Digital Operational Resilience Act

DORA compliance for financial services

EU Regulation 2022/2554 has been in effect since January 17, 2025, requiring financial entities to strengthen digital operational resilience. We help you implement the five pillars with clear processes, evidence and supervisory reporting.

Start DORA assessmentBook compliance consultation

What is DORA?

The Digital Operational Resilience Act (DORA) is EU Regulation 2022/2554 that establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities operating in the European Union.

Why this matters now: DORA has been in effect since January 17, 2025. All EU financial institutions must have comprehensive ICT risk management, incident reporting, resilience testing and third-party oversight in place. Non-compliance exposes entities to supervisory sanctions and operational risk.

In effect now

Effective since January 17, 2025

Mandatory

Legal requirement for all financial entities

Complements EU AI Act for AI systems and ISO 42001 for AI management.

Who needs DORA compliance?

Credit institutions (banks)

All banks operating in the EU, regardless of size

Payment institutions

Payment service providers including PSPs and e-money institutions

Investment firms

Investment firms, trading venues and central securities depositories

Insurance and reinsurance undertakings

Insurance companies, intermediaries and ancillary services

Crypto-asset service providers

Entities providing crypto-asset services under MiCA regulation

ICT third-party service providers

Critical ICT providers serving financial entities (designated by ESAs)

How VerifyWise supports DORA compliance

Comprehensive capabilities addressing all five pillars and supervisory requirements

ICT risk management framework

Establish comprehensive ICT risk management frameworks with structured policies, procedures and controls. The platform maintains governance documentation, risk registers and monitoring capabilities aligned with DORA Article 6 requirements.

Addresses: ICT risk management: Frameworks, policies, procedures, risk identification

Incident detection and reporting

Classify ICT-related incidents, manage major incident reporting to authorities and track resolution workflows. The platform automates classification logic and maintains the audit trail required for regulatory reporting.

Addresses: Incident reporting: Detection, classification, authority notification, resolution tracking

Digital operational resilience testing

Plan and execute resilience testing programs including vulnerability assessments, scenario testing and threat-led penetration testing (TLPT). The platform schedules tests, tracks findings and manages remediation.

Addresses: Resilience testing: Test planning, TLPT coordination, remediation tracking

Third-party ICT service provider management

Maintain a register of critical ICT third-party providers, conduct due diligence assessments and monitor contractual obligations. The platform tracks concentration risk and supports exit strategy documentation.

Addresses: Third-party risk: Provider register, due diligence, contract management, exit planning

Continuous monitoring and metrics

Track operational resilience metrics, monitor ICT system performance and generate supervisory reporting. The platform consolidates resilience indicators for ongoing oversight and trend analysis.

Addresses: Monitoring: KPIs, performance dashboards, supervisory reporting

Information sharing arrangements

Participate in information-sharing arrangements for cyber threats and vulnerabilities. The platform manages participation in designated frameworks and tracks intelligence received and shared.

Addresses: Information sharing: Threat intelligence, vulnerability disclosure, industry collaboration

All DORA compliance activities are timestamped, assigned to responsible owners and tracked through approval workflows. This creates the audit trail supervisory authorities expect during inspections and reporting.

Complete DORA requirements coverage

VerifyWise provides dedicated capabilities for all regulatory requirements across the five pillars

26

Key DORA requirements

26

Requirements with dedicated tooling

100%

Coverage across all pillars

ICT Risk Management8/8

Frameworks, policies, procedures, monitoring

Incident Reporting6/6

Detection, classification, reporting, resolution

Resilience Testing5/5

Testing programs, threat-led testing, vulnerability assessments

Third-party Risk7/7

Due diligence, contracts, monitoring, exit strategies

Built for DORA compliance from day one

Incident classification

Automated major incident detection and authority reporting workflows

TLPT coordination

Threat-led penetration testing program management and remediation

Third-party register

Critical ICT provider tracking with concentration risk analysis

Supervisory reporting

Generate reports for EBA, EIOPA, ESMA and national authorities

Five pillars of DORA

DORA organizes digital operational resilience into five interconnected pillars

ICT Risk Management

Establish and maintain comprehensive ICT risk management frameworks aligned with business strategy.

ICT risk management framework
Business continuity policy
Disaster recovery capabilities
Business impact analysis
ICT systems inventory and mapping
Protection and prevention measures
Detection mechanisms
Response and recovery procedures

ICT-related Incident Management

Detect, manage, classify and report ICT-related incidents to ensure timely resolution and regulatory compliance.

Incident detection and management
Incident classification and categorization
Major incident reporting to authorities
Incident response procedures
Root cause analysis
Lessons learned integration

Digital Operational Resilience Testing

Test ICT systems and processes to identify vulnerabilities and ensure operational resilience.

Testing program development
Vulnerability assessments
Scenario-based testing
Threat-led penetration testing (TLPT)
Testing frequency and scope determination
Remediation tracking and validation

Third-party ICT Risk Management

Manage risks arising from ICT third-party service providers through comprehensive oversight.

Register of ICT third-party providers
Risk-based due diligence
Contractual arrangements and SLAs
Concentration risk assessment
Continuous monitoring of providers
Exit strategies and transition plans
Critical vs important provider classification

Information Sharing

Exchange information about cyber threats and vulnerabilities within designated frameworks.

Participation in information-sharing arrangements
Cyber threat intelligence exchange
Vulnerability disclosure procedures
Confidentiality protections
Industry collaboration mechanisms

36-week compliance roadmap

A practical path to achieving and maintaining DORA compliance with clear milestones and deliverables

Phase 1Weeks 1-6

Assessment

  • Gap analysis against DORA requirements
  • ICT asset and service provider inventory
  • Current risk management maturity assessment
  • Identify critical ICT third-party dependencies
Phase 2Weeks 7-14

Framework development

  • Develop ICT risk management framework
  • Establish incident classification procedures
  • Create testing program strategy
  • Design third-party oversight processes
Phase 3Weeks 15-28

Implementation

  • Deploy monitoring and detection tools
  • Implement incident reporting workflows
  • Execute initial resilience testing
  • Onboard critical third-party providers
Phase 4Weeks 29-36

Validation

  • Conduct TLPT for qualifying entities
  • Validate incident response capabilities
  • Test business continuity and disaster recovery
  • Prepare supervisory reporting processes

Penalties and enforcement

Understanding the consequences of non-compliance with DORA requirements

Administrative sanctions

Competent authorities can impose fines determined by member states

Examples

  • • Public statements identifying the person and the nature of the infringement
  • • Order to cease the conduct and desist from repetition
  • • Withdrawal or suspension of authorization

Financial penalties

Member states determine maximum fines that must be effective, proportionate and dissuasive

Examples

  • • Penalties for non-compliance with oversight requirements
  • • Fines for failure to report major incidents
  • • Sanctions for inadequate third-party risk management

Supervisory measures

ESAs (EBA, EIOPA, ESMA) can exercise direct oversight over critical ICT third-party providers

Examples

  • • On-site inspections
  • • General investigations
  • • Requests for information
  • • Recommendations for remediation

Enforcement authorities: European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), European Securities and Markets Authority (ESMA) and national competent authorities in each member state.

Penalties must be effective, proportionate and dissuasive. Specific amounts are determined by member states.

How DORA compares to other frameworks

Understanding the relationship between DORA and other compliance requirements

AspectDORAEU AI ActISO 27001
Scope
EU financial services and critical ICT providersAI systems placed on EU marketAny organization (information security)
Legal status
Mandatory EU regulationMandatory EU regulationVoluntary certification standard
Focus
Digital operational resilience for financeAI system safety and fundamental rightsInformation security management
Effective date
In effect since January 17, 2025Phased: August 2025-2027Voluntary (ongoing)
Key requirements
5 pillars of digital resilienceRisk tiers with role-based obligationsISMS with 93 controls
Enforcement
EBA, EIOPA, ESMA + national authoritiesNational authorities + EU AI OfficeThird-party certification bodies
Penalties
Effective, proportionate, dissuasive (member state defined)Up to €35M or 7% global revenueNone (voluntary standard)
Documentation
ICT risk registers, incident logs, test reports, third-party contractsTechnical documentation, conformity declarations, risk assessmentsISMS policies, procedures, risk treatment plans
Best for
Financial services digital resilienceAI system compliance in EUGeneral information security certification

Pro tip: Financial institutions using AI systems face both DORA andEU AI Actrequirements. DORA addresses operational resilience of ICT systems while EU AI Act addresses AI-specific risks. Implement both with ISO 42001 for comprehensive governance.

Discuss multi-framework compliance
Policy templates

ICT governance policy repository

Access ready-to-use ICT risk management policy templates aligned with DORA, EU AI Act and ISO 42001 requirements

ICT risk management

  • • ICT Risk Management Framework
  • • Business Continuity Policy
  • • Disaster Recovery Procedures
  • • ICT Asset Management
  • • Change Management Policy
  • • Access Control Policy
  • + 5 more policies

Incident & testing

  • • Incident Response Policy
  • • Major Incident Classification
  • • Authority Reporting Procedures
  • • Resilience Testing Program
  • • TLPT Framework
  • • Vulnerability Management
  • + 4 more policies

Third-party & sharing

  • • Third-Party Risk Policy
  • • ICT Provider Due Diligence
  • • Contract Management Standards
  • • Exit Strategy Framework
  • • Concentration Risk Assessment
  • • Information Sharing Policy
  • + 3 more policies
Browse all policy templates

Frequently asked questions

Common questions about DORA compliance and implementation

DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554 that became effective on January 17, 2025. It establishes uniform requirements for ICT risk management, incident reporting, resilience testing, third-party risk management and information sharing across EU financial services. See the full regulation text at EUR-Lex.
DORA is enforced by the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), working with national competent authorities in each member state.
Member states determine specific penalties, but they must be effective, proportionate and dissuasive. Authorities can impose fines, withdraw authorizations, issue public warnings and require cessation of non-compliant conduct. Critical ICT third-party providers face direct ESA oversight with inspection powers and potential sanctions.
DORA defines major incidents as those with high adverse impact on network and information systems supporting critical functions. Entities must notify competent authorities of major incidents and provide initial, intermediate and final reports. The classification depends on impact to services, clients, financial stability and reputation, with specific thresholds defined in regulatory technical standards.
TLPT is advanced testing simulating real-world attacks by replicating tactics, techniques and procedures of genuine threat actors. DORA requires certain financial entities (based on size, criticality and risk profile) to undergo TLPT at least every three years. Tests must follow the TIBER-EU framework or equivalent national frameworks.
DORA distinguishes between 'critical' and 'important' ICT third-party providers based on the significance of services to business operations. The ESAs will designate 'critical' providers who are then subject to direct oversight. Financial entities must maintain a register of all ICT providers and implement enhanced due diligence for critical dependencies.
Financial entities must ensure contracts with ICT third-party providers include: full service descriptions, service level requirements, access and audit rights, notice periods, termination rights, exit strategies, subcontracting provisions, data location and processing terms, business continuity requirements and liability arrangements. Standard contract templates are being developed.
DORA complements NIS2 (Network and Information Security Directive) and GDPR. For financial entities, DORA is lex specialis (specialized law) taking precedence for digital operational resilience. Entities must still comply with GDPR for personal data and may have NIS2 obligations if operating essential services. Many controls overlap and can be implemented together.
Article 6 requires financial entities to have a comprehensive ICT risk management framework covering protection, detection, containment, recovery and repair capabilities. This includes risk identification, business continuity planning, backup policies, disaster recovery, crisis management and annual strategy review by the management body.
Most financial institutions require 6-9 months for comprehensive DORA implementation, depending on existing maturity. Since DORA became effective in January 2025, organizations should prioritize gap remediation, framework enhancement and validation testing. Organizations starting from lower maturity or with complex third-party ecosystems may need 12+ months for full compliance.
DORA applies to financial entities established in the EU. Non-EU entities with EU branches or subsidiaries must ensure those entities comply. Third-country firms providing services into the EU should monitor national implementation as member states may extend certain requirements to cross-border service providers.
Financial entities using AI systems face both DORA and EU AI Act requirements. DORA addresses the operational resilience of ICT systems (including AI-powered systems), while the EU AI Act addresses AI-specific risks and fundamental rights. Many controls complement each other, particularly around risk management, testing and third-party oversight.
Yes, VerifyWise provides dedicated DORA compliance capabilities including ICT risk registers, incident management workflows, third-party provider tracking, testing program management and supervisory reporting. Our platform also supports ISO 42001 and EU AI Act for organizations implementing multiple frameworks.

Ready to achieve DORA compliance?

Start your digital operational resilience journey with our guided assessment and implementation tools.

Start DORA assessmentSchedule consultation
DORA compliance for financial institutions: ICT risk and audit guide