DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is the EU regulation mandating ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk management for financial entities in the EU. It entered into force on 16 January 2023 and has applied since 17 January 2025. For IT and technology teams at banks, investment firms, insurance companies, payment institutions, and financial market infrastructures, DORA is the most comprehensive ICT regulatory framework yet applied to financial services technology operations. This guide translates DORA's requirements into concrete IT team obligations.
DORA Scope and Obligations
Who DORA Applies To
DORA applies to banks and credit institutions, investment firms, payment institutions and e-money institutions, insurance and reinsurance undertakings, crypto-asset service providers (CASPs), central counterparties (CCPs), trade repositories, and, critically, the ICT third-party service providers (cloud providers, data analytics firms, software vendors) that serve these entities. If you are a SaaS vendor, cloud provider, or technology company whose financial services clients are in scope, your contracts will be updated to carry DORA's mandatory third-party provisions, and the largest providers can be designated as critical and overseen directly by the European Supervisory Authorities. The regulation's reach therefore extends up the supply chain to any ICT supplier of a financial entity.
DORA's Five ICT Risk Pillars
| Pillar | Key Requirement | IT Team Action |
|---|---|---|
| ICT Risk Management | Documented ICT risk management framework; management body oversight; digital operational resilience strategy with risk tolerance level | Formalise the ICT risk register; board-level ICT risk reporting; documented risk tolerance |
| ICT Incident Reporting | Major ICT-related incidents reported to the competent authority: initial notification within 4 hours of classification as major (and no later than 24 hours from becoming aware), intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report | Incident classification rules implementing the RTS criteria; regulatory notification workflow; incident timeline capture |
| Digital Operational Resilience Testing | All entities: at least yearly testing of all ICT systems supporting critical or important functions (vulnerability assessments, scenario-based tests, penetration testing and similar); entities identified by their competent authority: Threat-Led Penetration Testing (TLPT) at least every 3 years | Annual testing programme scoped to critical and important functions; TLPT programme where the competent authority requires it |
| ICT Third-Party Risk | Register of information covering all ICT third-party arrangements; mandatory contractual provisions; concentration risk assessment; exit strategies for providers supporting critical or important functions | ICT supplier register; contracts updated with mandatory DORA clauses; documented and tested exit strategies |
| Information Sharing | Voluntary exchange of cyber threat information and intelligence among financial entities, notified to competent authorities | Participate in FS-ISAC or a national financial-sector ISAC or CSIRT sharing arrangement |
4 hours
Initial major incident notification deadline: within 4 hours of classifying an incident as "major" under DORA's classification criteria, and in any case no later than 24 hours after becoming aware of the incident, your competent authority must receive an initial notification. The intermediate report follows within 72 hours of the initial notification and the final report within one month of the intermediate report. Meeting the 4-hour window requires a notification workflow integrated with your incident management system, with pre-approved templates so the initial notification can be sent before root cause is known.
TLPT
Threat-Led Penetration Testing: the advanced DORA resilience testing requirement (Article 26) for financial entities identified by their competent authority. TLPT uses the tactics, techniques and procedures (TTPs) of real threat actors, informed by targeted threat intelligence, to run red team exercises against live production systems supporting critical or important functions, at least every three years. The methodology is set out in the RTS on TLPT and follows the TIBER-EU framework; testers must meet the requirements of Article 27, and credit institutions classified as significant under the SSM must use external testers. The UK's CBEST is the analogous scheme but is not a DORA framework.
Critical ICT
DORA distinguishes ordinary ICT third-party providers from "critical ICT third-party service providers" (CTPPs), which the European Supervisory Authorities (ESAs) designate and oversee directly through a Lead Overseer. The register, contractual and exit-strategy requirements of Articles 28 to 30 apply to arrangements with any ICT provider supporting critical or important functions, not only CTPPs; designation adds direct ESA oversight of the provider and closer supervisory attention to the firms that depend on it. The large hyperscale cloud providers (AWS, Azure, GCP) are widely expected to be among those designated.
ICT Risk Management Framework
DORA Articles 5 to 14 require a documented ICT risk management framework with: (1) a digital operational resilience strategy, including the ICT risk tolerance level, approved by the management body; (2) an ICT risk register with identified risks, mitigating controls, and residual risk assessment; (3) business continuity and disaster recovery plans specific to ICT disruption scenarios; (4) an ICT asset register (hardware, software, and data assets, with their dependencies and supporting functions); (5) network and information system policies; (6) review of the framework at least once a year and after major incidents. Article 16 provides a simplified framework for certain small entities. Most financial entities already have a framework, so the DORA compliance task is a gap analysis against the specific regulatory requirements followed by remediation. ISACA's COBIT 2019 framework aligns well with DORA's ICT risk structure.
Incident Classification and Reporting
DORA defines "major ICT-related incidents" through the classification RTS (Commission Delegated Regulation (EU) 2024/1772). An incident is major when it affects critical or important functions and either the data losses criterion is met or at least two of the other criteria meet their materiality thresholds. Those criteria and thresholds are: clients affected (more than 10% of clients using the affected service, or more than 100,000 clients), duration and service downtime (incident longer than 24 hours, or more than 2 hours of downtime for an ICT service supporting a critical or important function), geographic spread (impact in two or more Member States), reputational impact (media coverage, complaints, or regulatory action), and economic impact (costs and losses above EUR 100,000). Check these figures against the current RTS text before hard-coding them. Implement: (1) classification logic in your SIEM/ITSM that sets an automatic major incident flag when the criteria are met; (2) automated generation of the 4-hour initial notification draft from incident ticket data; (3) a DORA incident reporting register; (4) intermediate (72-hour) and final (one-month) report templates in ServiceNow/Jira. Test the notification workflow quarterly. The 4-hour clock starts when you classify the incident, not when you discover it, but the initial notification must in any case be sent within 24 hours of becoming aware, so a slow classification process does not buy time.
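The classification rule and the two reporting clocks above are easy to get subtly wrong in a ticketing workflow, so here is a worked example. It is illustrative code written for this guide, not an official ESA tool and not code from the original page; the thresholds are the RTS values as the guide states them and must be verified against the current regulation text, the `Incident` fields and sample incidents are constructed for the example, and the intermediate-report deadline is computed from the initial-notification deadline as a worst case (the regulation measures it from actual submission).

```python
"""Added example: DORA major-incident classification and reporting-clock helper.

Illustrative code for this guide, not an official EBA/ESA tool. Thresholds
follow Delegated Regulation (EU) 2024/1772 as cited in the guide; verify them
against the current text before relying on them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Materiality thresholds (assumption: values as stated in the guide; confirm against the RTS)
CLIENT_SHARE = 0.10            # > 10 % of clients using the affected service
CLIENT_COUNT = 100_000         # or > 100 000 clients
DURATION_H = 24                # incident longer than 24 h ...
CRITICAL_DOWNTIME_H = 2        # ... or > 2 h downtime of a critical/important function
ECONOMIC_EUR = 100_000         # costs and losses above EUR 100 000
MIN_MEMBER_STATES = 2          # impact in two or more Member States


@dataclass
class Incident:
    """Facts an analyst records on the ticket (field names are this example's own)."""
    ref: str
    aware_at: datetime                   # moment the entity became aware of the incident
    affects_critical_or_important: bool  # "critical services affected" criterion
    clients_affected: int
    clients_using_service: int
    duration_h: float
    critical_downtime_h: float
    member_states: int
    economic_impact_eur: float
    reputational_impact: bool            # media coverage, complaints, regulatory action
    data_losses: bool                    # CIA impact on data hitting a critical/important function


def met_criteria(i: Incident) -> dict:
    """Evaluate each materiality threshold independently."""
    share = i.clients_affected / i.clients_using_service if i.clients_using_service else 0.0
    return {
        "clients": share > CLIENT_SHARE or i.clients_affected > CLIENT_COUNT,
        "reputational": i.reputational_impact,
        "duration": i.duration_h > DURATION_H or i.critical_downtime_h > CRITICAL_DOWNTIME_H,
        "geographic": i.member_states >= MIN_MEMBER_STATES,
        "economic": i.economic_impact_eur > ECONOMIC_EUR,
        "data_losses": i.data_losses,
    }


def is_major(i: Incident) -> bool:
    """Major = critical/important function affected AND (data losses OR >= 2 other criteria)."""
    if not i.affects_critical_or_important:
        return False
    c = met_criteria(i)
    if c["data_losses"]:
        return True
    others = ("clients", "reputational", "duration", "geographic", "economic")
    return sum(c[k] for k in others) >= 2


def reporting_deadlines(i: Incident, classified_at: datetime) -> dict:
    """Initial notification: 4 h from classification, never later than 24 h from awareness.
    Intermediate report: 72 h from submission of the initial notification (worst case here:
    computed from the initial deadline). The final report is due one month after that."""
    initial = min(classified_at + timedelta(hours=4), i.aware_at + timedelta(hours=24))
    return {"initial": initial, "intermediate": initial + timedelta(hours=72)}


def example_results() -> dict:
    """Constructed sample incidents (not real events) run through the classifier."""
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=UTC)  # awareness time for all samples
    samples = {
        # Payment API outage: 12 % of clients and 3 h critical downtime -> two criteria -> major.
        # Classified 22 h after awareness, so the 24 h backstop, not classification + 4 h, applies.
        "INC-001": (Incident("INC-001", t0, True, 12_000, 100_000, 3.0, 3.0, 1, 20_000, False, False),
                    t0 + timedelta(hours=22)),
        # Same clients impact but only one criterion met -> not major.
        "INC-002": (Incident("INC-002", t0, True, 12_000, 100_000, 1.0, 1.0, 1, 20_000, False, False),
                    t0 + timedelta(hours=1)),
        # Marketing site defaced: many criteria hit, but no critical/important function -> not major.
        "INC-003": (Incident("INC-003", t0, False, 500_000, 500_000, 30.0, 0.0, 3, 200_000, True, False),
                    t0 + timedelta(hours=1)),
        # Ransomware encrypting the core banking database: data losses alone suffice.
        "INC-004": (Incident("INC-004", t0, True, 0, 100_000, 0.5, 0.5, 1, 0, False, True),
                    t0 + timedelta(hours=1)),
    }
    out = {}
    for ref, (inc, classified_at) in samples.items():
        major = is_major(inc)
        d = reporting_deadlines(inc, classified_at) if major else None
        out[ref] = {
            "major": major,
            "criteria": [k for k, v in met_criteria(inc).items() if v],
            "initial_due": d["initial"].isoformat() if d else None,
            "intermediate_due": d["intermediate"].isoformat() if d else None,
        }
    return out


if __name__ == "__main__":
    for ref, r in example_results().items():
        print(ref, r)
```

INC-001 is the case to watch in a real workflow: classification happened 22 hours after detection, so the initial notification is due 2 hours later (the 24-hour backstop), not 4. Wire the same two clocks into the ticketing system and alert on the earlier of the two.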
ICT Third-Party Register and Contracts
DORA Article 28 requires a register of information covering all contractual arrangements with ICT third-party service providers, recording for each: the service provided, data processed, hosting location, whether the service supports a critical or important function, and a concentration risk assessment. Update all ICT supplier contracts to include the mandatory contractual provisions of Article 30: clear service descriptions, data processing and storage locations, audit and access rights, incident notification obligations, service levels, termination rights, and exit assistance; arrangements supporting critical or important functions carry additional provisions and need a documented exit strategy. Prioritise cloud providers (AWS, Azure, GCP), SaaS applications that access client data, and network and connectivity providers. Timeline: expect 12 to 18 months for full contract remediation across all suppliers.
Penetration Testing Programme
DORA resilience testing requirements: (1) all entities: at least yearly testing of all ICT systems and applications supporting critical or important functions, drawing on vulnerability assessments and scans, network security assessments, scenario-based tests, and penetration testing of internet-facing systems (Articles 24 and 25); (2) entities identified by their competent authority (in practice the systemically important ones): TLPT at least every 3 years, a full red team exercise following the TIBER-EU-aligned methodology with testers meeting Article 27's requirements. Implement: engage a qualified penetration testing firm for the annual programme and scope it from your register of critical and important functions; if your competent authority requires TLPT, begin the TIBER-EU process 18 months before your TLPT deadline, since the process takes 12 to 15 months to complete. Our DevOps team implements DORA testing programmes.