What is DORA (Digital Operational Resilience Act)?
DORA, or the Digital Operational Resilience Act, is an EU Regulation that came into force in January 2025 to help financial institutions withstand, respond to, and recover from ICT disruptions and threats. Unlike previous fragmented approaches to ICT risk, DORA creates standardised requirements for Information and Communication Technology (ICT) risk management across all EU member states. The regulation applies to all types of financial entities — from large banks to payment institutions, investment firms, cryptocurrency platforms, and third-party service providers.
The financial sector's increasing dependence on technology creates a myriad of systemic risks. DORA closes this critical gap by creating uniform requirements across all EU member states to prevent and mitigate cyber threats and attacks. This approach ensures that digital operational resilience becomes as fundamental to financial regulation as traditional financial resilience.
Why DORA matters for financial services
DORA represents a fundamental shift in how the EU regulates technology risk in finance. For decades, financial institutions have been held to strict standards for financial resilience. However, as the sector has grown increasingly dependent on digital infrastructure, regulatory bodies have struggled to keep up. And, given that a major cyber incident or ICT failure at a highly integrated company could affect the entire financial system, the stakes for mitigating risk are especially high.
For financial companies, the impact of DORA is huge. It requires businesses across the industry to examine all areas of their operations: strategy, governance, reporting lines, product design, operational policies, and personnel management.
Both financial entities and their business partners fall under DORA's scope. It mandates that firms maintain high standards of availability, authenticity, integrity, and confidentiality of data — points which are enforceable under the regulation. The goal here is that institutions become agile enough to manage ICT risk quickly, efficiently, and comprehensively, demonstrating that they can be trusted with their customers' finances.
Understanding the five pillars of DORA
Often referred to in the industry as the "five pillars," DORA establishes key requirements covering every aspect of ICT risk management, from prevention and detection to response and recovery. Together, they create a comprehensive framework, helping to ensure that financial institutions can protect their operations, respond effectively to incidents, and maintain critical services in the event of a cyber attack or technology failure.
The following table gives a broad overview of the pillars:
| Pillar | Requirements | Why it matters |
|---|---|---|
| ICT risk management | Comprehensive framework with board accountability, independent oversight, and annual reviews | Elevates digital resilience to board-level governance; ensures ongoing protection of all ICT assets |
| Incident reporting | Classify incidents and report major ones within strict timelines (24h/72h/one month) | Creates a unified EU view of threats; enables coordinated regulatory response to systemic risks |
| Resilience testing | Regular testing; threat-led penetration testing (TLPT) every three years for significant entities | Proves defences actually work under pressure, not just on paper |
| Third-party risk | Maintain registers, conduct due diligence, include audit rights in contracts; assess concentration risk | You can outsource services, but not accountability; organizations remain liable for vendor compliance |
| Information sharing | Voluntary participation in threat intelligence sharing arrangements | Collective defence makes the entire sector more resilient than isolated institutions |
Meeting DORA requirements: Your compliance roadmap
DORA is now in full force, which means compliance is mandatory. While DORA scales its requirements based on your company’s size and risk profile, the core obligations apply to every financial services organisation. Whether you're a multinational bank or a growing fintech, here's your practical roadmap for getting (and staying) compliant.
Phase 1: Know where you stand
Start with an honest assessment of where your company stands now:
- Review your ICT risk framework against DORA's five pillars to identify alignment or gaps.
- Conduct a comprehensive gap analysis of existing policies, procedures, and controls. Where are your policies strong, and where do they fall apart under scrutiny?
- Create a complete inventory of ICT service providers and evaluate whether they would pass a regulatory audit.
- Test business continuity and disaster recovery capabilities to ensure they meet operational requirements. Could your business restore critical operations if a major incident hit tomorrow?
This assessment provides a baseline understanding of your compliance posture and identifies priority areas for improvement.
Phase 2: Build your defences
Once you know where the gaps are, take a systematic, documented approach to filling them. Here’s where to start:
- Establish board-level governance with clear ICT risk accountability and assign oversight to an independent control function
- Develop a comprehensive, documented ICT risk management framework
- Create detailed registers of all ICT service providers (cloud platforms, payment processors, identity verification services)
- Implement incident classification and reporting procedures meeting regulatory timelines
- Review ICT contracts to include audit rights, exit strategies, and incident notification provisions
- Assess concentration risk and establish ongoing monitoring of third-party providers
Phase 3: Stay compliant
DORA isn't a one-off project — it's an ongoing compliance commitment. Here’s how to cover your bases and meet regulatory expectations:
- Conduct annual reviews of the ICT risk management framework to reflect evolving threats and technologies
- Test business continuity plans at least yearly to validate recovery capabilities
- Monitor third-party arrangements on a regular basis and update your registers if needed
- Provide regular staff training on ICT security awareness and incident response procedures
- Stay informed about regulatory developments, supervisory guidance, and emerging cyber threats
What are the penalties for non-compliance with DORA?
Non-compliance with DORA can result in administrative fines of up to €10 million or 5% of total annual turnover (whichever is higher). Member states may also impose remedial measures, increased regulatory scrutiny, and restrictions on business activities. Penalties are typically made public, causing reputational damage. Financial entities remain fully accountable for DORA compliance even when ICT services are outsourced to third parties.
Simplifying DORA Compliance with Fourthline
As an EU-based identity verification provider, Fourthline helps financial institutions meet DORA's third-party risk requirements. Our security standards, EU residency, and documented compliance frameworks reduce your vendor management burden and streamline regulatory compliance. Learn more about our approach to security and compliance here.
FAQs
Q: When did DORA come into force?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) came into force on January 17, 2025. This means that all requirements became applicable to covered financial entities.
Q: Who does DORA apply to?
DORA applies broadly across the EU financial services ecosystem, including banks, payment institutions, investment firms, cryptocurrency service providers, and insurance companies. It also applies to third-party ICT service providers with whom these companies do business.
Q: What are the main requirements of DORA?
DORA establishes five key requirements (known across the industry as the five “pillars”): ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements.
Q: How does DORA differ from GDPR?
While GDPR focuses on data protection and privacy across industries, DORA specifically addresses digital operational resilience and ICT risk management within financial services.
Q: What is ICT risk under DORA?
ICT risk refers to any reasonably identifiable circumstance in relation to the use of network and information systems which may compromise the security of network and information systems, of data, or of the services provided by financial entities.
Q: Do companies need to report all ICT incidents under DORA?
No, only major ICT-related incidents that meet specific materiality thresholds must be reported to the relevant authorities.
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.