Glossary term
DORA
Also: Digital Operational Resilience Act, Regulation (EU) 2022/2554
EU regulation on digital operational resilience in the financial sector, directly applicable since 17 January 2025. It rests on five pillars: ICT risk management, incident management, resilience testing (including TLPT), third-party governance, and information sharing.
DORA is a regulation, not a directive, so it applies directly in all EU member states without national transposition. It covers around 20 categories of financial entities plus critical ICT third-party providers, which fall under direct EU supervision.
Articles 28-30 set out the binding third-party regime: an information register, due diligence, and mandatory contractual clauses that differ for normal versus critical or important functions (audit rights, sub-outsourcing, exit, SLAs, data residency).
Articles 26-27 require Threat-Led Penetration Testing (TLPT) at least every three years for significant entities, methodologically aligned with TIBER-EU. Incident-reporting deadlines: 24 h for the initial notification, 72 h for the interim report, 1 month for the final report.
Related terms
NIS2
EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 Germa…
ICT Third-Party Risk
Umbrella term for risks arising from the use of external ICT suppliers: cloud providers, SaaS providers, M…
TLPT (Threat-Led Penetration Testing)
An authority-supervised, intelligence-led penetration test that DORA requires for significant fina…
Dealbreaker
A hard requirement that immediately disqualifies an option if not met, independent of weighted scori…
Decision memo
A short structured document that captures why a decision was made, the options considered, the crite…
Defensible record
A single versioned artefact that captures a decision in enough structure, with enough evidence and s…
DLP
Software category for detecting and preventing unauthorised data outflow. Operates on endpoints, net…
DMARC / DKIM / SPF
Three standards that together authenticate email senders and impede spoofing. SPF authenticates the …
