DORA: explained for the people who have to keep the systems running.

Digital Operational Resilience Act

Direct answer

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is the EU law that requires financial entities to withstand, respond to, and recover from information and communication technology (ICT) disruptions. It applies from 17 January 2025 across five areas: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk, and information sharing. It covers most regulated financial entities in the EU and extends supervision to the critical ICT providers they rely on.

Why DORA exists

Before DORA, operational resilience for EU financial services was governed by a patchwork of national rules and sector guidance. DORA replaces that with a single, directly applicable regulation, so a bank, an insurer, and an investment firm are held to the same baseline for surviving a technology failure or a cyber attack. The shift in mindset is the important part: DORA treats ICT disruption not as an IT problem but as a threat to financial stability, and it makes the board answerable for managing it.

The five pillars

DORA is organised around five areas. Read together they describe a full lifecycle: govern the risk, detect and report what goes wrong, prove your resilience by testing it, control the third parties you depend on, and share what you learn.

DORA: five pillars
PillarWhat it requires
ICT risk managementA documented framework, owned by the management body, covering identification, protection, detection, response, and recovery.
ICT incident management and reportingClassify incidents by severity and report major ones to the competent authority within set deadlines.
Digital operational resilience testingA testing programme, including advanced threat-led penetration testing for significant entities.
ICT third-party riskA register of ICT contractual arrangements and mandatory contractual terms, with stricter rules for critical or important functions.
Information sharingOptional participation in cyber threat information-sharing arrangements between financial entities.

Who DORA applies to

DORA covers a broad range of financial entities established in the EU, and it reaches beyond them to the technology providers they depend on. Scope is wide by design, so the safer assumption for an EU financial entity is that you are in scope until you have confirmed otherwise. A separate oversight regime applies to ICT third-party providers designated as critical, who become subject to direct supervision by a lead overseer.

Proportionality applies: smaller and less complex entities meet a simplified version of the framework, but they are not exempt.
CategoryExamples
Financial entitiesCredit institutions, payment and e-money institutions, investment firms, insurers and intermediaries, crypto-asset service providers, fund managers, and more.
ICT third-party providersCloud platforms, software and data providers, and other technology suppliers, with a dedicated oversight regime for those designated critical.

The ICT third-party register

DORA requires every financial entity to keep a register of information on all its contractual arrangements for the use of ICT services. The register has to be maintained at entity and, where relevant, group level, kept current as arrangements change, and made available to the competent authority on request. In practice it is the single hardest thing to keep honest, because it only stays accurate if it is tied to the vendor relationships it describes rather than maintained as a separate document. Acuna keeps that register live against your third-party risk management vendor inventory, which is the tightest fit between DORA and the platform.

Resilience testing and TLPT

Every in-scope entity runs a digital operational resilience testing programme sized to its risk profile. Entities identified as significant go further and perform threat-led penetration testing (TLPT) at least every three years, carried out by qualified testers against live production systems, drawing on the TIBER-EU framework. TLPT is the demanding end of the testing obligation and is scoped and validated with the competent authority.

Why the board is on the hook

DORA is explicit that the management body holds final responsibility for managing ICT risk. It must approve and oversee the ICT risk management framework, and it cannot delegate the accountability away. This is the practical reason DORA cannot live only inside the security team: the people who sign off have to be able to see that the framework is real and maintained, which is exactly what a running system, rather than a set of documents, provides.

How DORA relates to NIS2 and ISO 27001

DORA does not sit alone. Much of its ICT risk management substance overlaps with NIS2 and with ISO 27001, and its third-party requirements echo the supplier controls in both. For an entity already running one of those, the efficient path is to map the shared controls once and reuse them, rather than stand up a parallel DORA programme. That reuse is the argument for treating DORA as one framework on a multi-framework core rather than a standalone project.

When it applies

DORA entered into force in January 2023 and applies from 17 January 2025. The detailed technical standards that sit beneath it, the regulatory and implementing technical standards developed by the European Supervisory Authorities, fill in the specifics of areas such as incident classification, the register, and testing. Because those standards continue to be finalised and updated, verify the current detail of any specific technical requirement against the latest published standard before you rely on it.

EXPLORE

DORA

What is DORA in financial services?DORA basics

The regulation, its scope, and what it changes for financial entities.

What is operational resilience testing under DORA?Testing

The testing programme every in-scope entity must run.

What is the DORA ICT third-party register?Coming soon

The Article 28 register of information, and how to keep it current.

How does DORA incident reporting work?Coming soon

Classifying major ICT incidents and reporting them to your authority.

What is threat-led penetration testing (TLPT) under DORA?Coming soon

The advanced testing significant entities must perform.

Who does DORA apply to?Coming soon

Which financial entities and ICT providers are in scope.

DORA: common questions.

Related answers

Questions practitioners ask.

What is DORA in financial services?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to financial entities in the EU. It establishes requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for significant entities), ICT third-party risk management, and information sharing on cyber threats. DORA became applicable on 17 January 2025. Acuna covers DORA requirements across all four panes: framework mapping in Comply, ICT controls and asset inventory in Implement, incident and third-party management in Operate, and TLPT findings and corrective actions in Assure.

What is operational resilience testing under DORA?

DORA Chapter IV requires financial entities to maintain a digital operational resilience testing programme. This includes vulnerability assessments, network security testing, gap analysis, and software security reviews. Significant entities must also conduct threat-led penetration testing (TLPT) at least every three years, simulating real-world attacks against live production systems using threat intelligence. TLPT must be performed by qualified testers and results reported to the National Competent Authority. Acuna tracks TLPT planning, findings, and corrective actions in the Assure pane.

What is the DORA ICT third-party register?

The DORA register of information is the record, required by Article 28 of Regulation (EU) 2022/2554, of all your contractual arrangements for the use of ICT services provided by third parties. Every financial entity must keep it current, maintain it at entity and, where relevant, sub-consolidated and consolidated group level, and make it available to its competent authority on request. It is the backbone of DORA's third-party risk regime: supervisors use it to see, across the financial sector, which providers the system depends on. The register is not a one-time inventory. It is a living record that has to reflect your ICT supply chain as it actually is, including which arrangements support critical or important functions, because those carry stricter contractual and oversight requirements. That distinction, critical-or-important versus the rest, drives much of what DORA asks of the relationship. The register documents each ICT contractual arrangement: the provider, the service, whether it supports a critical or important function, and the contractual terms DORA requires. The European Supervisory Authorities set the detailed template and fields through technical standards, so the precise columns are defined centrally rather than left to each entity. The register has to be complete and consistent enough that a supervisor can read your ICT dependency map from it. A register maintained as a spreadsheet, separate from the vendor relationships it describes, is accurate the day it is built and wrong the week a contract changes and nobody updates the file. That is the failure mode DORA's "keep it current" requirement is aimed at, and it is why the register cannot be a document you refresh before an inspection.

How does DORA incident reporting work?

DORA requires financial entities to detect, manage, classify, and report ICT-related incidents. Major incidents must be reported to the competent authority in stages: an initial notification, followed by an intermediate report as the situation develops, and a final report once the root cause is known. The classification of what counts as "major" is based on criteria set out in the regulation and its technical standards, covering factors such as the number of clients affected, duration, geographic spread, data losses, and economic impact. Entities may also notify significant cyber threats voluntarily. Before you report, you classify. DORA and its technical standards define the thresholds that separate a major incident from a routine one, using materiality factors. Getting classification right matters because it determines whether the reporting clock starts at all. This is where a running incident process earns its place: if you cannot quickly assemble which clients, systems, and data an incident touched, you cannot classify it, let alone report it on time. DORA structures reporting in stages: an initial notification once you determine an incident is major, an intermediate report as handling progresses, and a final report with root-cause analysis. The precise deadlines for each stage are set by the regulatory and implementing technical standards and should be verified against the current published standard before you rely on them.

What is threat-led penetration testing (TLPT) under DORA?

Threat-led penetration testing (TLPT) is the advanced form of resilience testing that DORA requires of financial entities identified as significant. Unlike routine vulnerability scanning or standard penetration tests, TLPT simulates the tactics, techniques, and procedures of real threat actors against an entity's live production systems, covering the critical or important functions that support its business. It is performed by qualified external testers, scoped and validated with the competent authority, and carried out at least every three years. TLPT draws on the TIBER-EU framework for threat-led testing. TLPT sits at the demanding end of DORA's testing pillar. Most in-scope entities run a general resilience testing programme; significant entities additionally run TLPT, because the regulation treats their disruption as a bigger systemic risk. A standard penetration test checks whether known weaknesses can be exploited. TLPT is intelligence-led: it starts from a picture of the threats that realistically target your kind of entity, then tests whether your live systems and your people would withstand those specific adversary behaviours. It runs against production, not a test environment, which is what makes it a genuine test of operational resilience rather than of a lab setup. TLPT is a structured engagement: scoping the critical or important functions to be tested, developing threat intelligence, running the red-team test against live systems, and producing findings that feed remediation. Tester qualification, scoping, and the outcome are handled with the competent authority.

Who does DORA apply to?

DORA applies to a broad range of financial entities established in the EU, including credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings and intermediaries, crypto-asset service providers, fund managers, trading venues, and more. It also reaches the ICT third-party service providers those entities depend on, and it creates a dedicated oversight regime for providers designated as critical, who become subject to direct supervision by a lead overseer. Scope is deliberately wide, so an EU financial entity should assume it is in scope until it confirms otherwise. DORA is not one-size-fits-all. Smaller and less complex entities apply a simplified version of the ICT risk management framework, calibrated to their scale and risk. Simplified is not exempt: the obligation still applies, at a proportionate depth. The largest and most systemically important entities carry the fullest requirements, including advanced testing. Certain ICT providers, judged critical to the EU financial system, are designated and brought under direct oversight by a lead overseer among the European Supervisory Authorities. This extends supervision to firms that are not themselves financial entities but on which the sector depends. For a financial entity, it means the concentration risk in your ICT supply chain is now a supervisory concern, not only a commercial one, which is exactly why the [third-party risk management](/supplier-shield) register matters.

What is the difference between NIS2 and DORA?

NIS2 and DORA are two EU frameworks for cybersecurity and operational resilience that came into force around the same time and overlap heavily, but they are not interchangeable. NIS2 (Directive (EU) 2022/2555) is a cross-sector cybersecurity directive covering many industries; DORA (Regulation (EU) 2022/2554) is a finance-specific regulation for digital operational resilience. Where both could apply to the same organisation, DORA generally takes precedence for ICT risk in financial services as the more specific law, the lex specialis principle. A financial entity can therefore be in scope for both, with DORA governing its ICT risk and NIS2 relevant to the extent DORA does not cover. The two differ on instrument, scope, and specificity. NIS2 is a directive, so it is transposed into each member state's national law and its details can vary by country. DORA is a regulation, so it applies directly and uniformly across the EU without transposition. NIS2 spans many sectors; DORA is confined to financial entities and their ICT providers. DORA is also more prescriptive on ICT specifics, such as the register of information and threat-led penetration testing, than NIS2's more general risk-management measures. Where a financial entity would fall under both, DORA is treated as the more specific regime for its ICT risk, and it prevails on the matters it covers. NIS2 recognises this relationship, so the two are designed to fit together rather than duplicate. In practice, a bank manages its ICT risk under DORA and does not also apply NIS2's general measures to the same ground. For a financial entity in scope for both: determine your DORA obligations for ICT risk first, since they are the more specific and prescriptive. Then confirm what, if anything, NIS2 adds beyond DORA's coverage for your organisation, which depends partly on your member state's transposition. The efficient path is to map the shared requirements once, as most of the risk-management and supply-chain substance is common, and only maintain the genuinely distinct pieces separately.

GO DEEPER

See how DORA runs as one system.

The ICT register, controls, testing, and evidence in one place, tied to owners and reused across your other frameworks.

Explore the DORA solutionRequest a demo
Built for:CISOsCompliance LeadersMSSPs