Digital Operational Resilience Act

DORA compliance for financial services

EU Regulation 2022/2554 has been in effect since January 17, 2025, requiring financial entities to strengthen digital operational resilience. We help you implement the five pillars with clear processes, evidence and supervisory reporting.

What is DORA?

The Digital Operational Resilience Act (DORA) is EU Regulation 2022/2554 that establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities operating in the European Union.

Why this matters now: DORA has been in effect since January 17, 2025. All EU financial institutions must have comprehensive ICT risk management, incident reporting, resilience testing and third-party oversight in place. Non-compliance exposes entities to supervisory sanctions and operational risk.

In effect now

Effective since January 17, 2025

Mandatory

Legal requirement for all financial entities

Complements EU AI Act for AI systems and ISO 42001 for AI management.

Who needs DORA compliance?

Credit institutions (banks)

All banks operating in the EU, regardless of size

Payment institutions

Payment service providers including PSPs and e-money institutions

Investment firms

Investment firms, trading venues and central securities depositories

Insurance and reinsurance undertakings

Insurance companies, intermediaries and ancillary services

Crypto-asset service providers

Entities providing crypto-asset services under MiCA regulation

ICT third-party service providers

Critical ICT providers serving financial entities (designated by ESAs)

How VerifyWise supports DORA compliance

Comprehensive capabilities addressing all five pillars and supervisory requirements

ICT risk management framework

Establish comprehensive ICT risk management frameworks with structured policies, procedures and controls. The platform maintains governance documentation, risk registers and monitoring capabilities aligned with DORA Article 6 requirements.

Addresses ICT risk management: frameworks, policies, procedures, risk identification

Incident detection and reporting

Classify ICT-related incidents, manage major incident reporting to authorities and track resolution workflows. The platform automates classification logic and maintains the audit trail required for regulatory reporting.

Addresses incident reporting: detection, classification, authority notification, resolution tracking

Digital operational resilience testing

Plan and execute resilience testing programs including vulnerability assessments, scenario testing and threat-led penetration testing (TLPT). The platform schedules tests, tracks findings and manages remediation.

Addresses resilience testing: test planning, TLPT coordination, remediation tracking

Third-party ICT service provider management

Maintain a register of critical ICT third-party providers, conduct due diligence assessments and monitor contractual obligations. The platform tracks concentration risk and supports exit strategy documentation.

Addresses third-party risk: provider register, due diligence, contract management, exit planning

Continuous monitoring and metrics

Track operational resilience metrics, monitor ICT system performance and generate supervisory reporting. The platform consolidates resilience indicators for ongoing oversight and trend analysis.

Addresses monitoring: KPIs, performance dashboards, supervisory reporting

Information sharing arrangements

Participate in information-sharing arrangements for cyber threats and vulnerabilities. The platform manages participation in designated frameworks and tracks intelligence received and shared.

Addresses information sharing: threat intelligence, vulnerability disclosure, industry collaboration

All DORA compliance activities are timestamped, assigned to responsible owners and tracked through approval workflows. This creates the audit trail supervisory authorities expect during inspections and reporting.

Complete DORA requirements coverage

VerifyWise provides dedicated capabilities for all regulatory requirements across the five pillars

26 key DORA requirements
26 requirements with dedicated tooling
100% coverage across all pillars

ICT Risk Management: 8/8 (frameworks, policies, procedures, monitoring)
Incident Reporting: 6/6 (detection, classification, reporting, resolution)
Resilience Testing: 5/5 (testing programs, threat-led testing, vulnerability assessments)
Third-party Risk: 7/7 (due diligence, contracts, monitoring, exit strategies)

Built for DORA compliance from day one

Incident classification

Automated major incident detection and authority reporting workflows

TLPT coordination

Threat-led penetration testing program management and remediation

Third-party register

Critical ICT provider tracking with concentration risk analysis

Supervisory reporting

Generate reports for EBA, EIOPA, ESMA and national authorities

Five pillars of DORA

DORA organizes digital operational resilience into five interconnected pillars

ICT Risk Management

Establish and maintain comprehensive ICT risk management frameworks aligned with business strategy.

ICT risk management framework
Business continuity policy
Disaster recovery capabilities
Business impact analysis
ICT systems inventory and mapping
Protection and prevention measures
Detection mechanisms
Response and recovery procedures

ICT-related Incident Management

Detect, manage, classify and report ICT-related incidents to ensure timely resolution and regulatory compliance.

Incident detection and management
Incident classification and categorization
Major incident reporting to authorities
Incident response procedures
Root cause analysis
Lessons learned integration

Digital Operational Resilience Testing

Test ICT systems and processes to identify vulnerabilities and ensure operational resilience.

Testing program development
Vulnerability assessments
Scenario-based testing
Threat-led penetration testing (TLPT)
Testing frequency and scope determination
Remediation tracking and validation

Third-party ICT Risk Management

Manage risks arising from ICT third-party service providers through comprehensive oversight.

Register of ICT third-party providers
Risk-based due diligence
Contractual arrangements and SLAs
Concentration risk assessment
Continuous monitoring of providers
Exit strategies and transition plans
Critical vs important provider classification

Information Sharing

Exchange information about cyber threats and vulnerabilities within designated frameworks.

Participation in information-sharing arrangements
Cyber threat intelligence exchange
Vulnerability disclosure procedures
Confidentiality protections
Industry collaboration mechanisms

36-week compliance roadmap

A practical path to achieving and maintaining DORA compliance with clear milestones and deliverables

Phase 1 (Weeks 1-6): Assessment

  • Gap analysis against DORA requirements
  • ICT asset and service provider inventory
  • Current risk management maturity assessment
  • Identify critical ICT third-party dependencies

Phase 2 (Weeks 7-14): Framework development

  • Develop ICT risk management framework
  • Establish incident classification procedures
  • Create testing program strategy
  • Design third-party oversight processes

Phase 3 (Weeks 15-28): Implementation

  • Deploy monitoring and detection tools
  • Implement incident reporting workflows
  • Execute initial resilience testing
  • Onboard critical third-party providers

Phase 4 (Weeks 29-36): Validation

  • Conduct TLPT for qualifying entities
  • Validate incident response capabilities
  • Test business continuity and disaster recovery
  • Prepare supervisory reporting processes

Penalties and enforcement

Understanding the consequences of non-compliance with DORA requirements

Administrative sanctions

Competent authorities can impose fines determined by member states

Examples

  • Public statements identifying the person and the nature of the infringement
  • Order to cease the conduct and desist from repetition
  • Withdrawal or suspension of authorization

Financial penalties

Member states determine maximum fines that must be effective, proportionate and dissuasive

Examples

  • Penalties for non-compliance with oversight requirements
  • Fines for failure to report major incidents
  • Sanctions for inadequate third-party risk management

Supervisory measures

ESAs (EBA, EIOPA, ESMA) can exercise direct oversight over critical ICT third-party providers

Examples

  • On-site inspections
  • General investigations
  • Requests for information
  • Recommendations for remediation

Enforcement authorities: European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), European Securities and Markets Authority (ESMA) and national competent authorities in each member state.

Penalties must be effective, proportionate and dissuasive. Specific amounts are determined by member states.

How DORA compares to other frameworks

Understanding the relationship between DORA and other compliance requirements

Scope
  • DORA: EU financial services and critical ICT providers
  • EU AI Act: AI systems placed on the EU market
  • ISO 27001: Any organization (information security)

Legal status
  • DORA: Mandatory EU regulation
  • EU AI Act: Mandatory EU regulation
  • ISO 27001: Voluntary certification standard

Focus
  • DORA: Digital operational resilience for finance
  • EU AI Act: AI system safety and fundamental rights
  • ISO 27001: Information security management

Effective date
  • DORA: In effect since January 17, 2025
  • EU AI Act: Phased, August 2025-2027
  • ISO 27001: Voluntary (ongoing)

Key requirements
  • DORA: 5 pillars of digital resilience
  • EU AI Act: Risk tiers with role-based obligations
  • ISO 27001: ISMS with 93 controls

Enforcement
  • DORA: EBA, EIOPA, ESMA + national authorities
  • EU AI Act: National authorities + EU AI Office
  • ISO 27001: Third-party certification bodies

Penalties
  • DORA: Effective, proportionate, dissuasive (member state defined)
  • EU AI Act: Up to €35M or 7% global revenue
  • ISO 27001: None (voluntary standard)

Documentation
  • DORA: ICT risk registers, incident logs, test reports, third-party contracts
  • EU AI Act: Technical documentation, conformity declarations, risk assessments
  • ISO 27001: ISMS policies, procedures, risk treatment plans

Best for
  • DORA: Financial services digital resilience
  • EU AI Act: AI system compliance in the EU
  • ISO 27001: General information security certification

Pro tip: Financial institutions using AI systems face both DORA and EU AI Act requirements. DORA addresses the operational resilience of ICT systems, while the EU AI Act addresses AI-specific risks. Implement both with ISO 42001 for comprehensive governance.

Policy templates

ICT governance policy repository

Access ready-to-use ICT risk management policy templates aligned with DORA, EU AI Act and ISO 42001 requirements

ICT risk management

  • ICT Risk Management Framework
  • Business Continuity Policy
  • Disaster Recovery Procedures
  • ICT Asset Management
  • Change Management Policy
  • Access Control Policy
  • + 5 more policies

Incident & testing

  • Incident Response Policy
  • Major Incident Classification
  • Authority Reporting Procedures
  • Resilience Testing Program
  • TLPT Framework
  • Vulnerability Management
  • + 4 more policies

Third-party & sharing

  • Third-Party Risk Policy
  • ICT Provider Due Diligence
  • Contract Management Standards
  • Exit Strategy Framework
  • Concentration Risk Assessment
  • Information Sharing Policy
  • + 3 more policies

Frequently asked questions

Common questions about DORA compliance and implementation

DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554 that became effective on January 17, 2025. It establishes uniform requirements for ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing across EU financial services. See the full regulation text at EUR-Lex.

DORA is enforced by the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), working with national competent authorities in each member state.

Member states determine specific penalties, but they must be effective, proportionate and dissuasive. Authorities can impose fines, withdraw authorizations, issue public warnings and require cessation of non-compliant conduct. Critical ICT third-party providers face direct ESA oversight with inspection powers and potential sanctions.

DORA defines major incidents as those with high adverse impact on network and information systems supporting critical functions. Entities must notify competent authorities of major incidents and provide initial, intermediate and final reports. The classification depends on impact to services, clients, financial stability and reputation, with specific thresholds defined in regulatory technical standards.

TLPT is advanced testing simulating real-world attacks by replicating tactics, techniques and procedures of genuine threat actors. DORA requires certain financial entities (based on size, criticality and risk profile) to undergo TLPT at least every three years. Tests must follow the TIBER-EU framework or equivalent national frameworks.

DORA distinguishes between 'critical' and 'important' ICT third-party providers based on the significance of services to business operations. The ESAs will designate 'critical' providers, who are then subject to direct oversight. Financial entities must maintain a register of all ICT providers and implement enhanced due diligence for critical dependencies.

Financial entities must ensure contracts with ICT third-party providers include: full service descriptions, service level requirements, access and audit rights, notice periods, termination rights, exit strategies, subcontracting provisions, data location and processing terms, business continuity requirements and liability arrangements. Standard contract templates are being developed.

DORA complements NIS2 (Network and Information Security Directive) and GDPR. For financial entities, DORA is lex specialis (specialized law), taking precedence for digital operational resilience. Entities must still comply with GDPR for personal data and may have NIS2 obligations if operating essential services. Many controls overlap and can be implemented together.

Article 6 requires financial entities to have a comprehensive ICT risk management framework covering protection, detection, containment, recovery and repair capabilities. This includes risk identification, business continuity planning, backup policies, disaster recovery, crisis management and annual strategy review by the management body.

Most financial institutions require 6-9 months for comprehensive DORA implementation, depending on existing maturity. Since DORA became effective in January 2025, organizations should prioritize gap remediation, framework enhancement and validation testing. Organizations starting from lower maturity or with complex third-party ecosystems may need 12+ months for full compliance.

DORA applies to financial entities established in the EU. Non-EU entities with EU branches or subsidiaries must ensure those entities comply. Third-country firms providing services into the EU should monitor national implementation, as member states may extend certain requirements to cross-border service providers.

Financial entities using AI systems face both DORA and EU AI Act requirements. DORA addresses the operational resilience of ICT systems (including AI-powered systems), while the EU AI Act addresses AI-specific risks and fundamental rights. Many controls complement each other, particularly around risk management, testing and third-party oversight.

Yes, VerifyWise provides dedicated DORA compliance capabilities including ICT risk registers, incident management workflows, third-party provider tracking, testing program management and supervisory reporting. Our platform also supports ISO 42001 and EU AI Act for organizations implementing multiple frameworks.

Ready to achieve DORA compliance?

Start your digital operational resilience journey with our guided assessment and implementation tools.
