Access comprehensive guides, technical standards, templates, and tools to achieve DORA compliance. All resources are free and updated for 2025.
Our most comprehensive guides to help you understand and implement DORA requirements
Comprehensive 59-page guide covering all five pillars of DORA with a six-phase implementation roadmap, step-by-step instructions, compliance checklists, and 34 worked examples.
Interactive compliance dashboard that helps you assess your current DORA readiness, identify gaps, and create a customized implementation roadmap.
Official regulatory technical standards and implementation guidelines
A fast, cross-referenced lookup of the RTS/ITS standards — what each requires and when it applies. A handy companion, not a deep implementation playbook.
Complete guide to ICT-related incident reporting requirements including classification criteria, reporting timelines, and notification templates.
Technical standards for ICT risk management framework, including governance, risk assessment methodologies, and control requirements.
Standards for managing ICT third-party service providers including due diligence, contract requirements, and oversight framework.
Comprehensive guide to Threat-Led Penetration Testing requirements including scoping, execution, and reporting guidelines.
All five pillar playbooks plus the Benchmark and Executive summary — 7 PDFs, ~134 pages. The complete practitioner library; save €175 vs buying separately.
Tailored compliance guidance for different financial sectors
DORA implementation guide specifically for banks, credit institutions, and payment service providers with sector-specific requirements.
Tailored guidance for insurance and reinsurance companies addressing specific operational resilience challenges in the insurance sector.
Real-world implementation scenarios covering common challenges and practical solutions for DORA compliance across different contexts.
The DORA technical standards are dense regulatory documents — Commission Delegated Regulations and Implementing Regulations running to 50-100+ articles each, written in formal EU legal style with extensive cross-references. Reading them cold is hard work even for experienced compliance teams. The guides on this page are interpretive companions: they translate the binding text into practical implementation language, with the regulatory anchors preserved so you can always trace a statement back to its article reference.
If you are new to the regulation, start with our complete guide to what DORA is for the big picture, run the free 45-point DORA compliance checklist to see where you stand, and read DORA vs NIS2 if your entity is also in scope of the cybersecurity directive. Then come back here for the technical detail.
The broadest reference. Covers all 64 articles of Regulation (EU) 2022/2554 organised by the five operational pillars, plus a full chapter on each related RTS. Each chapter includes: the binding requirement (with article citation), how it applies in practice, common implementation pitfalls, supervisory expectations, and a checklist of evidence the entity should hold. Used by 600+ institutions as the on-shelf DORA reference; refreshed quarterly as ESA Q&A documents are published.
Deep dive into the RTS on classification of major ICT-related incidents and the ITS on incident reporting templates and procedures. Walks through the 6 primary and 3 secondary classification criteria with worked examples for banks, insurers, investment firms and payment institutions. Includes the harmonised reporting template, the 4h/72h/1-month workflow, NCA portal walkthroughs (BaFin, ACPR, DNB, Banco de España, Banca d'Italia and others), and decision trees the duty officer team can paste into the incident management playbook.
Covers Commission Delegated Regulation 2024/1774 (RTS on ICT risk framework) and the simplified framework alternative. Maps every chapter of the RTS to existing controls under ISO 27001, NIST CSF and the legacy EBA ICT Guidelines so you avoid duplicating work. Includes the minimum content for security policies, the multi-factor authentication requirements for privileged access, the cryptographic agility expectation, and the network segmentation depth supervisors look for.
Combines DORA Articles 28-30 with the RTS on subcontracting and the ITS on Register of Information. Includes: the 11-clause Article 30 mandatory contract checklist with negotiation guidance, the Register template with field-by-field guidance, the sub-outsourcing chain visibility methodology, the concentration risk assessment framework, and exit strategy documentation requirements with annual partial-extraction-test expectations.
The RTS on threat-led penetration testing operationalises Article 26 in alignment with TIBER-EU. The guide walks through designation criteria, the 5 phases (Preparation, Threat Intelligence, Red Team execution, Closure, Remediation), the white team / red team / blue team controls, NCA notification and supervisory attestation. Includes scoping templates, Targeted Threat Intelligence Report (TTIR) outline, RFP package for red team firm selection, and a defensible attestation file structure.
The complete practitioner library in one pack: all five pillar playbooks plus the Benchmark report and the Executive All-in-One — 7 PDFs, ~134 pages. The best-value way to equip the whole compliance function; save €175 versus buying the playbooks individually. Lifetime updates included.
A fast lookup companion: a cross-reference matrix between every DORA article and the related RTS/ITS, an article-level implementation timeline, and a short chapter on the Oversight Framework for designated CTPPs (Articles 31-44). A handy desk reference — not a substitute for the deep pillar playbooks above.
Different roles in a financial institution typically need different starting points. Use the matrix below to identify the best fit:
Complete DORA Implementation Guide — covers accountability, governance, supervisory expectations. Read time: 4-6 hours.
RTS ICT Risk Management Framework Guide + Complete Implementation Guide. Focus on integration with existing risk taxonomy.
RTS ICT Risk Management Framework Guide + TLPT Testing Framework Guide. Operational depth on controls and testing.
All-in-One Bundle — the consolidated playbook library. Best for evidence file building and supervisory dialogue.
RTS Third-Party Risk Management Guide — Article 30 clauses, register, sub-outsourcing visibility.
RTS Incident Reporting Guide — classification criteria, decision trees and the 4h/72h/1-month workflow. Operational playbook material for the duty officer team.
Complete Implementation Guide + All-in-One Bundle. Source material for audit programme design.
Complete Implementation Guide with article citations to the official Regulation text on EUR-Lex. Reference companion for contract drafting.
Common questions about the downloadable resources
Read the context behind each technical standard before downloading
Explains the legal distinction between Regulatory and Implementing Technical Standards — essential context before reading the guides.
Walkthrough of the 4-hour, 72-hour, and final report timelines — pairs directly with the RTS Incident Reporting guide.
What threat-led penetration testing actually requires under DORA — context for the TLPT RTS guide.
Step-by-step implementation guide that complements the downloaded frameworks with actionable tasks.
Full list of providers designated by ESAs — essential reading alongside the third-party risk resources.
Recent ESA amendments — check this before downloading to know if you need the latest version.
Our DORA compliance specialists can help you develop a customized implementation strategy tailored to your organization's needs.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.