20+ Free Resources · Updated 2026

DORA Knowledge Base

Authoritative guides, templates, and regulatory references to help you understand and implement DORA compliance — no registration required.

Regulation & Technical Standards

Primary source summaries and RTS/ITS references

Guide · 20 min read

DORA Article-by-Article Summary

Plain-language breakdown of all 64 DORA articles. Covers scope, governance, ICT risk management, incident reporting, testing, third-party risk, and intelligence sharing — with direct compliance implications for each entity type.

Covers

Chapter I (Arts. 1–4): Purpose, scope, and definitions — 22 entity types covered
Chapter II (Arts. 5–16): ICT Risk Management — proportionality principle for smaller entities
Chapter III (Arts. 17–23): ICT-related incident reporting — major incident thresholds
Chapter IV (Arts. 24–27): Digital operational resilience testing — TLPT thresholds
Chapter V (Arts. 28–44): ICT third-party risk — critical provider oversight regime
Chapter VI (Art. 45): Cyber threat intelligence sharing arrangements

Reference · 12 min read

RTS on TLPT (Joint ESA Standard)

Summary of the Joint Regulatory Technical Standards specifying requirements for Threat-Led Penetration Testing under DORA Article 26(11). Covers tester qualifications, threat intelligence requirements, scope assessment, and mutual recognition.

Covers

Tester independence and qualification requirements (Art. 26 RTS)
Threat intelligence provider standards and sourcing
Mutual recognition framework for cross-border TLPT
Blue team notification rules and covert vs. announced tests
Reporting requirements and supervisory submission format

Reference · 10 min read

RTS on ICT Incident Classification

EBA/ESMA/EIOPA Joint RTS defining criteria for classifying ICT incidents as "major" under DORA Article 18. Includes materiality thresholds, client impact assessment, and reporting timeline obligations.

Covers

Severity classification matrix: duration, geographic spread, data loss
Major vs. significant incident thresholds
Initial notification: within 4 business hours of classification
Intermediate report: within 72 hours
Final report: within 1 month of incident closure

Reference · 15 min read

RTS/ITS on ICT Third-Party Risk

Regulatory technical standards for ICT third-party risk management under DORA Articles 28–30. Covers mandatory contractual provisions, register of information format, and the oversight framework for critical ICT providers.

Covers

Mandatory contractual clauses for ICT service agreements (Art. 30)
Sub-contracting chains and concentration risk obligations
Register of information: required fields and submission format
Critical ICT third-party provider (CTPP) oversight regime
Exit strategy requirements for critical ICT services
Implementation Guides

Practical how-to guides for each DORA pillar

Guide · 25 min read

Building Your ICT Risk Management Framework

Step-by-step guide to implementing a DORA-compliant ICT risk management framework under Articles 5–16. Covers governance structure, risk appetite, asset management, and business continuity planning.

Covers

Management body accountability and oversight roles (Art. 5)
ICT risk strategy aligned with overall business strategy
ICT asset identification and classification methodology
Threat landscape and risk assessment process
Protection, detection, response, and recovery controls
ICT Business Continuity Policy and Disaster Recovery plans

Guide · 30 min read

TLPT Programme Planning Guide

End-to-end guide for planning and executing your first DORA-compliant Threat-Led Penetration Test. Covers pre-engagement scoping, threat intelligence gathering, provider selection, execution, and supervisory reporting.

Covers

Determining if TLPT is mandatory (significance criteria)
Engaging the competent authority — notification requirements
Defining scope: critical functions, systems, and people
Threat intelligence sourcing and red team provider selection
Test execution phases: reconnaissance, initial access, lateral movement
Remediation planning and supervisory submission

Guide · 20 min read

DORA Incident Response Playbook

Practical playbook for managing ICT-related incidents in compliance with DORA Articles 17–23. Includes classification decision trees, notification workflows, and template communications for competent authorities.

Covers

Incident detection and initial triage process
Major incident classification decision tree
Competent authority notification: channels and formats
Internal escalation procedures and war room setup
Client and counterparty communication templates
Post-incident review and lessons-learned documentation

Guide · 22 min read

ICT Third-Party Due Diligence Framework

How to build a proportionate third-party ICT risk management programme under DORA Article 28. Covers provider risk tiering, onboarding due diligence, ongoing monitoring, and exit strategy planning.

Covers

Risk-based tiering of ICT providers (critical vs. non-critical)
Pre-onboarding due diligence questionnaire framework
Mandatory contractual provisions checklist
Annual review and continuous monitoring controls
Concentration risk assessment methodology
Exit strategy and service continuity requirements
Templates & Checklists

Ready-to-use tools for your compliance programme

Guide · 15 min read

TLPT Provider RFP Template

Ready-to-use Request for Proposal template for selecting a DORA-compliant TLPT testing provider. Includes evaluation criteria aligned with DORA Article 26 tester requirements and TIBER-EU standards.

Covers

Mandatory tester qualification requirements (DORA Art. 26 RTS)
Threat intelligence provider sourcing expectations
Methodology and test phases specification
Confidentiality and data handling requirements
Reporting format and supervisory deliverables
Evaluation scoring matrix for provider selection

Guide · 10 min read

ICT Third-Party Provider Register

Excel-compatible template for maintaining your DORA-compliant ICT third-party service provider register (Article 28). Pre-mapped to the mandatory fields required by the RTS on ICT third-party risk.

Covers

All mandatory fields per RTS register of information requirements
Service category classification (critical vs. non-critical)
Contract reference and renewal tracking
Sub-contractor chain mapping
Risk tier and last assessment date
Data residency and geographic location fields

Guide · 5 min read

ICT Incident Classification Flowchart

Visual decision tool for determining whether an ICT incident qualifies as "major" under DORA Article 18 and the classification RTS. Walk through the materiality thresholds step-by-step.

Covers

Step 1: Duration threshold — exceeds 4 hours / 20 hours / 5 days?
Step 2: Client impact — number of clients / transactions affected
Step 3: Reputational / geographic impact assessment
Step 4: Data integrity or confidentiality breach indicators
Step 5: Financial impact against materiality threshold
Output: Classification (minor / significant / major) and reporting path

Guide · 15 min read

DORA Gap Assessment Spreadsheet

Comprehensive spreadsheet for conducting your own DORA compliance gap assessment. Covers all five pillars across 180+ control points with a traffic light scoring system.

Covers

180+ control requirements mapped to DORA articles
Current state / target state / gap scoring methodology
Priority classification (P1 regulatory / P2 operational / P3 recommended)
Responsible owner and target remediation date fields
Executive summary dashboard with aggregate readiness score
Testing & TLPT

Guides to DORA's digital operational resilience testing requirements

Guide · 15 min read

TIBER-EU Framework Explained

Clear explanation of the TIBER-EU framework (ECB, 2018, updated 2021) and its relationship to DORA TLPT requirements. How TIBER-XX national variants relate to DORA Article 26 mutual recognition.

Covers

TIBER-EU origin and governance (ECB / national central banks)
Three phases: preparation, test, closure
Red Team Provider (RTP) and Threat Intelligence Provider (TIP) roles
TIBER-XX national variants and cross-border recognition
How TIBER tests satisfy DORA TLPT requirements
Key differences: TIBER-EU vs. DORA RTS on TLPT

Guide · 12 min read

DORA Testing Hierarchy: What You Need

Not all testing is equal under DORA. This guide explains the full testing hierarchy — from basic vulnerability scans to full TLPT — and maps requirements to entity types and sizes.

Covers

Vulnerability assessments: mandatory for all in-scope entities
Source code reviews and network security assessments
Scenario-based testing and continuity plan exercises
Penetration testing: recommended frequency by entity size
Advanced testing (TLPT): mandatory for significant entities
Proportionality principle: simplified regime for small entities

Guide · 8 min read

Red Team vs. TLPT: Key Differences

Understanding the distinction between a conventional red team exercise and a DORA-compliant Threat-Led Penetration Test. Critical for procurement, scoping, and supervisory reporting.

Covers

Threat intelligence foundation: TLPT is intelligence-led, red team is scenario-based
Scope: TLPT covers critical functions across all attack surfaces
Duration: TLPT typically 6–12 months from engagement to closure
Regulatory recognition: only TLPT satisfies DORA Art. 26 obligations
Blue team involvement: TLPT allows optional blue team visibility
Supervisory submission: TLPT requires formal competent authority reporting

Need a Qualified TLPT Provider?

We match financial entities with vetted TLPT providers that meet DORA Article 26 tester requirements.

DORA Glossary

Key terms and abbreviations used in DORA and its technical standards.

DORA

Digital Operational Resilience Act — EU Regulation 2022/2554, applicable from 17 January 2025.

TLPT

Threat-Led Penetration Testing — advanced adversarial testing of critical functions using real-world threat intelligence.

TIBER-EU

Threat Intelligence-Based Ethical Red Teaming — ECB framework that informs and is partly satisfied by DORA TLPT.

RTS

Regulatory Technical Standard — binding delegated acts specifying DORA requirements in detail, published by the ESAs.

ITS

Implementing Technical Standard — specifies uniform formats and procedures; complementary to RTS.

ESAs

European Supervisory Authorities — EBA, ESMA, and EIOPA, jointly responsible for DORA technical standards.

CTPP

Critical Third-Party Provider — ICT providers designated as critical by ESAs, subject to direct oversight.

ICT

Information and Communication Technology — systems, infrastructure, and services covered by DORA.

Need Expert Guidance?

Our network of DORA specialists can answer your specific compliance questions, conduct formal gap assessments, and connect you with the right testing providers.