Understanding the Digital Operational Resilience Act (DORA)
DORA (Regulation (EU) 2022/2554) establishes a single framework for digital operational resilience across the EU financial sector. It requires financial entities to manage ICT risk, report major ICT-related incidents, test their resilience, and manage the risk arising from ICT third-party providers.
The Five Pillars of DORA
DORA is built on five key pillars that together ensure comprehensive digital operational resilience for financial entities.
ICT Risk Management
Establish comprehensive ICT risk management frameworks, policies, and procedures.
Incident Reporting
Detect, manage, classify, and report major ICT-related incidents to the competent authority within the prescribed deadlines.
Digital Resilience Testing
Regular testing of ICT systems, including vulnerability assessments and, for designated entities, threat-led penetration testing (TLPT).
Third-Party Risk
Manage ICT third-party risk through contractual requirements and a register of information; critical ICT third-party providers additionally fall under a Union-level oversight framework run by the European Supervisory Authorities.
Information Sharing
Participate in voluntary arrangements to exchange cyber threat intelligence and information with other financial entities.
Who Must Comply?
DORA applies to virtually all regulated financial entities in the EU, as well as to ICT third-party service providers designated as critical. The regulation affects over 22,000 entities across the financial sector.
Proportionality Principle
DORA applies its requirements proportionally, according to the size, risk profile, and complexity of the financial entity. Microenterprises and certain small entities follow a simplified ICT risk management framework, while entities identified by their competent authority face more stringent obligations, including mandatory TLPT.
Large/Significant Entities
Full DORA requirements, including TLPT at least every three years for entities identified by their competent authority
Medium Entities
Core requirements with simplified testing
Small/Micro Entities
Proportionate simplified ICT framework
DORA Timeline
Key milestones in the implementation of DORA: publication in the Official Journal of the EU on 27 December 2022, entry into force on 16 January 2023, and application of the regulation to in-scope entities from 17 January 2025.
Need Help with DORA Compliance?
Our team of certified security professionals can help you understand your DORA obligations and implement the required security testing.