DORA

Why DORA is Critical for Financial Services

Regulatory Reality

DORA became applicable on 17 January 2025, making compliance mandatory for all EU financial entities.

Harmonised EU Requirements

Covers over 22,000 financial entities across banking, insurance, investment services, and their ICT service providers.

Unified Standards

Harmonises digital resilience requirements across all EU member states, replacing fragmented national approaches.

Severe Penalties

Non-compliance can result in fines up to 1% of annual turnover for major breaches.

What DORA Requires from Financial Organizations

DORA establishes comprehensive digital operational resilience requirements that go far beyond traditional cybersecurity measures.

Establish ICT Risk Management Frameworks

Implement comprehensive strategies, policies, and procedures that address ICT risk across the entire organization.

Report Major ICT Incidents

Classify and report significant operational disruptions to regulators within strict timelines, including initial, intermediate, and final reports.

Conduct Advanced Resilience Testing

Perform threat-led penetration testing (TLPT) for significant institutions and comprehensive testing programmes for all covered entities.

Manage Third-Party ICT Risks

Maintain detailed registers of all ICT service providers and implement robust oversight of critical third-party relationships.

The Five Pillars of DORA Compliance

ICT Risk Management

Organizations must establish comprehensive frameworks covering risk identification, assessment, mitigation, and continuous monitoring. This includes defining ICT risk appetite, implementing appropriate controls, and ensuring regular review and updates of risk management practices.

Incident Reporting

Financial entities must classify ICT-related incidents based on severity criteria and report major incidents to competent authorities. The regulation specifies exact timelines for initial reports (within 4 hours for critical incidents) and requires detailed root cause analysis and remediation plans.

Digital Operational Resilience Testing

All covered entities must conduct regular testing of their digital operational resilience, including vulnerability assessments and penetration testing. Significant institutions must undergo threat-led penetration testing (TLPT) every three years, conducted by accredited providers.

ICT Third-Party Risk Management

Organizations must implement comprehensive due diligence processes for ICT service providers, maintain detailed contractual arrangements, and establish ongoing monitoring procedures. Special attention is required for critical or important functions outsourced to third parties.

Information and Intelligence Sharing

DORA encourages sharing of cyber threat intelligence and best practices among financial entities, while establishing formal mechanisms for coordination with regulatory authorities and other stakeholders.

Who must comply with DORA

Key compliance dates: 

  • 17 January 2025: DORA application date
  • 17 July 2025: First incident reports under new framework
  • 17 January 2026: First mandatory resilience testing cycles complete
  • Ongoing: Continuous monitoring and reporting requirements

Financial Entities:

  • Credit institutions (banks, building societies)
  • Investment firms and asset managers
  • Insurance and reinsurance undertakings
  • Payment institutions and e-money institutions
  • Central counterparties and trade repositories
  • Data reporting service providers

ICT Third-Party Service Providers:

Critical ICT service providers to financial entities become subject to direct regulatory oversight, including cloud service providers, software vendors, and managed service providers deemed critical to financial stability.