DORA Regulation Explained: What is DORA and why was it introduced?
The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, has been fully applicable to financial entities in the European Union since 17 January 2025. DORA is the European legislator's response to the growing dependence of the financial sector on digital systems and to the frequency and severity of cyber incidents affecting that sector.
The reasons were twofold. First, cybersecurity requirements for financial institutions were highly fragmented: each member state had its own rules, and the broader NIS Directive was not specific enough for the financial sector. Second, the COVID-19 pandemic led to accelerated digitalization and thus an expansion of ICT dependencies and risks.
As an EU Regulation (not a directive), DORA is directly applicable in all EU member states without national transposition legislation. It entered into force on 16 January 2023 and, after a 24-month application period, has applied since 17 January 2025; there is no further grace period for compliance.
Who does DORA apply to?
DORA has a broad scope within the financial sector. The financial entities to which DORA applies include, among others:
- Credit institutions (banks) and branches of third-country banks
- Payment institutions, account information service providers and electronic money institutions
- Investment firms and UCITS management companies
- Managers of alternative investment funds (AIFMs)
- Insurance and reinsurance undertakings, and insurance intermediaries above the SME threshold
- Institutions for occupational retirement provision (pension funds)
- Credit rating agencies
- Central counterparties, central securities depositories, trading venues and trade repositories
- Crypto-asset service providers (CASPs) and issuers of asset-referenced tokens under MiCA
In addition, ICT third-party service providers that the European Supervisory Authorities designate as critical (CTPPs), for example cloud providers and data analytics companies serving many financial institutions, are not financial entities themselves but fall under DORA's oversight framework.
For microenterprises (fewer than 10 persons and annual turnover and/or balance sheet total not exceeding EUR 2 million), simplified rules apply in certain areas; for example, microenterprises are exempt from the TLPT obligation, and a simplified ICT risk management framework applies to a number of small entity types such as small and non-interconnected investment firms.
The five pillars of DORA in detail
Pillar 1 — ICT Risk Management: DORA requires a comprehensive ICT risk management framework that is documented, reviewed at least yearly and continuously improved. This includes: identification of all ICT assets, dependencies and supported business functions, protective measures for continuity, detection capabilities for anomalies and incidents, response and recovery plans (including backup and restoration policies), and post-incident reviews. The framework must be approved by the management body, which bears ultimate responsibility for ICT risk, must oversee its implementation and must maintain sufficient knowledge of ICT risk to do so.
Pillar 2 — ICT-related Incident Management and Reporting: DORA sets strict reporting timelines for major ICT-related incidents. The classification criteria (clients and counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, economic impact) and their materiality thresholds are set out in a Regulatory Technical Standard (RTS) drafted by the European Supervisory Authorities (ESAs). Once an incident is classified as major, three reports go to the competent authority: an initial notification within 4 hours of classification (and no later than 24 hours after the entity became aware of the incident), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Significant cyber threats that have not materialised as incidents may be notified on a voluntary basis.
Pillar 3 — Digital Operational Resilience Testing: Financial entities must maintain a testing programme and test all ICT systems supporting critical or important functions at least yearly. The programme ranges from basic assessments (vulnerability scans, network security assessments, source code reviews, scenario-based tests, penetration tests) to advanced Threat-Led Penetration Testing (TLPT) for entities that the competent authorities identify as significant or systemically important. TLPT is run against live production systems, must be carried out at least every three years, and follows the TIBER-EU methodology, the European framework for intelligence-led red teaming. Testers must meet DORA's independence and competence requirements: internal testers may be used under conditions, but every third test must be performed by external testers, and significant credit institutions must always use external testers.
Pillar 4 — ICT Third-Party Risk: One of the most practically challenging pillars. Financial entities must maintain a register of information covering all contractual arrangements on the use of ICT services provided by ICT third-party providers, flag which arrangements support critical or important functions, and make the register available to the supervisor on request. Minimum contractual provisions apply to every ICT service contract (service descriptions, data processing locations, security and incident-support obligations, termination rights); contracts supporting critical or important functions must additionally cover exit strategies, audit and access rights, SLAs with performance targets, and conditions for sub-contracting. Concentration risk must be assessed before entering into such contracts. Separately, the ESAs can designate ICT third-party providers as critical (CTPPs); each CTPP is assigned a Lead Overseer (EBA, ESMA or EIOPA) and falls under DORA's oversight framework, which is distinct from the supervision of financial entities.
Pillar 5 — Information Sharing: DORA promotes voluntary exchange of cyber threat information and intelligence, including indicators of compromise, tactics and techniques, and security alerts, within the financial sector. Financial entities are encouraged to participate in trusted information-sharing communities and must notify their competent authority when they join or leave such an arrangement. This is partly a response to the observation that individual companies are too reluctant to share threat intelligence that would be valuable to the sector as a whole.
Oversight and enforcement
DORA supervision of financial entities is primarily the responsibility of the national competent authorities, in the Netherlands De Nederlandsche Bank (DNB) and the Dutch Authority for the Financial Markets (AFM). At the European level, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), together the ESAs, draft the technical standards, coordinate supervisory practice in their respective sectors, and act as Lead Overseers for critical ICT third-party service providers.
Penalties for financial entities are not fixed in DORA itself: each member state lays down the administrative penalties and remedial measures, which the national supervisor imposes. For critical ICT third-party service providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for each day of non-compliance with the Lead Overseer's recommendations, for a period of up to six months.
DORA and ISO 27001: complementary frameworks
ISO 27001 provides a solid foundation for DORA compliance but does not cover all requirements. The risk-based approach, the incident management process and the governance requirements of ISO 27001 align well with DORA. However, DORA goes further in three areas: it imposes statutory reporting deadlines (4 hours, 72 hours and one month for major incidents) where ISO 27001 sets none, TLPT is a formal legal obligation with prescribed scope, frequency and tester requirements that goes well beyond the penetration testing expected under ISO 27001, and the third-party requirements (register of information, mandatory contractual clauses, exit strategies) are more detailed and legally binding than the supplier relationship controls in ISO 27001.
The most efficient route to DORA compliance for organisations already certified under ISO 27001 is a targeted gap analysis of DORA-specific requirements, followed by enhancement of existing processes and documentation to address identified gaps.
Practical priorities for DORA implementation
Given the complexity of DORA, we recommend beginning with four priority actions:
- ICT asset and supplier register: map all ICT systems and ICT service contracts, record them in the register of information, and identify which services support critical or important functions.
- Incident classification criteria: implement criteria and procedures to classify ICT-related incidents against the RTS thresholds, and track the 4-hour, 72-hour and one-month reporting deadlines from the moment of classification.
- Board accountability: ensure the management body formally approves the ICT risk management framework and strategy, receives regular reporting, and has the knowledge needed to fulfil its oversight role.
- TLPT planning: if the entity is likely to be in scope for TLPT, start early with selecting a qualified threat intelligence provider and red team and schedule the triennial test in consultation with the competent authority.