EU regulation: Digital Operational Resilience Act (Regulation (EU) 2022/2554)

DORA Compliance: Build Digital Operational Resilience Across ICT Risk, Incidents and Third Parties

DORA (Regulation (EU) 2022/2554) sets a single EU rulebook for ICT risk in the financial sector and has applied since 17 January 2025. Track the obligations, evidence them in living registers, and keep counsel in control.

What is DORA?

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is an EU regulation that harmonises how financial entities manage information and communication technology (ICT) risk so they can withstand, respond to and recover from ICT disruptions such as cyberattacks and system failures. It was adopted by the European Parliament and Council in December 2022, entered into force on 16 January 2023, and has applied since 17 January 2025. DORA is supplemented by a body of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (the EBA, ESMA and EIOPA), and it also creates an EU-level oversight framework for critical ICT third-party service providers (CTPPs).

Who does DORA apply to?

DORA applies broadly across the EU financial sector and, importantly, reaches the ICT providers that serve it. Scope is defined by entity type rather than size, though some requirements are proportionate.

  • Banks, credit institutions, payment and e-money institutions, and account information service providers
  • Investment firms, trading venues, central securities depositories, central counterparties and crypto-asset service providers
  • Insurance and reinsurance undertakings, insurance intermediaries, and institutions for occupational retirement provision (IORPs)
  • Asset managers, including UCITS management companies and alternative investment fund managers (AIFMs)
  • ICT third-party service providers to financial entities, including cloud, software and data providers, with critical providers (CTPPs) brought under direct EU oversight
  • Other regulated players such as credit rating agencies, crowdfunding service providers and data reporting service providers

Key DORA obligations

ICT risk management framework

Establish and maintain a sound, documented ICT risk management framework as part of the overall risk framework, with the management body holding ultimate accountability. It must cover identification, protection, detection, response, recovery, learning and communication.

ICT-related incident management, classification and reporting

Detect, manage, classify and log ICT-related incidents against DORA criteria, then report major ICT-related incidents to the competent authority within the required time limits using the standard templates, with initial, intermediate and final notifications. Significant cyber threats may be notified voluntarily.

Digital operational resilience testing

Run a risk-based testing programme on ICT systems and tools at least annually, covering vulnerability assessments, scenario-based tests and more. Designated significant entities must also perform advanced threat-led penetration testing (TLPT) at least every three years.

ICT third-party risk management

Manage ICT third-party risk across the contract lifecycle, embed mandatory contractual provisions, run pre-contract due diligence and concentration-risk assessment, and apply stricter requirements where a provider supports a critical or important function.

Register of information on contractual arrangements

Maintain a complete register of information on all contractual arrangements for ICT services, at entity, sub-consolidated and consolidated levels, using the prescribed templates, and make it available to competent authorities on request and for annual reporting.

Information sharing and threat intelligence

DORA enables financial entities to exchange cyber threat information and intelligence among trusted communities to strengthen collective resilience, within arrangements that protect confidentiality and comply with data protection rules.

Governance and oversight of critical providers

Governance arrangements must give the management body active oversight of ICT risk and resilience, while critical ICT third-party providers (CTPPs) designated by the ESAs fall under a direct EU oversight framework led by a Lead Overseer.

Key dates

  • 16 January 2023
    DORA entered into force, starting the two-year preparation period before application.
  • 17 January 2025
    DORA became applicable across the EU; financial entities and in-scope ICT providers must comply from this date, alongside the supplementing RTS and ITS.
  • 30 April 2025
    Target milestone for the first submission of registers of information, with competent authorities collecting them from supervised financial entities to pass to the ESAs.
  • Ongoing from 2025
    Designation and direct oversight of critical ICT third-party service providers (CTPPs) by the ESAs, and periodic resilience testing, including TLPT at least every three years for designated entities.

How RegSpace helps with DORA

Draft, source-linked intelligence for your team to review. Not legal advice.

Watcher

Monitors, on a weekly cycle, the EU regulators and legislative trackers that touch DORA, including the ESAs and EU sources, and drafts a source-linked digest of changes such as new or amended RTS and ITS. Where a change hits a policy you have published, it produces a DOCX redline with track-changes for your counsel to review.

Assessor

Scores your uploaded ICT risk, incident-management, resilience-testing and third-party policies against the law and corpus, showing which requirements are missing, partially covered or covered, with a score, so you can see where your DORA documentation falls short before a supervisor does.

GRC Workspace

Gives you the registers DORA leans on, including a risk register with a 5x5 matrix, a controls library, an incidents log, and a vendor register for ICT third parties, plus a review and approval workflow, tickets and dashboards to evidence governance and accountability.

Privacy Inspector toolkit

Scores vendor and third-party risk and reconciles your published notices against the underlying registers, supporting the ICT third-party due diligence and concentration view that DORA expects you to maintain.

Profiler

Builds your compliance profile by crawling your website and classifying your policies, giving your counsel an editable starting point so the DORA-relevant policies on file are mapped before assessment and monitoring begin.

DORA FAQ

Who does DORA apply to?

DORA applies to a wide range of EU financial entities, including banks, payment and e-money institutions, investment firms, trading venues, insurers and reinsurers, asset managers, crypto-asset service providers and more. Critically, it also reaches ICT third-party service providers to those entities, with critical providers (CTPPs) brought under direct EU oversight.

When did DORA come into force and when does it apply?

DORA entered into force on 16 January 2023 and has applied since 17 January 2025. The supplementing RTS and ITS sit alongside it, and the register of information had a first reporting milestone targeted around 30 April 2025.

What are the main obligations under DORA?

The five core pillars are ICT risk management, ICT-related incident management and reporting of major incidents, digital operational resilience testing (including TLPT for designated entities), ICT third-party risk management, and information sharing on cyber threats. Maintaining a register of information on ICT contractual arrangements is a central, evidenced requirement.

What is the DORA register of information?

It is a structured register of all contractual arrangements for ICT services, maintained at entity, sub-consolidated and consolidated levels using prescribed templates. Financial entities must keep it current and make it available to competent authorities on request and for annual reporting to the ESAs.

What is threat-led penetration testing (TLPT) under DORA?

TLPT is advanced, intelligence-led resilience testing that simulates realistic attacks against critical systems. Financial entities designated as significant must conduct TLPT at least every three years, in addition to the broader annual testing programme that all in-scope entities must run.

How does RegSpace help with DORA compliance?

RegSpace monitors the EU sources and ESAs touching DORA and drafts source-linked change digests and policy redlines, scores your uploaded policies against the law to surface gaps, and gives you living registers (risk, controls, incidents, vendors) with review and approval workflows. Its output is draft regulatory intelligence for your qualified counsel to review; RegSpace does not provide legal advice, file anything with a regulator, or guarantee compliance.

Stay ahead of DORA changes, automatically.

RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.