
DORA Guides

Complete guides to DORA (Digital Operational Resilience Act) compliance for financial institutions, including ICT risk management, incident reporting, and third-party risk.

Common Questions About DORA

Quick answers to the most frequently asked questions about DORA compliance.

DORA (Digital Operational Resilience Act) is an EU regulation establishing ICT (information and communication technology) risk management requirements for financial entities. It aims to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.

DORA applies to virtually all EU financial entities including banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party service providers serving these entities.

DORA's five pillars are: 1) ICT risk management, 2) ICT-related incident reporting, 3) Digital operational resilience testing, 4) ICT third-party risk management, and 5) Information sharing arrangements on cyber threats.

DORA entered into force on January 16, 2023, and applies from January 17, 2025. Financial entities and their critical ICT providers must be fully compliant by this date.

Major ICT incidents must be reported to competent authorities in three stages: an initial notification within 4 hours of the incident being classified as major, an intermediate report within 72 hours, and a final report within one month. Reports use the standardized templates specified in the regulatory technical standards.

DORA is lex specialis for the financial sector, meaning it takes precedence over NIS 2 for financial entities. However, critical ICT third-party providers serving financial entities may need to comply with both regulations.

DORA requires financial entities to manage risks from ICT service providers throughout the relationship lifecycle, including due diligence, contractual requirements, ongoing monitoring, and exit strategies. Critical providers face direct EU oversight.

DORA applies to non-EU entities operating in the EU financial market. Non-EU ICT third-party service providers designated as critical must establish a subsidiary in the EU and may face direct oversight by EU regulators.

Ready to get DORA certified?

Let our experts guide you through DORA certification. We'll handle the complexity so you can focus on your business.
