The Five Pillars of DORA: Core Requirements Explained
DORA is structured around five interconnected pillars that together create a comprehensive framework for digital operational resilience. Each pillar addresses a specific aspect of ICT risk management, from internal governance to external information sharing.
Understanding these five pillars is essential for planning your compliance approach. While they are distinct areas, they reinforce each other. Effective incident reporting depends on robust detection capabilities; resilience testing validates your risk management framework; and third-party oversight requires understanding your own ICT landscape first.
Key Takeaways
| Point | Summary |
|---|---|
| Five pillars | ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing |
| Interconnected | Each pillar builds on and reinforces the others |
| Mandatory | First four pillars are mandatory; information sharing is voluntary but encouraged |
| Proportionate | Implementation depth varies based on entity size and risk profile |
| Management accountability | Senior leadership must approve and oversee pillar implementation |
Quick Answer: DORA requires financial entities to implement measures across five pillars: ICT risk management (governance and controls), incident reporting (detection and notification), resilience testing (vulnerability assessments and penetration testing), third-party risk management (vendor oversight and contracts), and information sharing (threat intelligence exchange). All five pillars must be addressed, though proportionately to your organization's size and complexity.
The five pillars of DORA are:
- ICT Risk Management
- ICT Incident Reporting
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information Sharing
Pillar 1: ICT Risk Management
The foundation of DORA compliance is a comprehensive ICT risk management framework. This goes beyond traditional information security to encompass the full lifecycle of identifying, protecting against, detecting, responding to, and recovering from ICT-related disruptions.
Core Requirements
| Requirement | Description |
|---|---|
| ICT risk management framework | Documented strategies, policies, and procedures for managing ICT risk |
| Governance | Clear roles and responsibilities, with management body accountability |
| Identification | ICT asset inventory, risk assessments, and vulnerability identification |
| Protection | Technical and organizational measures including access control, encryption, and network security |
| Detection | Monitoring capabilities to identify anomalies and potential incidents |
| Response and recovery | Incident response procedures and business continuity plans |
Management Accountability
DORA places direct responsibility on the management body (board of directors or equivalent). Senior leadership must:
- Define, approve, and oversee the ICT risk management framework
- Ensure adequate ICT budget and resources
- Approve arrangements for ICT services supporting critical functions
- Undergo regular training to understand ICT risks
- Review and approve ICT-related policies
This represents a significant shift from treating ICT risk as a purely technical matter delegated to IT departments.
For detailed guidance, see our ICT Risk Management article.
Pillar 2: ICT Incident Reporting
DORA establishes a harmonized incident reporting framework that requires financial entities to detect, classify, and report major ICT-related incidents within strict timelines.
Incident Classification
Financial entities must classify ICT-related incidents based on criteria including:
| Criterion | Consideration |
|---|---|
| Number of clients affected | Scale of impact |
| Duration | How long the incident persists |
| Geographic spread | Cross-border implications |
| Data losses | Impact on data integrity or confidentiality |
| Service criticality | Whether critical functions are affected |
| Economic impact | Financial losses incurred |
Reporting Timeline
Major incidents must be reported in three stages:
| Stage | Deadline | Content |
|---|---|---|
| Initial notification | Within 4 hours of classifying as major (and no later than 24 hours after detection) | Basic incident details, systems affected, initial impact assessment |
| Intermediate report | 72 hours after initial notification | Root cause analysis (if available), full impact scope, recovery measures |
| Final report | 1 month after last intermediate report | Complete root cause analysis, remediation actions, lessons learned |
Client Notification
When a major incident affects client financial interests, entities must inform affected clients without undue delay, including measures clients can take to mitigate the impact.
For detailed guidance, see our Incident Reporting article.
Pillar 3: Digital Operational Resilience Testing
DORA mandates regular testing to validate that ICT systems and processes can withstand disruptions. Testing requirements scale with entity size and systemic importance.
Testing Requirements by Entity Type
| Entity Type | Required Testing |
|---|---|
| All in-scope entities | Vulnerability assessments, network security testing, gap analysis, software security testing |
| Non-microenterprises | Annual testing program covering all critical ICT systems |
| Significant/systemically important entities | Threat-led penetration testing (TLPT) at least every 3 years |
Threat-Led Penetration Testing (TLPT)
TLPT is an intelligence-driven form of testing that simulates real-world attack scenarios:
- Scope: Live production systems supporting critical functions
- Methodology: Red team exercises based on current threat intelligence
- Third-party inclusion: ICT providers supporting critical functions must participate
- Frequency: At least every 3 years for designated entities
- External requirement: Every third TLPT must use external testers
TLPT differs from traditional penetration testing in its scope (entire organization vs. specific systems) and approach (threat intelligence-driven vs. vulnerability scanning).
For detailed guidance, see our Resilience Testing article.
Pillar 4: ICT Third-Party Risk Management
Recognizing that financial sector resilience depends on technology supply chains, DORA establishes comprehensive requirements for managing ICT third-party providers.
Key Requirements
| Requirement | Description |
|---|---|
| Strategy | Documented strategy for ICT third-party risk, including policy for critical/important functions |
| Due diligence | Pre-contract assessment of potential providers |
| Contractual requirements | Mandatory provisions in all ICT service agreements |
| Register of Information | Comprehensive register of all ICT third-party arrangements |
| Monitoring | Ongoing oversight of provider performance and risk |
| Exit planning | Exit strategies for all ICT services, especially critical functions |
Register of Information (RoI)
Financial entities must maintain a register documenting all ICT third-party arrangements. This register serves as:
- Internal monitoring tool for ICT third-party risk
- Information source for supervisory authorities
- Input for designation of Critical ICT Third-Party Providers
The RoI must be submitted to regulators, with first submissions due in 2025/2026.
Critical ICT Third-Party Providers
Providers designated as critical face direct EU oversight through Joint Examination Teams. Designation criteria include systemic importance, concentration risk, and potential impact on financial stability.
For detailed guidance, see our Third-Party Risk Management article.
Pillar 5: Information and Intelligence Sharing
DORA's fifth pillar encourages (but does not mandate) financial entities to share cyber threat intelligence and information about ICT-related incidents.
Voluntary Framework
| Element | Description |
|---|---|
| Participation | Voluntary arrangements between financial entities |
| Content | Indicators of compromise, tactics and techniques, security alerts, mitigation tools |
| Safeguards | Must protect business confidentiality and personal data |
| Trusted communities | Sharing among entities with compatible interests and risk profiles |
Benefits
Information sharing helps financial entities:
- Identify emerging threats earlier
- Learn from incidents affecting peers
- Improve collective defense capabilities
- Reduce duplication of threat analysis efforts
Regulatory Notification
Financial entities participating in information-sharing arrangements must notify their competent authority. Supervisory authorities may themselves share relevant cyber threat information with financial entities.
For detailed guidance, see our Information Sharing article.
How the Pillars Work Together
The five pillars form an integrated approach to digital operational resilience:
ICT Risk Management (Pillar 1)
↓
Identifies risks and establishes controls
↓
Resilience Testing (Pillar 3) ←→ Third-Party Risk (Pillar 4)
↓ ↓
Validates controls Extends to supply chain
↓ ↓
Incident Reporting (Pillar 2)
↓
Captures lessons learned
↓
Information Sharing (Pillar 5)
↓
Improves collective resilienceAn incident discovered through monitoring (Pillar 1) triggers reporting obligations (Pillar 2). Testing (Pillar 3) may reveal control gaps that need to be addressed. Third-party oversight (Pillar 4) ensures your supply chain does not undermine your resilience. Information sharing (Pillar 5) enables the sector to learn collectively.
Implementation Priorities
For most financial entities, we recommend addressing the pillars in this order:
| Priority | Pillar | Rationale |
|---|---|---|
| 1 | ICT Risk Management | Foundation for all other pillars |
| 2 | Third-Party Risk Management | Register of Information has early deadlines |
| 3 | Incident Reporting | Immediate obligation once DORA applies |
| 4 | Resilience Testing | Build on established framework |
| 5 | Information Sharing | Consider once core pillars are mature |
However, specific priorities may vary based on your current maturity and gaps.
Common Questions
Are all five pillars mandatory?
The first four pillars (ICT risk management, incident reporting, resilience testing, and third-party risk management) are mandatory. Information sharing (Pillar 5) is voluntary but encouraged.
Can we address pillars sequentially?
While the pillars are interconnected, you can prioritize based on gaps and deadlines. ICT risk management is foundational and should come first. Incident reporting must be in place from day one. The Register of Information has specific submission deadlines.
How do the pillars relate to ISO 27001?
ISO 27001 provides good coverage for Pillars 1 and 4, and partial coverage for Pillars 2 and 3. However, DORA has specific requirements that go beyond ISO 27001, particularly around incident reporting timelines and TLPT.
Do microenterprises need to address all pillars?
Yes, but with proportionate implementation. Microenterprises benefit from simplified requirements, particularly for Pillar 1 (ICT risk management) and Pillar 3 (testing).
How Bastion Helps
Bastion provides end-to-end support across all five DORA pillars:
- Pillar 1: ICT risk management framework development and documentation
- Pillar 2: Incident response planning and reporting procedure design
- Pillar 3: Penetration testing coordination and TLPT preparation
- Pillar 4: Third-party risk assessment and Register of Information preparation
- Pillar 5: Guidance on information-sharing participation
Ready to address DORA's five pillars? Talk to our team
Sources
- DORA Chapters II-V - Official text covering the five pillars
- ESA Joint Technical Standards - Technical implementation standards
- EIOPA DORA Overview - Supervisory guidance on pillar implementation