DORA Compliance Guide 2026
The Digital Operational Resilience Act (DORA, Regulation 2022/2554) is the EU's framework for managing ICT risks in the financial sector. It has been fully applicable since January 17, 2025. This guide covers the five pillars of DORA and what financial entities need to do to comply.
What is DORA?
DORA establishes a unified regulatory framework for digital operational resilience across the EU financial sector. It applies to over 22,000 financial entities and ICT third-party service providers, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical technology vendors.
Unlike previous regulations that addressed ICT risk in fragments, DORA creates a comprehensive, harmonized approach to ensure financial entities can withstand, respond to, and recover from ICT-related disruptions and cyber threats.
The five pillars of DORA
1. ICT Risk Management (Articles 5-16)
Financial entities must establish a comprehensive ICT risk management framework: risk identification, protection measures, detection capabilities, response and recovery procedures, and continuous learning. The management body bears ultimate responsibility and must receive regular training on ICT risks.
2. ICT Incident Reporting (Articles 17-23)
Mandatory classification and reporting of major ICT-related incidents to competent authorities. Entities must maintain an incident management process, classify incidents using defined criteria (clients affected, data loss, geographical spread, duration), and submit initial, intermediate, and final reports within prescribed timeframes.
3. Digital Operational Resilience Testing (Articles 24-27)
Regular testing of ICT systems: vulnerability assessments, penetration testing, network security, and scenario-based testing. Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) at least every three years, following the TIBER-EU framework.
4. ICT Third-Party Risk Management (Articles 28-44)
Due diligence on ICT service providers, contractual requirements (data location, audit rights, exit strategies), and concentration risk monitoring. The European Supervisory Authorities (ESAs) will directly oversee Critical ICT Third-Party Providers (CTPPs) designated by the Joint Committee.
5. Information Sharing (Article 45)
Voluntary exchange of cyber threat intelligence between financial entities within trusted communities. Entities must notify competent authorities of their participation in information-sharing arrangements.
Who must comply with DORA?
DORA applies to 21 categories of financial entities, including:
Key dates and timeline
January 16, 2023: DORA entered into force.
January 17, 2025: Full application date; all requirements are enforceable.
April 2025: First batch of Regulatory Technical Standards (RTS) adopted by the ESAs.
H2 2025: Designation of the first Critical ICT Third-Party Providers (CTPPs).
2026: Ongoing supervisory activities and the first TLPT cycles for significant entities.
Penalties for non-compliance
National competent authorities can impose administrative penalties and remedial measures, including periodic penalty payments of up to 1% of average daily global turnover for each day of non-compliance, for a maximum of six months. For Critical ICT Third-Party Providers, the ESAs can impose fines up to €5 million (or €500,000 for individuals).
How Cleo helps with DORA compliance
Cleo Labs continuously monitors DORA-related regulatory developments across all EU member states and the three European Supervisory Authorities (EBA, ESMA, EIOPA). The platform tracks Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS), and supervisory guidance as they are published.
For financial entities, Cleo maps your ICT third-party providers to DORA obligations, monitors concentration risk signals, and generates audit-ready compliance reports with risk scores and source traceability, reducing third-party due diligence from 5 days to under 2 hours.