DORA Frequently Asked Questions

Find answers to common questions about Digital Operational Resilience Act compliance

What is DORA (Digital Operational Resilience Act)?
DORA is an EU regulation that establishes a comprehensive set of requirements for financial institutions to manage ICT risks, ensure digital operational resilience, and test their readiness for cyber threats. It applies to banks, insurance companies, payment institutions, and other financial service providers across the EU.

When does DORA regulation come into effect?
DORA came into effect on January 17, 2025. Financial institutions are required to be fully compliant from this date. The regulation applies to all regulated financial institutions in the EU, with first assessment periods beginning in Q3 2025.

What are the 5 pillars of DORA?
The 5 pillars of DORA are: (1) Governance and Risk Management Framework, (2) Incident Management, (3) Digital Operational Resilience Testing, (4) Third-Party Risk Management, and (5) Information Sharing.

What is Threat-Led Penetration Testing (TLPT) under DORA?
TLPT is an advanced security testing requirement where financial institutions must hire external testers to conduct realistic cyber attack simulations targeting their critical systems. Large institutions must conduct TLPT annually, medium institutions every 2 years, and smaller institutions every 3 years.

What are the penalties for DORA non-compliance?
Financial institutions failing to comply with DORA can face fines up to 2% of annual worldwide turnover for the most serious breaches, and up to 1% for less serious violations. These penalties are administered by national supervisory authorities.

Does DORA apply to small financial institutions?
Yes, DORA applies to all financial institutions regulated under EU financial services regulations, including small entities. However, smaller institutions may benefit from proportionality principles in implementation, with extended timelines for certain requirements like TLPT.

What is the difference between RTS and ITS in DORA?
RTS (Regulatory Technical Standards) provide framework-level requirements and specifications for DORA compliance, while ITS (Implementing Technical Standards) provide detailed technical specifications and implementation procedures. Both are developed by the EBA and are mandatory.

How does DORA affect cloud services and outsourcing?
DORA requires financial institutions to include specific clauses in cloud and outsourcing contracts, maintain audit rights, ensure data residency compliance, and establish exit procedures. Critical ICT third-party service providers face direct supervision from EU authorities.

What must be included in DORA incident reporting?
Major ICT incidents must be reported to supervisory authorities within 72 hours. Reports must include incident classification, impact assessment, affected systems, financial impact, customer implications, and remediation measures being taken.

How can we prepare for DORA compliance?
Begin by conducting a comprehensive gap analysis against DORA requirements, establish governance structures, inventory critical ICT systems, assess third-party dependencies, implement necessary controls, establish incident management procedures, and conduct testing to ensure readiness.

Under DORA, what type of incidents should be classified and notified?
Financial entities must classify ICT-related incidents and notify those that qualify as "major" using the criteria in RTS (EU) 2024/1772: clients/financial counterparts affected, reputational impact, duration and service downtime, geographical spread, data losses, criticality of services affected, and economic impact. An incident is major when it crosses the relevant primary and secondary thresholds. Significant cyber threats may be reported voluntarily. Major incidents trigger the 4-hour, 72-hour and 1-month reporting clock.

What are the DORA incident reporting timelines?
For a major ICT-related incident: an initial notification is due within 4 hours of classifying it as major (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within 1 month. Reports are submitted to the competent authority using the templates in RTS/ITS (EU) 2025/301 and 2025/302.

What is the DORA Register of Information?
The Register of Information (DORA Article 28(3)) is a machine-readable register of all contractual arrangements for ICT services provided by third parties. Entities report it annually to their national competent authority in xBRL-CSV format using the 15 templates of ITS (EU) 2024/2956. The ESAs use the aggregated data to designate Critical ICT Third-Party Providers and assess concentration risk. Most 2026 national deadlines fall at the end of Q1 2026.

What is a Critical or Important Function (CIF) under DORA?
A Critical or Important Function (DORA Article 3(22)) is a function whose disruption would materially impair an entity's financial performance, the soundness or continuity of its services, or its compliance with authorisation conditions. CIF identification is the cornerstone of DORA: it drives Register of Information flagging, third-party contractual obligations, TLPT scope and incident classification.

Who must perform Threat-Led Penetration Testing (TLPT) under DORA?
TLPT applies to financial entities identified by competent authorities based on their systemic importance and ICT risk profile, not to every entity. Designated entities must run intelligence-led red-team tests on live critical systems at least every 3 years, following the TIBER-EU framework, using qualified threat-intelligence and red-team providers.

How does DORA differ from NIS2?
DORA is a lex specialis for the EU financial sector and prevails over NIS2 for the ICT risk of in-scope financial entities. NIS2 is the broader cross-sector cybersecurity directive. Where both could apply, financial entities follow DORA for ICT risk management, incident reporting and third-party oversight, while NIS2 continues to cover sectors and activities outside DORA's scope.

What contractual clauses does DORA require with ICT providers?
DORA Article 30 sets mandatory contractual provisions: clear service descriptions, data location and processing terms, accessibility/availability and security requirements, full audit and access rights, assistance during incidents, sub-outsourcing conditions, and documented exit strategies. Contracts supporting critical or important functions carry an enhanced set of these provisions.

Is there an official DORA compliance checklist?
DORA does not publish a single official checklist, but compliance maps to its 5 pillars: ICT risk management governance, incident management and classification, digital operational resilience testing (including TLPT where applicable), ICT third-party risk and the Register of Information, and information sharing. Our free interactive checklist covers 45 control points across these pillars.

Which Critical ICT Third-Party Providers (CTPPs) have been designated?
In November 2025 the European Supervisory Authorities designated 19 Critical ICT Third-Party Providers, including the major cloud hyperscalers and key financial-technology and market-infrastructure providers. Each is assigned a Lead Overseer (EBA, EIOPA or ESMA), must report major incidents within 2 hours, and can face penalties of up to 1% of average daily worldwide turnover for non-compliance.
