DORA Compliance Checker

Assess your organization's readiness for the Digital Operational Resilience Act (DORA) across all 5 pillars. Designed for banks, investment firms, insurers, payment providers, and other financial entities.

What Is DORA?

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is the EU's comprehensive framework for ensuring that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. Unlike a directive, DORA is a regulation — it applies directly across all EU member states without requiring national transposition.

DORA entered into force on 16 January 2023 and applies from 17 January 2025. It covers virtually all regulated financial entities in the EU, from major banks to small payment institutions, plus critical ICT third-party service providers to the financial sector.

The regulation was created in response to the financial sector's growing dependence on ICT systems and third-party technology providers. A single ICT failure at a major cloud provider or a successful cyberattack on a bank's core systems can have cascading effects across the entire financial system. DORA aims to ensure this digital backbone is resilient.

The 5 Pillars of DORA

Pillar 1: ICT Risk Management (Articles 5-16)

Financial entities must establish a comprehensive ICT risk management framework that is documented, approved by the management body, and regularly reviewed. This includes identifying all ICT assets, implementing protection and detection measures, maintaining business continuity plans, and continuously learning from incidents. The management body bears ultimate accountability — a significant shift that puts ICT resilience firmly on the board's agenda.

Microenterprises (fewer than 10 staff, under €2M turnover) may apply a simplified framework under Article 16, though core requirements still apply.

Pillar 2: ICT Incident Management (Articles 17-23)

DORA requires financial entities to implement a robust ICT incident management process with clear classification criteria. Major incidents must be reported to the competent authority on an aggressive timeline: initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. This 4-hour window is among the tightest in any EU regulation.

Pillar 3: Digital Operational Resilience Testing (Articles 24-27)

Entities must maintain a testing programme proportionate to their size and risk profile. This includes annual vulnerability assessments and penetration tests, scenario-based testing, and for significant entities, Threat-Led Penetration Testing (TLPT) every three years. All identified weaknesses must be remediated within defined timelines.

Pillar 4: ICT Third-Party Risk (Articles 28-44)

This is one of DORA's most impactful pillars. Financial entities must maintain a register of all ICT third-party arrangements, reported annually to the competent authority. Contracts must include specific provisions (SLAs, audit rights, incident notification, exit clauses), and concentration risk must be actively monitored. Critical ICT providers are subject to a new EU-level oversight framework led by the European Supervisory Authorities.

Pillar 5: Information Sharing (Article 45)

DORA encourages — but does not mandate — participation in cyber threat intelligence sharing arrangements within the financial sector. When entities do share, DORA provides a framework to protect confidentiality and ensure compliance with data protection rules.

DORA Penalties

DORA delegates penalty-setting to EU member states and competent authorities (such as EBA, ESMA, EIOPA, and national financial regulators). Penalties must be effective, proportionate, and dissuasive. While DORA does not specify maximum fine amounts like GDPR does, the financial sector's existing regulatory framework already includes significant enforcement powers.

For critical ICT third-party providers, the European Supervisory Authorities can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover to compel compliance with oversight measures.

Beyond formal penalties, non-compliance with DORA can result in supervisory actions including restrictions on activities, public statements, and in severe cases, withdrawal of authorization to operate.

DORA vs NIS2: Key Differences

Both DORA and NIS2 address cybersecurity, but they serve different purposes and scopes. DORA is a sector-specific regulation for financial entities focused on digital operational resilience. NIS2 is a cross-sector directive covering essential and important entities across 18 sectors.

Under the lex specialis principle, DORA takes precedence over NIS2 for financial entities where their requirements overlap. If you are a financial entity subject to DORA, you comply with DORA's ICT risk management and incident reporting requirements rather than NIS2's — though NIS2 may still apply for areas not covered by DORA.

Key differences include incident reporting timelines (DORA: 4 hours initial; NIS2: 24 hours early warning) and third-party oversight (DORA creates an EU-level framework for critical ICT providers; NIS2 has no equivalent).

Frequently Asked Questions

When does DORA apply?

DORA applies from 17 January 2025. Financial entities should already be compliant or actively working toward compliance. Unlike a directive, DORA does not require national transposition — it applies directly in all EU member states.

Does DORA apply to small financial firms?

Yes, DORA applies to financial entities of all sizes. However, microenterprises (fewer than 10 employees and under €2M turnover) can apply a simplified ICT risk management framework under Article 16. The principle of proportionality means requirements should be applied relative to your size, nature, and risk profile.

What is Threat-Led Penetration Testing (TLPT)?

TLPT is an advanced form of penetration testing that simulates real-world attack scenarios based on current threat intelligence. Under DORA Article 26, significant financial entities must conduct TLPT at least every 3 years on critical functions. The testing must use threat intelligence to design realistic attack scenarios and be conducted by qualified, independent testers.

How accurate is this assessment?

This is a self-assessment providing an indicative readiness score. It covers the core requirements of each DORA pillar but is not a substitute for a formal compliance audit by qualified professionals. Use it as a starting point to identify gaps and prioritize remediation efforts.

Disclaimer: This tool is for informational purposes only and does not constitute legal or regulatory advice. DORA requirements may be further specified through Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). Consult qualified professionals. Created by ClevSec.

Last updated: March 2026