DORA Compliance Guide
Everything you need to know about the Digital Operational Resilience Act (EU Regulation 2022/2554) and how to achieve compliance.
What is DORA?
The Digital Operational Resilience Act (DORA) is EU Regulation 2022/2554, adopted on 16 January 2023 and in full effect since 17 January 2025. It establishes a comprehensive framework for ICT risk management in the EU financial sector.
DORA harmonises digital operational resilience requirements across the EU, replacing the patchwork of national guidelines and EBA/EIOPA/ESMA recommendations that existed before. It creates a single set of rules for all financial entities.
The regulation was created in response to the financial sector's growing dependence on ICT systems and third-party technology providers. Cyber attacks, IT outages, and vendor failures pose systemic risks that can spread across the financial ecosystem.
Who does DORA apply to?
DORA applies to over 20 types of financial entities, making it one of the broadest EU financial regulations in scope:
- Credit institutions (banks)
- Payment institutions
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Insurance and reinsurance companies
- Insurance intermediaries
- Pension funds (IORPs)
- Credit rating agencies
- Crowdfunding service providers
- ICT third-party service providers (designated as critical)
The 5 Pillars of DORA
ICT Risk Management
Financial entities must establish and maintain a comprehensive ICT risk management framework. This includes identifying and classifying all ICT assets, mapping dependencies, conducting risk assessments, and implementing controls. The management body bears ultimate responsibility for ICT risk.
ICT-Related Incident Reporting
Entities must classify ICT incidents using defined criteria and report major incidents to their competent authority. An initial notification is due within 4 hours, an intermediate report within 72 hours, and a final report within 30 days. This creates a harmonised incident reporting regime across the EU.
Digital Operational Resilience Testing
All entities must conduct regular resilience testing including vulnerability assessments, network security testing, and scenario-based testing. Significant entities must additionally perform Threat-Led Penetration Testing (TLPT) at least every three years.
ICT Third-Party Risk Management
Entities must maintain a Register of Information (RoI) documenting all ICT third-party arrangements. Contractual requirements are specified in Articles 28-44. Critical ICT providers are subject to direct oversight by EU supervisory authorities (EBA, ESMA, EIOPA).
Information Sharing
Financial entities may participate in information-sharing arrangements to exchange cyber threat intelligence, indicators of compromise, and best practices. This pillar encourages collaboration within the financial sector to strengthen collective resilience.
Key Deadlines
DORA enters into force
Regulation published in the Official Journal of the EU. 24-month implementation period begins.
DORA in full effect
All financial entities must be fully compliant. Supervisory authorities begin enforcement. RTS and ITS standards apply.
First Register of Information submissions
Entities must submit their Register of Information to competent authorities for the first time.
Penalties & Enforcement
DORA empowers national competent authorities to impose administrative penalties and remedial measures on non-compliant entities. The specific penalty amounts are determined by each EU Member State in its national rules implementing the regulation.
Supervisory measures may include orders to cease activities, public statements, withdrawal of authorisation, and periodic penalty payments. For critical ICT third-party providers, the lead overseer (EBA, ESMA, or EIOPA) can impose fines of up to 1% of average daily worldwide turnover for each day of non-compliance, for up to six months.
Beyond financial penalties, non-compliance creates reputational risk and may affect business relationships, as counterparties are required to assess their partners' DORA compliance status.
How ComplyShield helps with DORA compliance
Pillar 1: ICT Risk Management
Complete asset registry, risk assessments with CIA scoring, dependency mapping, control tracking, and risk heat maps.
Pillar 2: Incident Reporting
Wizard-driven classification, automated 4h/72h/30d deadline tracking, PDF reports, and escalation workflows.
Pillar 3: Resilience Testing
Track vulnerability scans, penetration tests, and TLPT exercises. Import findings from Qualys, Nessus, and Rapid7.
Pillar 4: Third-Party Risk
Vendor registry, self-service assessments, contract tracking, concentration risk analysis, and 15 RoI xBRL-CSV templates.
Pillar 5: Information Sharing
Track information-sharing arrangements, set review reminders, and maintain an auditable record of sharing activities.
Regulatory Reporting
Generate ESA-validated xBRL-CSV exports for all 15 Register of Information templates, board reports, and audit evidence.
Get your DORA compliance checklist
Talk to our team for a detailed DORA compliance assessment and a personalised action plan for your institution.