How many EU regulations does Cleo cover?

Cleo monitors 25,000+ regulations across all 27 EU member states, including GDPR, AI Act, DORA, CSRD, NIS2, MiCA, and sector-specific directives.

Does Cleo track national transpositions of EU directives?

Yes. Cleo's multi-agent pipeline automatically detects when EU directives are transposed into national law and alerts your team with the specific local requirements.

Can Cleo compare regulations across EU member states?

Absolutely. Cleo's multi-jurisdiction comparison feature lets you see how the same directive is implemented differently across member states, highlighting gaps and additional requirements.

🇪🇺European Union

DORA compliance in the EU

DORA (Regulation 2022/2554) creates a unified ICT risk management framework for all EU financial entities. It applies to over 22,000 entities including banks, insurers, investment firms, crypto-asset providers, and their critical ICT suppliers.

Start free scan

Enforcement authority

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

Maximum sanctions

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.

Key obligations

What DORA requires from organizations operating in the EU.

Implement a comprehensive ICT risk management framework with board-level oversight

Report major ICT incidents to national authorities within strict timelines

Conduct advanced threat-led penetration testing (TLPT) every 3 years for significant entities

Maintain a register of all ICT third-party contracts and conduct concentration risk analysis

Share cyber threat intelligence with other financial entities and authorities

Local context in the EU

DORA became applicable on January 17, 2025. The ESAs have published Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that detail specific requirements. Critical ICT third-party providers are directly supervised at EU level.

DORA by industry in the EU

Retail & Consumer Goods HealthTech Insurance Energy & Utilities Cosmetics & Personal Care Electronics & Connected Devices

Frequently asked questions

How does DORA apply in the EU?

Who enforces DORA in the EU?

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

What are the penalties for DORA non-compliance?

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.

Read our complete DORA compliance guide

DORA in other jurisdictions

🇫🇷France 🇩🇪Germany 🇬🇧United Kingdom 🇺🇸United States 🇧🇷Brazil 🇦🇺Australia 🇮🇳India

Check your DORA compliance now

Start free scan to see your risk score and applicable obligations.

Start free scan

Key obligations

What DORA requires from organizations operating in the EU.

Implement a comprehensive ICT risk management framework with board-level oversight

Report major ICT incidents to national authorities within strict timelines

Conduct advanced threat-led penetration testing (TLPT) every 3 years for significant entities

Maintain a register of all ICT third-party contracts and conduct concentration risk analysis

Share cyber threat intelligence with other financial entities and authorities

Frequently asked questions

How does DORA apply in the EU?

Who enforces DORA in the EU?

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

What are the penalties for DORA non-compliance?

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.