summary of what each pillar demands.

1. ICT Risk Management Framework (Art. 5-16)

Banks must establish and maintain a comprehensive ICT risk management framework that is proportionate to their size, business model, and risk profile. This includes documented policies on ICT security, asset classification, access control, encryption, vulnerability management, and business continuity. The management body bears ultimate responsibility for approving and overseeing the framework, and must receive regular reporting on ICT risk posture.

2. Incident Reporting (Art. 17-23)

Banks must classify ICT-related incidents using criteria defined in the RTS and submit an initial notification to their national competent authority within 4 hours of classification (and no later than 24 hours after detection). An intermediate report follows within 72 hours, and a final report within one month. For banks in the euro area, the ECB and relevant national supervisor are the primary recipients. Banks should integrate DORA incident reporting into existing operational risk and crisis management processes.
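As an added illustration of the reporting timeline described above (this is example code written for this page, not part of the original text or of any vendor product), the following Python tracker derives the three reporting deadlines from an incident's detection and classification timestamps and flags which reports are overdue at a given point in time. The initial-notification rule is taken directly from the text (4 hours after classification, capped at 24 hours after detection); the page does not say from which moment the 72-hour and one-month clocks run, so this example assumes they run from the preceding deadline and approximates "one month" as 30 days. The incident records are constructed sample data.

```python
from datetime import datetime, timedelta

# Deadlines as stated on the page. The anchoring of the intermediate and final
# clocks to the preceding deadline is an assumption made for this example.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_DETECTION = timedelta(hours=24)      # hard cap on the initial notification
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)   # assumed to run from the initial deadline
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)      # "one month" approximated as 30 days


def reporting_deadlines(detected: datetime, classified: datetime) -> dict:
    """Compute initial/intermediate/final deadlines for one major incident.

    The initial notification is due 4h after classification, but never later
    than 24h after detection; whichever clock expires first is binding.
    """
    if classified < detected:
        raise ValueError("classification cannot precede detection")
    by_classification = classified + INITIAL_AFTER_CLASSIFICATION
    by_detection = detected + INITIAL_AFTER_DETECTION
    initial = min(by_classification, by_detection)
    binding = "classification" if by_classification <= by_detection else "detection"
    intermediate = initial + INTERMEDIATE_AFTER_INITIAL
    final = intermediate + FINAL_AFTER_INTERMEDIATE
    return {
        "initial": initial,
        "intermediate": intermediate,
        "final": final,
        "binding_clock": binding,
    }


def overdue_reports(deadlines: dict, submitted: set, now: datetime) -> list:
    """Names of reports whose deadline has passed without a recorded submission."""
    return [
        name for name in ("initial", "intermediate", "final")
        if name not in submitted and now > deadlines[name]
    ]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    # Classified 90 minutes after detection: the 4h-after-classification clock binds.
    {"id": "INC-SAMPLE-1", "detected": "2025-03-01T08:00:00+00:00",
     "classified": "2025-03-01T09:30:00+00:00", "submitted": {"initial"}},
    # Classified 22h after detection: the 24h-after-detection cap binds instead.
    {"id": "INC-SAMPLE-2", "detected": "2025-03-01T08:00:00+00:00",
     "classified": "2025-03-02T06:00:00+00:00", "submitted": set()},
]


def status_report(incidents: list, now: datetime) -> dict:
    """Map incident id -> list of overdue report names at time `now`."""
    result = {}
    for inc in incidents:
        dl = reporting_deadlines(parse(inc["detected"]), parse(inc["classified"]))
        result[inc["id"]] = overdue_reports(dl, inc["submitted"], now)
    return result


if __name__ == "__main__":
    now = parse("2025-03-02T12:00:00+00:00")
    for inc_id, overdue in status_report(SAMPLE_INCIDENTS, now).items():
        print(inc_id, "overdue:", overdue or "none")
```

The second sample incident is the edge case worth automating: a team that only tracks "4 hours from classification" would compute a deadline two hours later than the one that actually applies, because the 24-hour cap from detection expires first.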

3. Digital Operational Resilience Testing (Art. 24-27)

All banks must conduct basic resilience testing at least annually, including vulnerability assessments, network security reviews, and scenario-based testing. Significant institutions identified by their competent authority must additionally perform threat-led penetration testing (TLPT) at least every three years, using the TIBER-EU framework. TLPT must cover critical or important functions and, where these rely on ICT third-party providers, pooled testing arrangements may be required.

4. Register of Information & Third-Party Risk (Art. 28-44)

Banks must maintain a Register of Information (RoI) covering all contractual arrangements with ICT third-party service providers. This register must follow EBA standardised templates (ITS 2024/2956) and be submitted to the NCA at least annually. Beyond the RoI, banks must conduct pre-contract due diligence, include mandatory contract clauses for critical arrangements, monitor concentration risk, and maintain tested exit strategies for critical providers.

5. Information Sharing (Art. 45)

Banks are encouraged to participate in voluntary information-sharing arrangements on cyber threats, indicators of compromise, and tactics and procedures used by threat actors. While not mandatory, supervisors view active participation favourably. Banks should establish internal processes for receiving, assessing, and acting on shared threat intelligence while protecting the confidentiality of shared information.


Proportionality

Proportionality: How DORA Scales to Bank Size

DORA does not apply a one-size-fits-all approach. Art. 4 establishes the principle of proportionality, which means requirements are calibrated to the size, nature, scale, and complexity of the financial entity's activities, as well as its overall risk profile. For banks, this creates a tiered landscape of obligations.

Large and significant institutions face the full scope of DORA requirements. They must conduct TLPT, maintain a detailed ICT risk management framework with a dedicated ICT risk management function separate from the control functions, perform comprehensive annual testing programmes, and submit a granular Register of Information. The ECB expects significant institutions to demonstrate mature, board-level governance of ICT risk.

Medium-sized banks must meet the core DORA requirements but have more flexibility in how they implement them. They may combine certain governance functions, conduct testing programmes proportionate to their operational complexity, and document their ICT risk framework at a level of detail that reflects their business model.

Small and non-complex institutions benefit from a simplified ICT risk management framework under Art. 16. They are exempt from TLPT, may maintain less granular documentation, and can adopt a lighter governance structure. However, they must still comply with incident reporting obligations, maintain a Register of Information, and manage third-party ICT risk appropriately. The simplified framework does not exempt small banks from DORA; it scales the obligations to match their risk profile.

Determining your tier

Your proportionality tier depends on how your competent authority classifies your institution. For euro-area banks, the ECB's significant/less significant classification is a starting point. Beyond this, factors such as the nature of your services (e.g., payment services, custody, market-making), the volume of cross-border operations, and your dependence on ICT third-party providers all influence the supervisory expectations you face. If you are unsure where you stand, the DORA gap analysis can help you assess your current position.


Supervision

EBA Supervisory Expectations for Banks

The European Banking Authority plays a central role in DORA implementation for credit institutions. The EBA has developed the majority of the Regulatory Technical Standards and Implementing Technical Standards that underpin DORA, and it coordinates supervisory convergence across national competent authorities.

ICT risk management. The EBA expects banks to maintain an ICT risk management framework that is integrated into their overall risk management system, not treated as a standalone IT function. The framework should be reviewed and updated at least annually, and the management body must be able to demonstrate that it understands and actively oversees ICT risk. Banks that previously relied on the EBA/GL/2019/04 guidelines should review the additional requirements introduced by DORA and the supporting RTS.

TLPT coordination. For banks subject to TLPT, the EBA works with the ECB and national authorities to coordinate testing activities. Banks must engage qualified threat intelligence providers and penetration testers, define the scope based on critical or important functions, and share results with their competent authority. The TIBER-EU framework provides the methodology, and banks should expect supervisory challenge on the scope, depth, and remediation of findings.

Register of Information data quality. The EBA has emphasised that the RoI is not a compliance checkbox but a supervisory tool. Competent authorities will use RoI data to assess concentration risk, map dependencies, and identify potential systemic vulnerabilities in the banking sector's ICT supply chain. Banks should invest in data quality, ensure completeness of provider and contract information, and establish internal processes for keeping the register current.

Ongoing reporting. Beyond the RoI, banks should expect supervisory engagement on incident trends, testing outcomes, remediation progress, and third-party risk concentrations. The EBA is developing additional supervisory tools and convergence measures that will shape how competent authorities assess DORA compliance across the banking sector in the coming years.


Challenges

Common Challenges for Banks

Banks face several practical challenges in achieving and maintaining DORA compliance. Understanding these in advance allows institutions to allocate resources effectively and avoid common pitfalls.

Legacy systems and technical debt. Many banks operate core banking platforms that are decades old. Retrofitting ICT risk management controls, vulnerability scanning, and resilience testing onto legacy infrastructure is often more complex and costly than applying the same controls to modern systems. Banks should prioritise identifying critical functions that run on legacy platforms and develop targeted remediation or replacement plans.

Complex third-party ecosystems. Large banks often rely on hundreds of ICT providers, ranging from global cloud platforms to niche fintech services. Building and maintaining a complete Register of Information across this ecosystem requires cross-functional coordination between procurement, IT, risk, and legal teams. Concentration risk analysis is particularly challenging when multiple business lines independently contract with the same underlying provider. Our third-party risk management guide provides a structured approach to this challenge.

Cross-border operations. Banks operating across multiple EU jurisdictions must navigate potentially different supervisory expectations from each national competent authority, even though DORA is a directly applicable regulation. Incident reporting channels, TLPT coordination, and RoI submission processes may vary by jurisdiction. Groups with subsidiaries in multiple countries need a consistent group-wide DORA framework that can accommodate local requirements.

Integration with existing regulatory frameworks. Banks are already subject to CRD/CRR, the Basel framework, PSD2, GDPR, and in some cases sectoral outsourcing guidelines. DORA adds another layer of requirements that must be integrated rather than siloed. The challenge is to avoid duplicative governance structures and reporting while ensuring that DORA-specific obligations are fully met. Operational risk, business continuity, and outsourcing functions need to work together rather than treating DORA as a separate workstream.

Board-level awareness. DORA places explicit responsibility on the management body for ICT risk oversight. In practice, many bank boards have limited technical expertise in ICT risk. Banks need to invest in board education, develop meaningful ICT risk reporting that translates technical detail into strategic risk language, and ensure that governance arrangements meet DORA's expectations for active board involvement. Non-compliance carries personal accountability implications under both DORA and existing banking law.


Next steps

Getting Started with DORA Compliance

Whether your bank is just beginning its DORA programme or refining an existing one, a structured approach will help you achieve compliance efficiently and demonstrate readiness to supervisors.

1. Assess your current position. Start with a gap analysis that maps your existing controls, policies, and processes against each DORA requirement. The free DORA gap analysis tool provides a structured assessment across all five pillars and generates an actionable report showing where you stand and what needs attention.

2. Prioritise by risk and supervisory expectation. Not all gaps carry equal weight. Focus first on areas where your competent authority is most likely to challenge you: incident reporting readiness, RoI completeness, and the adequacy of your ICT risk management framework. The DORA compliance checklist can help you structure your remediation roadmap.

3. Build your Register of Information. The RoI is both a compliance requirement and a practical tool for managing third-party ICT risk. Start early, use the EBA standardised templates, and establish a process for ongoing maintenance. This is one of the most data-intensive DORA requirements, and banks that delay often find themselves scrambling at submission time.

4. Integrate DORA into existing governance. Avoid creating a standalone DORA programme that duplicates your existing risk management and governance structures. Instead, extend your current operational risk framework, outsourcing governance, and business continuity arrangements to incorporate DORA-specific requirements. This approach is more sustainable and aligns with supervisory expectations.

5. Explore tooling that supports your obligations. DORA compliance involves ongoing data management, reporting, and monitoring across all five pillars. DORA GRC is purpose-built for this, covering everything from ICT risk management and incident tracking to RoI management and board reporting. Explore the platform features to see how it fits your institution's needs.


FAQ

Frequently Asked Questions

Does DORA apply to all banks, regardless of size?

Yes. DORA applies to all credit institutions authorised in the EU, regardless of size. Art. 2(1)(a) of Regulation (EU) 2022/2554 explicitly includes credit institutions as defined in Art. 4(1)(1) of Regulation (EU) 575/2013. However, the depth of requirements varies under the proportionality principle (Art. 4), meaning smaller and less complex banks face simplified obligations in areas such as ICT risk management documentation, testing scope, and governance arrangements.

Which banks must conduct threat-led penetration testing (TLPT)?

Only banks identified by their competent authority as significant institutions are required to conduct threat-led penetration testing under Art. 26-27 of DORA. This typically covers banks designated as significant by the ECB under the Single Supervisory Mechanism, as well as other institutions that national competent authorities consider systemically important. TLPT must be carried out at least every three years using the TIBER-EU framework or an equivalent national scheme.

What is the Register of Information and what must it contain?

The Register of Information is a structured inventory of all contractual arrangements with ICT third-party service providers, required by Art. 28(3) of DORA. Banks must maintain this register on an ongoing basis and submit it to their national competent authority upon request and at least annually. The EBA has published standardised templates (ITS 2024/2956) that define the data fields, formats, and validation rules. The register covers all ICT services, though the level of detail required is greater for arrangements supporting critical or important functions.

How does DORA relate to existing banking prudential requirements?

DORA complements rather than replaces existing banking prudential requirements. CRD VI and the CRR already include operational risk provisions, and the EBA Guidelines on ICT and security risk management have been a reference for banks for several years. DORA builds on these foundations with more granular requirements specifically for digital operational resilience. Banks should integrate DORA into their existing risk management and governance frameworks rather than treating it as a standalone programme, ensuring cohesive management of overlapping areas such as operational risk capital, business continuity, and outsourcing governance.