nexalign

What is DORA? Digital Operational Resilience Act

DORA is EU Regulation 2022/2554 on digital operational resilience in the financial sector. It is directly applicable in all EU member states and has applied since 17 January 2025. DORA replaces fragmented national rules with a single EU standard for ICT risk management, incident reporting, resilience testing and third-party governance.

Who is in scope?

DORA covers around 20 categories of financial entities in the EU plus critical ICT third-party service providers designated by the ESAs. The perimeter is broader than under MiFID or CRD alone.

Credit institutions, payment institutions, e-money institutions. Investment firms, crypto-asset service providers (CASPs under MiCA). CSDs, CCPs, trading venues, trade repositories.

Insurance and reinsurance undertakings, insurance intermediaries. Occupational pension institutions. AIFMs and UCITS management companies.

Credit rating agencies, administrators of critical benchmarks. Crowdfunding service providers, securitisation repositories, crypto-asset service providers. Plus critical ICT third-party providers (Art. 31), under direct EU oversight.

The five pillars

Pillar 1: ICT risk management framework (Art. 5-16). The management body approves the framework and reviews it at least annually; the framework must include a documented strategy, clearly assigned responsibilities, ICT asset management, and capabilities for detection, protection, response and recovery.

Pillar 2: ICT incident management and reporting (Art. 17-23). RTS-based classification, 24 h / 72 h / 1 month deadlines, voluntary reporting of significant cyber threats.

Pillar 3: Digital operational resilience testing (Art. 24-27). At least annual baseline tests, Threat-Led Penetration Testing (TLPT) at least every three years for significant entities.

Pillar 4: Management of ICT third-party risk (Art. 28-44). Information register, due diligence, mandatory Art. 30 clauses, tested exit strategy, concentration-risk analysis.

Pillar 5: Information sharing on cyber threats (Art. 45). Voluntary participation in threat-intelligence communities with privacy safeguards.

Art. 28-30: the hard third-party regime

Art. 28 demands a documented ICT third-party risk strategy, an information register of all contracts, pre-contract due diligence, continuous monitoring, a tested exit strategy and an explicit concentration-risk assessment.

Art. 29 extends to system-wide concentration risk: the competent authority may issue directions when a market becomes too dependent on one ICT third-party provider.

Art. 30 lists the mandatory contract clauses. For normal functions: clear service description, location, SLAs, availability arrangements, data paths, termination, audit rights. For critical or important functions, additionally: extensive audit rights, full sub-outsourcing control, exit strategies with appropriate transition periods, incident reporting duties, cooperation with supervisors.

Practical implication: every cloud, SaaS or outsourcing memo of a financial entity must address Art. 28-30 explicitly before signing.

TLPT, Threat-Led Penetration Testing

TLPT is governed by Art. 26-27 DORA. It is required at least every three years for significant financial entities, which are identified by the national competent authority (BaFin in Germany). The methodology is aligned with TIBER-EU: threat-intelligence-driven scenarios, tests run against production environments, strict separation between the testers and the entity, and reporting to the supervisor. Non-compliance can trigger supervisory directions or fines.

Incident reporting under DORA

Initial notification: within 24 hours of classifying an incident as major. Content: first information, suspected cause, preliminary impact assessment.

Interim notification: within 72 hours of classification. Content: updated data on severity, impact, mitigations, indicators.

Final report: at the latest one month after the incident. Content: full root-cause analysis, applied measures, lessons learned, financial impact.

Classification criteria are set in the RTS on incident classification: affected customers, duration, geographic spread, data integrity, criticality of services, economic damage, reputation.

Sanctions

DORA itself does not set a single fine framework; sanctions follow national law. In Germany, the Finanzmarktdigitalisierungsgesetz (FinmadiG) applies. Expected fines range from hundreds of thousands to millions of euros per breach, plus personal management body liability. For critical ICT third-party providers under direct EU oversight, daily periodic penalty payments can be imposed.

What financial entities should do now

1. Formally approve an ICT risk-management framework, documented and signed off by the management body.

2. Build an information register of all ICT third-party providers, mapping critical/important vs. supporting.

3. Review existing contracts against Art. 30, renegotiate missing mandatory clauses. New contracts only with compliant clauses.

4. Implement and test incident classification and reporting. An untested reporting chain is a DORA risk.

5. Clarify TLPT applicability: am I significant? If yes, pre-qualify providers, design test plans.

6. Run structured IT decisions with DORA mapping: every memo on EDR, IAM, cloud, SIEM or outsourcing documents Art. 5 (framework), Art. 28-30 (third-party), and Art. 26 (testing) where relevant.

DecisionOS and DORA

DecisionOS is the decision infrastructure for DORA-relevant IT procurement. Each decision memo maps directly to Art. 5, Art. 28-30 and DORA mandatory clauses, documents stakeholder alignment across CISO / CRO / Legal / Board, keeps dealbreakers (EU data residency, exit strategy, audit rights) visible, and produces a Readiness Score that signals supervisory readiness. EU-hosted in Nuremberg, Germany. Book a demo at nexalign.io/book.