How many EU regulations does Cleo cover?

Cleo monitors 300+ regulatory frameworks across all 27 EU member states, including GDPR, AI Act, DORA, CSRD, NIS2, MiCA, and sector-specific directives.

Does Cleo track national transpositions of EU directives?

Yes. Cleo's multi-agent pipeline automatically detects when EU directives are transposed into national law and alerts your team with the specific local requirements.

Can Cleo compare regulations across EU member states?

Absolutely. Cleo's multi-jurisdiction comparison feature lets you see how the same directive is implemented differently across member states, highlighting gaps and additional requirements.

🇪🇺European Union

DORA compliance in European Union

DORA (Regulation 2022/2554) creates a unified ICT risk management framework for all EU financial entities. It applies to over 22,000 entities including banks, insurers, investment firms, crypto-asset providers, and their critical ICT suppliers.

Run a Free Scan

Enforcement authority

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

Maximum sanctions

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.

Key obligations

What DORA requires from organizations operating in European Union.

Implement a comprehensive ICT risk management framework with board-level oversight

Report major ICT incidents to national authorities within strict timelines

Conduct advanced threat-led penetration testing (TLPT) every 3 years for significant entities

Maintain a register of all ICT third-party contracts and conduct concentration risk analysis

Share cyber threat intelligence with other financial entities and authorities

Local context in European Union

DORA became applicable on January 17, 2025. The ESAs have published Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that detail specific requirements. Critical ICT third-party providers are directly supervised at EU level.

DORA by industry in European Union

Retail & Consumer Goods Real Estate FinTech HealthTech Insurance Energy & Utilities Sustainability & ESG

Frequently asked questions

How does DORA apply in European Union?

Who enforces DORA in European Union?

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

What are the penalties for DORA non-compliance?

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.

Read our complete DORA compliance guide

DORA in other jurisdictions

🇫🇷France 🇩🇪Germany 🇬🇧United Kingdom 🇺🇸United States 🇧🇷Brazil 🇦🇺Australia 🇮🇳India

Check your DORA compliance now

Run a free scan to see your risk score and applicable obligations.

Run a Free Scan

Key obligations

What DORA requires from organizations operating in European Union.

Implement a comprehensive ICT risk management framework with board-level oversight

Report major ICT incidents to national authorities within strict timelines

Conduct advanced threat-led penetration testing (TLPT) every 3 years for significant entities

Maintain a register of all ICT third-party contracts and conduct concentration risk analysis

Share cyber threat intelligence with other financial entities and authorities

Frequently asked questions

How does DORA apply in European Union?

Who enforces DORA in European Union?

ESAs (EBA, ESMA, EIOPA) for oversight framework designation; national competent authorities (NCAs) for enforcement

What are the penalties for DORA non-compliance?

National authorities determine penalties. Critical ICT providers face fines up to 1% of average daily worldwide turnover for up to 6 months. Periodic penalty payments of up to 0.5% of daily turnover.