DORA, the Digital Operational Resilience Act (EU Regulation 2022/2554), is the EU regulation that requires financial entities and the critical ICT third parties that serve them to manage, test, and report on their digital operational resilience. It became applicable on 17 January 2025 and harmonizes ICT risk requirements that were previously fragmented across banking, insurance, and securities rules.
DORA is a regulation, not a directive, so it applies directly across all EU member states without national transposition. Non-EU firms providing ICT services to EU financial entities can be designated as critical ICT third-party providers and brought into scope under direct EU oversight.
Defining DORA and Its Scope
DORA applies to a broad set of financial entities: credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, central counterparties, trading venues, insurance and reinsurance undertakings, credit rating agencies, crowdfunding service providers, and others listed in Article 2. It also applies to ICT third-party service providers that serve them, with the largest and most systemic providers designated as "critical" and brought under direct supervision by the European Supervisory Authorities.
A principle of proportionality runs through the regulation, so smaller and less complex entities face lighter obligations than large interconnected banks. Microenterprises are explicitly carved out of several requirements.
The Five Pillars of DORA
- ICT risk management: A documented ICT risk framework owned by the management body. Identification of business functions and supporting ICT assets, protection and prevention, detection, response and recovery, backups, and annual review.
- ICT-related incident management, classification, and reporting: A process to detect, manage, and notify ICT incidents using harmonized criteria. Major incidents must be reported to the competent authority with initial, intermediate, and final notifications on defined timelines.
- Digital operational resilience testing: A risk-based program covering vulnerability scans, source code reviews, and penetration testing. The most significant entities must perform threat-led penetration testing (TLPT) aligned with TIBER-EU at least every three years.
- Management of ICT third-party risk: Pre-contractual due diligence, mandatory contractual clauses, a register of all arrangements reported annually to authorities, and ongoing monitoring. Critical ICT third parties are placed under a dedicated EU oversight framework.
- Information and intelligence sharing: Voluntary arrangements between financial entities to share cyber threat information and indicators of compromise, subject to data protection safeguards.
Who Must Comply and By When
The regulation has been in force since 16 January 2023 and applicable since 17 January 2025. Financial entities and their critical ICT providers must demonstrate compliance from that date forward. Competent national authorities (such as the ECB, BaFin, AMF, Finansinspektionen, and the Reserve Bank of India where Indian firms serve EU entities) supervise enforcement, supported by the European Supervisory Authorities (EBA, EIOPA, ESMA).
Penalties for non-compliance are set at member-state level but include administrative fines, public statements identifying the entity, and orders to cease the conduct. Critical ICT third parties face periodic penalty payments of up to 1% of average daily worldwide turnover for failure to comply with oversight measures.
How to Start
The pragmatic sequence is: complete the ICT third-party register, gap-assess your ICT risk framework against DORA articles, update incident classification and reporting playbooks to match the harmonized criteria, plan TLPT if in scope, and renegotiate contracts with critical ICT providers to include the mandatory clauses. Firms already aligned to NIS2 and ISO/IEC 27001 will find overlap, but DORA goes further on third-party risk and testing.
Common pitfalls include treating the ICT register as a spreadsheet rather than a maintained system of record, underestimating contract remediation, and assuming the board can stay at arm's length (DORA assigns ultimate accountability to the management body).
How Opsio Helps
Opsio supports financial entities and ICT providers across Europe and India with DORA-aligned cloud operations. Our managed cloud services provide the resilient, auditable foundation, our cybersecurity services cover ICT risk frameworks, incident response, and resilience testing, and we deliver evidence packs aligned to DORA articles for your supervisor. Talk to our compliance specialists for a DORA gap assessment.
Frequently Asked Questions
How is DORA different from NIS2?
NIS2 is a directive that sets baseline cybersecurity requirements across many critical sectors. DORA is a regulation that is sector-specific to financial services and goes deeper on operational resilience, third-party risk, and testing. Where both apply, DORA acts as lex specialis for financial entities, meaning DORA's specific rules prevail. See our NIS2 overview for the comparison.
Does DORA apply to non-EU cloud providers?
Yes, indirectly through their financial entity customers and directly if they are designated as a critical ICT third-party provider. Designated providers fall under direct EU oversight, can be subject to inspections, including on-site inspections, and must comply with recommendations from the lead overseer. AWS, Microsoft, and Google are widely expected to fall in this category.
What contractual changes does DORA require with ICT providers?
Article 30 mandates clauses covering service descriptions and service levels, data location and processing, audit and access rights for the financial entity and competent authorities, security and incident notification commitments, cooperation duties, exit strategies and transition support, sub-outsourcing controls, and termination rights. Existing contracts will almost always need amendment.
What is threat-led penetration testing (TLPT) under DORA?
TLPT is an advanced testing technique that simulates real-world adversaries against live production systems, performed at least every three years by significant financial entities designated by competent authorities. It follows the TIBER-EU framework: threat intelligence informs the scenario, an independent red team executes, and the institution's blue team responds without prior knowledge.
How does DORA interact with existing operational resilience rules?
DORA harmonizes and supersedes many previous fragmented rules, including parts of the EBA Guidelines on ICT and security risk management, EIOPA's ICT guidelines, and ESMA's cyber guidance. National regulators have updated their handbooks accordingly. Firms with mature operational resilience programs from UK PRA/FCA rules will find the foundations transferable, but should not assume direct equivalence.
Written By
Group COO & CISO at Opsio
Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. We update content quarterly for technical accuracy. Opsio maintains editorial independence.