The complete operational resilience playbook for credit institutions: ECB SSM supervision, TLPT scoping, ICT risk integration with ICAAP/SREP, third-party concentration risk and incident reporting timelines.
DORA applies to all EU banks — ECB-supervised significant institutions, less significant institutions, and EU branches of third-country banks. Since 17 January 2025 they must run an ICT risk-management framework, classify and report major incidents (4h / 72h / 1-month), maintain a Register of Information, oversee ICT third parties under Article 30, and perform threat-led penetration testing (TLPT) where designated.
Banks operate at the intersection of two structural realities that make DORA particularly consequential. First, modern retail and corporate banking is fundamentally a digital service: core banking platforms, payment rails, mobile channels, anti-money-laundering screening, fraud detection and trading desks all run on ICT stacks where a 30-minute outage can produce hundreds of millions of euros in lost transactions, supervisory notifications and reputational damage. Second, banks are systemically connected — a failure at a single bank can propagate through correspondent banking, payment systems and counterparty exposures across the European financial system.
Before DORA, ICT risk supervision was fragmented across the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), the EBA Outsourcing Guidelines, sectoral PSD2 incident reporting, and national supervisory practices. This fragmentation produced inconsistent expectations, double-reporting and gaps. DORA replaces the patchwork with a single, directly-applicable Regulation (EU) 2022/2554 with technical standards binding across all 27 Member States.
For credit institutions specifically, DORA elevates ICT risk to the same level of supervisory attention historically reserved for credit and market risk. The ECB's 2025-2027 supervisory priorities placed "operational resilience and digitalisation" as a top-three concern, alongside credit risk and business model sustainability. National competent authorities (BaFin, ACPR, DNB, Banco de España, Banca d'Italia, Finansinspektionen, FMA, CSSF and others) coordinate with the ECB Joint Supervisory Teams (JSTs) to inspect ICT risk frameworks during regular SREP cycles and on-site inspections.
DORA applies directly to all credit institutions authorised under Directive 2013/36/EU (CRD). Within that universe, three supervisory tiers shape how the regulation is enforced day-to-day:
Directly supervised by the ECB under the Single Supervisory Mechanism (SSM) as of 2025. JSTs lead DORA inspections, often in coordination with the national authority. These banks face the deepest scrutiny — full ICT risk framework reviews, on-site inspections, and SREP integration.
Supervised by national competent authorities. The ECB sets the supervisory framework via the SSM but day-to-day inspection is national. NCAs apply the simplified ICT risk framework (Article 16) for the smallest LSIs, full framework for larger ones.
Subject to DORA on the same basis as EU-incorporated entities for activities carried out in the Union. Branches must maintain a register of information for EU-related ICT contracts and report incidents affecting EU operations through their host NCA.
DORA's 64 articles map onto five operational pillars. Below is what each pillar means specifically for a credit institution, with the binding article references and the related RTS that operationalise them.
Credit institutions must maintain an ICT risk management framework that is documented, board-approved, and integrated with overall risk management. The framework covers identification of ICT-supported business functions, classification of information assets, protection through layered controls (Article 9), continuous threat detection (Article 10), response and recovery procedures (Articles 11–12), and learning from incidents (Article 13). The Commission Delegated Regulation 2024/1774 (RTS on ICT risk framework) specifies minimum content for security policies, network segmentation, identity and access management, encryption, change management and ICT business continuity policy.
For banks, integration with ICAAP and the operational risk inventory under CRR is critical. The board must define ICT risk appetite as part of the broader risk appetite statement and validate that ICT risk is captured in stress testing scenarios.
Banks must operate an end-to-end incident management process that detects, classifies, contains, recovers and reports ICT-related incidents. Major incidents trigger external reporting under harmonised criteria (RTS on classification): clients affected, geographic spread, duration, data integrity impact, economic impact, reputational impact, and impact on critical services. Significant cyber threats (not yet incidents) are reported on a voluntary basis under Article 19.
Reporting timelines are uniform: initial notification within 4 hours of classification (max 24h after detection), intermediate report within 72h, final report within one month. Banks already submitting PSD2 incident reports use the consolidated DORA template — no double reporting.
All banks must conduct an annual programme of digital operational resilience testing including vulnerability assessments, scenario-based tests, network security assessments, gap analyses, source code reviews where relevant and physical security tests. Testing must cover all critical or important ICT systems and be performed by independent parties — internal testers are acceptable provided independence safeguards are documented. Significant banks designated under Article 26 also conduct Threat-Led Penetration Testing (TLPT) at least every 3 years (see below).
This is where banks face the largest operational lift. Article 28 sets the principles, Article 29 mandates the Register of Information, Article 30 lists the mandatory contractual clauses (audit rights, exit strategies, sub-outsourcing rules, data location), Article 31–44 establish the Oversight Framework for Critical ICT Third-Party Providers (CTPPs). For banks heavily reliant on cloud, SaaS providers, market data vendors and payment infrastructure, this means renegotiating hundreds of contracts, building a real-time register and aligning vendor management with the lead overseer regime.
Voluntary participation in trusted communities for cyber threat information sharing. Banks typically join via FS-ISAC, national CERT-Bank arrangements (e.g., DSGV CERT in Germany, ABE-Lab in Spain) or the European Cyber Resilience Information Sharing Platform. Article 45 explicitly authorises sharing of cyber threat indicators and tactics, techniques and procedures (TTPs), removing prior legal uncertainties under GDPR for legitimate cyber-defence sharing.
For SSM-supervised banks, the most consequential reality is that DORA does not exist in a regulatory silo. The ECB has integrated DORA-aligned ICT risk assessment into the Supervisory Review and Evaluation Process (SREP), the cycle that determines Pillar 2 Requirements (P2R) capital add-ons. This means weak ICT risk management directly translates into higher capital requirements.
A weak SREP score on ICT risk (3 or 4 on the 1-4 scale) typically translates into 25-100 basis points of additional P2R, depending on bank size and concrete findings. For a mid-size bank with €30bn RWA, 50 basis points equals €150m of additional CET1 — a significant quantum that justifies investment in remediation.
Threat-Led Penetration Testing under Article 26 is the most operationally demanding DORA requirement for designated banks. Unlike traditional penetration testing, TLPT simulates realistic adversaries (red team) operating against the live production environment, with only a small "white team" aware. The methodology aligns with the TIBER-EU framework that several NCAs already operated as a voluntary regime.
Article 26(8) requires NCAs to designate financial entities for TLPT based on size, risk profile and systemic importance. In practice for the banking sector this means:
European banking is now massively cloud-dependent. EBA's 2024 risk dashboard reported that over 70% of significant banks rely on at least one of the three hyperscalers (AWS, Microsoft Azure, Google Cloud) for at least one critical or important function. DORA Article 29 forces this concentration into the open and subjects it to active supervisory oversight.
Article 28(8) and the related RTS require documented, tested exit strategies for every contract supporting a critical or important function. For cloud, "exit" rarely means "lift-and-shift back to on-premises in a weekend" — supervisors accept that realistic exit horizons are 12-36 months for core platforms, but they expect: an alternative provider identified, contracted reversibility (data extraction at no extra cost), tested data export (annual extraction validation), defined transition period, and budget reserved.
Major incident classification under the RTS on incident classification uses six primary criteria and three secondary criteria. For banks, the most frequently triggering criteria are:
Primary. Any incident affecting more than 10% of clients OR more than 100,000 clients OR more than 30% of transactions in a banking day.
Primary. Incident affecting clients in two or more Member States.
Primary. Service unavailability greater than 24 hours, OR service degradation longer than 7 days.
Primary. Direct/indirect cost > €100,000 or > 0.1% of net interest income (lower of).
Primary. Successful data integrity violation or unauthorised access to confidential client data.
Primary. Impact on a critical or important function (RTS-listed banking critical functions).
The clock starts at classification as major, not at detection — but a major incident must be classified within 24 hours of detection. The internal challenge for banks is the speed of classification governance: a clear playbook, an empowered duty officer, and pre-cleared escalation channels to the executive team and NCA contact.
Article 29 requires every authorised legal entity to maintain a Register of Information covering all contractual arrangements for the use of ICT services. The register is the single most data-intensive DORA artefact — and the most frequent source of supervisory findings.
The register must be submitted to the competent authority annually by 30 April, in XBRL/XML format following the Commission Implementing Regulation template. The first full submission cycle (2025) revealed material data quality issues at most banks: missing LEIs, inconsistent service taxonomy, gaps in sub-outsourcing data, unclear function-to-contract mapping.
DORA's enforcement architecture combines direct administrative fines with supervisory measures applied through existing prudential channels. For banks under SSM supervision, the ECB's Section 13 enforcement powers, public censures, and Pillar 2 add-ons amplify the formal DORA fine framework.
| Violation Type | Maximum Fine | Article |
|---|---|---|
| Failure to comply with ICT risk management requirements (Articles 5-16) | 2% of total annual worldwide turnover | Art. 50(4) |
| Failure to report major ICT incidents within timelines | 2% of total annual worldwide turnover | Art. 50(4) |
| Failure to conduct required resilience testing including TLPT | 2% of total annual worldwide turnover | Art. 50(4) |
| Failure to manage ICT third-party risk (Articles 28-30) | 2% of total annual worldwide turnover | Art. 50(4) |
| Natural persons responsible for non-compliance | €1,000,000 | Art. 50(4)(b) |
| Supervisory measures (independent of fines) | Public censure, suspension of activities, withdrawal of authorisation | Art. 50(7) |
For a mid-to-large bank starting from a CRD/EBA baseline, full DORA alignment realistically takes 12-18 months. The following sequence reflects what works in practice — the deliverable order matters because several streams have hard dependencies.
Article-by-article gap mapping against current state. Focus areas: ICT risk framework, register completeness, contract clauses, incident classification governance, testing coverage. Output: prioritised remediation backlog with effort estimates.
Update ICT risk appetite statement, board ICT competence assessment, committee charters. Define the three-lines-of-defence operating model. Allocate budget envelope (typical range €500K–€10M depending on size).
Refresh or write: ICT risk management policy, ICT business continuity policy, third-party policy, incident management policy, testing policy. Align with RTS on ICT risk framework and RTS on subcontracting.
The longest workstream. Inventory all ICT contracts, normalise to RTS taxonomy, capture sub-outsourcing chains, validate LEIs, build data quality controls. Aim for 30 April submission with <5% missing/invalid fields.
Article 30 mandatory clauses. Hyperscaler addendums first (highest concentration), then top 50 vendors by criticality. Use a contract-mapping spreadsheet to track clause-by-clause coverage.
Tabletop exercises with the duty officer team, NCA portal dry-runs, escalation governance test. Aim for <2 hours from classification decision to NCA notification submission.
Annual programme launched: vulnerability scans, scenario tests, code reviews, network assessments. TLPT procurement initiated for designated banks (lead time considerations).
Continuous register update, quarterly board ICT risk reporting, integration of ICT risk findings into ICAAP. SREP inspection readiness reviewed annually.
Use our free calculator to estimate implementation costs, staffing needs, and timeline based on your bank's size and current maturity.
Sector-specific DORA requirements compared.
Building Your ICT Risk Management FrameworkPractical guide to a DORA-compliant framework.
DORA Audit: Requirements & ChecklistSupervisory inspections, internal audit duties, scope by pillar and how to prepare.
Compliance Cost CalculatorEstimate DORA implementation costs — free tool.
Third-Party ICT Risk ManagementRegister, Article 30 clauses, the 19 designated CTPPs.
DORA Enforcement & PenaltiesWhat enforcement looks like in practice.
DORA vs NIS2How DORA and NIS2 interact for banks.
TLPT: Threat-Led Penetration TestingComplete TLPT methodology and procurement guide.
A systemically important bank with operations in 8 EU countries engaged our team for a full DORA gap analysis and implementation roadmap. The initial assessment revealed critical gaps in ICT incident reporting and third-party risk management.
"The gap analysis gave us complete visibility on our blind spots. The roadmap was actionable from day one — no theoretical frameworks, just clear steps with deadlines."
— Chief Risk Officer, Tier 1 European Bank
Once your gap analysis is done, the real work begins: maintaining evidence, tracking incidents, submitting the register of information every year, managing vendor contracts. Resiplan automates all of it — the specialised SaaS for DORA, business continuity & GRC designed for banks.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.