DORA
Digital Operational Resilience Act compliance for financial entities and their critical ICT providers.
Do you need to act on DORA?
DORA applies to financial entities and the ICT providers that serve them.
You likely need this if
- You are a bank, insurer, investment firm, payment or crypto-asset provider, or similar EU financial entity
- You are an ICT third-party provider serving financial entities
- You need to evidence ICT risk management, resilience testing and incident reporting
- You must manage and document third-party ICT and concentration risk
Not sure where you land? A short scoping call will tell you plainly, including if you do not need this yet.
What is DORA?
The Digital Operational Resilience Act (DORA) establishes a uniform framework for the effective and comprehensive management of digital operational risk in the financial sector. It applies to financial entities - banks, insurers, and investment firms - and their critical third-party ICT providers.
Core Requirements & Our Services
ICT Risk Management
Manage ICT risks with comprehensive governance and security frameworks.
ICT-Related Incident Reporting
Report major digital incidents within strict twenty-four-hour windows.
Digital Operational Resilience Testing
Validate network security through mandatory penetration testing and audits.
ICT Third-Party Risk Management
Evaluate supply-chain risks and audit third-party service providers.
Information Sharing
Manage threat intelligence feeds and community-based alert systems.
Staff Training
Provide workforce awareness training to fulfil human factor requirements.
The full DORA capability set
From gap analysis to board reporting - everything in one programme.
Gap analysis & readiness assessment
Baseline your controls against the five DORA pillars.
Tailored service bundles by sector
Bundles for banks, insurers, investment firms, and fintechs.
Incident response & forensic readiness
24/72-hour reporting playbooks and evidence capture.
Audit-ready reports for regulators
Evidence packs mapped to each DORA obligation, board-ready.
Employee training & awareness
Training aligned with DORA and your HR security clauses.
Supply chain & third-party risk
ICT provider risk scoring and a maintained vendor register.
Continuous monitoring
Always-on control telemetry and drift detection.
Executive dashboards
Live resilience posture and compliance status for the board.
Take a look inside the board report
This export-ready sample shows how our reporting structure aligns with DORA and can be presented to your board or regulatory body - every section, exactly as they'll see it.
- 01 Operational Resilience Score p.2
- 02 Critical Third-Party Map p.4
- 03 Testing Maturity p.6
- 04 Incident Response Readiness p.8
FAQ - Digital Operational Resilience Act
Does DORA apply to all financial entities, including small ones?
Yes. The DORA framework applies to nearly all financial entities, including small investment firms, insurance brokers, payment institutions, and credit institutions.
However, microenterprises (typically under 50 employees and 10 million euro annual revenue) may benefit from simplified risk management rules proportionate to their size. Despite simplified requirements, they must still comply with core DORA obligations including incident reporting, basic ICT risk management, and third-party risk oversight. There are no blanket exemptions - compliance is mandatory across the financial sector.
How does DORA relate to NIS2?
DORA and NIS2 are complementary but distinct frameworks.
| Dimension | DORA | NIS2 Directive |
|---|---|---|
| Scope | Financial sector only (banks, insurers, investment firms) | All essential/important entities across 18 critical sectors |
| Nature | Lex specialis (sector-specific regulation) | Lex generalis (general cybersecurity framework) |
| Precedence | Takes precedence for financial entities | General baseline, superseded by DORA in finance |
| Focus | Digital operational resilience and financial stability | Broad cybersecurity and operational resilience |
| Third-party risk | Detailed ICT provider oversight (including TPPs) | General supply-chain security requirements |
| Testing | Mandatory resilience testing (including penetration testing) | Vulnerability management, incident response |
DORA is a lex specialis for the financial sector, so its specific rules take precedence over the more general NIS2 framework for financial entities. Prioritize DORA compliance while using NIS2 as a supplementary baseline for non-financial operations.
What are the five pillars of DORA?
DORA focuses on five core pillars that form the foundation of digital operational resilience.
| Pillar | Key requirements |
|---|---|
| 1. Governance & Organization | Board accountability, clear roles, ICT risk management framework, policies and procedures |
| 2. ICT Risk Management | Asset inventory, logical and physical security, access control, encryption, network segmentation, backups |
| 3. Incident Reporting | Classification criteria, 24-hour early warning, detailed report within 72 hours, final report within 1 month |
| 4. Resilience Testing | Annual testing program, penetration testing, vulnerability scanning, TLPT for critical entities |
| 5. Third-Party Risk Management | ICT provider risk assessments, contractual requirements, exit strategies, critical TPP oversight |
All five pillars must be implemented comprehensively, with integrated policies covering governance, technical controls, incident response, testing schedules, and vendor management.
Does DORA require penetration testing?
Yes. DORA mandates penetration testing to validate network security and demonstrate operational resilience. Required activities include:
- Annual penetration testing of ICT systems touching critical or important functions.
- External-perspective testing (simulating an attacker's viewpoint).
- Internal network testing (validating segmentation effectiveness).
- Application-level testing for critical financial applications.
- Threat-led penetration testing (TLPT) for critical entities.
Testing must be conducted by qualified personnel with financial-sector expertise, results documented, vulnerabilities remediated within defined SLAs, and findings reported to the Board.
What are DORA's incident reporting timelines?
DORA sets strict incident reporting timelines, similar to NIS2.
| Stage | Timeline | Requirements |
|---|---|---|
| Early warning | 24 hours from detection | Initial notification, incident classification, impact assessment |
| Detailed report | 72 hours from detection | Comprehensive analysis, root cause, affected systems, data impact, remediation |
| Final report | 1 month from detection | Complete timeline, forensic findings, lessons learned, preventive measures |
Be ready for the 24-hour early-warning window with detection capabilities, classification procedures, and reporting templates. Classification follows DORA criteria (major vs non-major) based on impact duration, data loss, financial impact, and service disruption.
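The classification and timeline steps above, as an added example that is not part of the page or the consultancy's own tooling. It classifies a constructed incident on the four impact dimensions the FAQ names and tracks each of the three reporting stages against a deadline measured from detection. The major/non-major thresholds and the 30-day reading of "1 month" are placeholders chosen for the example; the real criteria come from DORA's technical standards.

```python
"""Added example (not from the page): classify an ICT incident and track the
three DORA reporting stages against deadlines measured from detection.

Thresholds below are constructed placeholders, not the regulatory values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    name: str
    detected_at: datetime
    impact_hours: float          # duration of the service disruption
    clients_affected: int
    data_loss: bool
    financial_impact_eur: float


# Placeholder thresholds (assumption, not DORA's values): crossing any one
# of them makes the incident "major".
MAJOR_IMPACT_HOURS = 2.0
MAJOR_CLIENTS = 1_000
MAJOR_FINANCIAL_EUR = 100_000.0

# Reporting stages named on the page, measured from detection.
# "1 month" is approximated as 30 days here (assumption).
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("detailed_report", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)


def classify(inc: Incident) -> str:
    """Major if any of the four impact dimensions crosses its threshold."""
    is_major = (
        inc.impact_hours >= MAJOR_IMPACT_HOURS
        or inc.clients_affected >= MAJOR_CLIENTS
        or inc.data_loss
        or inc.financial_impact_eur >= MAJOR_FINANCIAL_EUR
    )
    return "major" if is_major else "non-major"


def deadlines(detected_at: datetime) -> dict:
    """Absolute deadline for each reporting stage."""
    return {stage: detected_at + offset for stage, offset in STAGES}


def reporting_status(inc: Incident, submitted: dict, now: datetime) -> dict:
    """Per-stage status for a major incident: submitted, submitted late,
    overdue or due. `submitted` maps a stage name to the time the report
    was actually sent. Non-major incidents have no mandatory timeline here."""
    if classify(inc) != "major":
        return {}
    status = {}
    for stage, due in deadlines(inc.detected_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted late" if sent > due else "submitted"
        elif now > due:
            status[stage] = "overdue"
        else:
            status[stage] = "due"
    return status


def status_after(inc: Incident, submitted_hours: dict, elapsed_hours: float) -> dict:
    """Convenience wrapper: submission times and 'now' given as hours after detection."""
    submitted = {s: inc.detected_at + timedelta(hours=h) for s, h in submitted_hours.items()}
    return reporting_status(inc, submitted, inc.detected_at + timedelta(hours=elapsed_hours))


def sample_incidents():
    """Two constructed incidents: a major outage and a minor one."""
    detected = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    major = Incident("payment gateway outage", detected, 3.0, 2_500, False, 50_000.0)
    minor = Incident("internal wiki slowdown", detected, 0.5, 10, False, 500.0)
    return major, minor


if __name__ == "__main__":
    major, minor = sample_incidents()
    print(classify(major), status_after(major, {"early_warning": 5}, 80))
    print(classify(minor), status_after(minor, {}, 80))
```

Running the block prints the major outage with its early warning submitted, the detailed report already overdue at the 80-hour mark, and the final report still due; the minor incident yields no mandatory stages. In practice the thresholds and the detection timestamp would come from the incident management system rather than being hard-coded.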
Does DORA require third-party risk management?
Yes. DORA requires comprehensive third-party risk management (TPRM), including:
- Risk evaluations for all ICT service providers (software vendors, cloud providers, data centers).
- Contractual requirements defining security obligations, incident reporting, audit rights, and exit clauses.
- Supply-chain risk assessments identifying threats posed by third-party providers.
- Critical TPP oversight for providers designated 'critical' (such as major cloud providers).
- Exit strategies ensuring you can migrate services if a vendor fails.
- Continuous monitoring of provider security posture, compliance status, and incident history.
DORA specifically addresses concentration risk (many firms using the same provider) and subcontracting risk. Maintain an inventory of all ICT providers with risk ratings and monitoring schedules.
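The provider inventory and concentration analysis described above, as an added example that is not the page's own tooling. The register rows are constructed sample data with placeholder provider names. The point it adds to the prose is that concentration risk is only visible once subcontracting is followed: a provider that looks like a single dependency in the direct view can turn out to underpin several critical functions through other vendors.

```python
"""Added example (not from the page): an ICT provider register with
concentration-risk and subcontracting analysis. Entries are constructed
sample data; provider names are placeholders."""
from collections import defaultdict

# One row per (provider, supported business function). `subcontractors` lists
# the providers this provider itself relies on; `exit_strategy` records whether
# a documented, tested migration plan exists for the dependency.
REGISTER = [
    {"provider": "CloudCo", "function": "core banking", "critical": True,
     "subcontractors": [], "exit_strategy": True},
    {"provider": "CloudCo", "function": "payments", "critical": True,
     "subcontractors": [], "exit_strategy": False},
    {"provider": "PayProc", "function": "card processing", "critical": True,
     "subcontractors": ["CloudCo"], "exit_strategy": True},
    {"provider": "HRSaaS", "function": "HR portal", "critical": False,
     "subcontractors": ["CloudCo"], "exit_strategy": False},
    {"provider": "MailCo", "function": "customer email", "critical": False,
     "subcontractors": [], "exit_strategy": True},
]


def direct_dependencies(register):
    """provider -> set of critical functions it directly supports."""
    deps = defaultdict(set)
    for row in register:
        if row["critical"]:
            deps[row["provider"]].add(row["function"])
    return dict(deps)


def effective_dependencies(register):
    """provider -> critical functions that reach it directly or through one
    level of subcontracting (the concentration a direct view misses)."""
    deps = defaultdict(set)
    for row in register:
        if not row["critical"]:
            continue
        deps[row["provider"]].add(row["function"])
        for sub in row["subcontractors"]:
            deps[sub].add(row["function"])
    return dict(deps)


def concentration_risks(register, threshold=2):
    """Providers on which at least `threshold` critical functions depend,
    counting subcontracting, sorted by exposure (largest first)."""
    eff = effective_dependencies(register)
    hits = [(p, sorted(f)) for p, f in eff.items() if len(f) >= threshold]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


def exit_gaps(register):
    """Critical functions with no documented exit strategy."""
    return sorted(
        (row["provider"], row["function"])
        for row in register
        if row["critical"] and not row["exit_strategy"]
    )


if __name__ == "__main__":
    print("direct:", direct_dependencies(REGISTER))
    print("concentration:", concentration_risks(REGISTER))
    print("exit gaps:", exit_gaps(REGISTER))
```

On the sample data the direct view shows two critical functions on the cloud provider, while the effective view adds the card-processing function that reaches it through the payment processor's subcontracting. The same register can feed the risk ratings and monitoring schedule the paragraph calls for.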
Does DORA require employee security training?
Absolutely. DORA mandates human-resources security requirements, including:
- Continuous cybersecurity awareness training for all employees (annual minimum).
- Role-based training for ICT staff, security teams, and incident responders.
- Phishing simulation exercises to test employee vigilance.
- Incident response training for relevant personnel.
- Background checks for personnel accessing critical ICT systems.
- Security policy acknowledgments confirming understanding.
Training must be documented, with attendance, completion rates, and assessment results reported to the Board. Critical roles should receive more frequent updates.
What should a DORA Board report contain?
DORA requires Board-level accountability for digital operational resilience. Executive reports must include:
| Component | Description |
|---|---|
| Compliance status | Implementation progress, mandatory control completion, remaining gaps |
| Risk overviews | Top ICT risks, severity ratings, mitigation status, emerging threats |
| Incident handling | Response readiness, recent incidents, detection/response metrics, forensics |
| Vulnerability posture | Vulnerability landscape, patch status, critical unpatched systems, timelines |
| Testing results | Penetration and resilience testing outcomes, TLPT results, remediation progress |
| Third-party risk | ICT provider assessments, critical TPP oversight, contract compliance, exit readiness |
| Resource & budget | Training, technology investment, and personnel needs for continued compliance |
Board reports should be quarterly (minimum), concise, risk-focused, and actionable.
Should we start with a gap analysis?
Yes. A gap analysis and readiness assessment is the recommended first step to find where current systems fall short of DORA's mandatory requirements. Deliverables include:
- A current-state assessment across all five DORA pillars.
- A mandatory-control inventory mapping existing controls to DORA requirements.
- Gap identification highlighting missing controls, policies, or technical capabilities.
- Risk prioritization categorizing gaps by severity.
- A remediation roadmap with timeline, resources, and milestones.
- Resource estimation for tools, training, consultancy, and implementation.
How do we demonstrate operational resilience?
DORA defines operational resilience as the ability to prevent, detect, respond to, and recover from ICT disruptions while maintaining critical functions. Demonstration requires:
| Element | Implementation requirements |
|---|---|
| Proactive threat detection | Continuous monitoring, anomaly detection, SIEM, threat intelligence |
| Vulnerability management | Systematic patching, vulnerability scanning, remediation SLAs by severity |
| Resilience validation | Annual testing, penetration testing, incident response drills, BC testing |
| Continuous monitoring | Real-time performance monitoring, availability tracking, capacity management |
| Forensic readiness | Investigation capabilities, evidence preservation, forensic tooling |
| Incident response | Documented procedures, response team, communication plans, regulatory workflows |
| Recovery capabilities | Backup strategies, disaster recovery plans, exit strategies for critical TPPs |
Demonstrate measurable resilience through testing results, incident metrics (MTTD, MTTR), uptime statistics, and Board oversight documentation. Regulators expect continuous improvement, not one-time compliance.
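The incident metrics mentioned above (MTTD, MTTR) computed from a constructed incident history and checked against per-severity targets, as an added example that is not the page's own code. The records, the severity labels and the target hours are all constructed; MTTD is measured from fault onset to detection and MTTR from detection to restoration.

```python
"""Added example (not from the page): MTTD and MTTR per severity from incident
records, checked against remediation targets. All values are constructed."""
from datetime import datetime
from statistics import mean

# Constructed incident history: fault onset, detection, and service restoration.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",
     "occurred": datetime(2025, 2, 1, 8, 0),
     "detected": datetime(2025, 2, 1, 8, 30),
     "resolved": datetime(2025, 2, 1, 12, 30)},
    {"id": "INC-2", "severity": "high",
     "occurred": datetime(2025, 2, 10, 22, 0),
     "detected": datetime(2025, 2, 10, 23, 30),
     "resolved": datetime(2025, 2, 11, 5, 30)},
    {"id": "INC-3", "severity": "low",
     "occurred": datetime(2025, 2, 15, 9, 0),
     "detected": datetime(2025, 2, 15, 15, 0),
     "resolved": datetime(2025, 2, 17, 9, 0)},
]

# Constructed targets in hours (assumption): how fast each severity must be
# detected (mttd) and restored after detection (mttr).
TARGETS_HOURS = {
    "high": {"mttd": 1.0, "mttr": 4.0},
    "low": {"mttd": 24.0, "mttr": 72.0},
}


def _hours(delta):
    return delta.total_seconds() / 3600


def metrics_by_severity(incidents):
    """severity -> {'mttd': hours, 'mttr': hours, 'count': n}."""
    groups = {}
    for inc in incidents:
        g = groups.setdefault(inc["severity"], {"detect": [], "restore": []})
        g["detect"].append(_hours(inc["detected"] - inc["occurred"]))
        g["restore"].append(_hours(inc["resolved"] - inc["detected"]))
    return {
        sev: {"mttd": mean(g["detect"]), "mttr": mean(g["restore"]), "count": len(g["detect"])}
        for sev, g in groups.items()
    }


def target_breaches(incidents, targets):
    """(severity, metric, actual_hours, target_hours) for each mean that
    exceeds its target; an empty list means every target is met."""
    breaches = []
    for sev, m in metrics_by_severity(incidents).items():
        for metric in ("mttd", "mttr"):
            if m[metric] > targets[sev][metric]:
                breaches.append((sev, metric, round(m[metric], 2), targets[sev][metric]))
    return breaches


if __name__ == "__main__":
    print(metrics_by_severity(INCIDENTS))
    print(target_breaches(INCIDENTS, TARGETS_HOURS))
```

On the sample data the high-severity detection target is met exactly while restoration overshoots it, which is the kind of trend a quarterly Board report would track period over period rather than as a one-off figure.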