
DORA Compliance: Complete Guide for Financial Entities

A complete guide to DORA compliance covering the five pillars, 21 entity types in scope, penalties, and how it relates to GDPR obligations.

DORA compliance became a binding obligation for financial entities across the European Union on 17 January 2025. The Digital Operational Resilience Act, formally Regulation (EU) 2022/2554, establishes a uniform framework for managing ICT risk across the entire financial sector. According to the European Banking Authority, tens of thousands of financial entities and their critical ICT service providers now fall within scope.

This article examines the full structure of the regulation, the obligations it imposes across its five pillars, and what organisations must do to achieve and maintain DORA compliance.

What Is DORA and Why Does It Exist?

The Digital Operational Resilience Act responds to the financial sector’s escalating dependence on information and communication technology, coupled with a regulatory landscape that failed to keep pace. Before DORA, ICT risk management was governed by a patchwork of national rules and non-binding guidelines.

DORA replaces this fragmentation with a single legislative instrument that applies directly in all Member States without requiring national transposition. It covers twenty-one categories of financial entities, including credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, crypto-asset service providers authorised under MiCA, central securities depositories, central counterparties, credit rating agencies, crowdfunding service providers, and ICT third-party service providers designated as critical.

What Are the Five Pillars of DORA Compliance?

DORA is structured around five interconnected pillars. Each addresses a distinct dimension of digital operational resilience, and together they form the comprehensive framework that financial entities must implement.

ICT risk management

The first and most extensive pillar requires financial entities to establish, maintain, and continuously review an ICT risk management framework. Article 6 mandates that this framework be documented, comprehensive, and integrated into the entity’s overall risk management system. Key obligations include classifying all ICT-supported business functions, conducting regular risk assessments, implementing protection and detection measures, and maintaining tested business continuity procedures.

The management body bears direct responsibility. Article 5 requires that the board defines, approves, and oversees the framework. Personal accountability attaches at the highest governance level.

Incident reporting and resilience testing

DORA creates a harmonised incident classification and reporting regime. Major incidents must be reported to the competent authority within strict timeframes: an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. These timelines operate alongside the GDPR breach notification requirements, and many ICT incidents will trigger both obligations simultaneously.

On resilience testing, all entities must implement a testing programme proportionate to their size and risk profile. For significant entities, DORA mandates advanced threat-led penetration testing at least every three years following the TIBER-EU framework.

Third-party risk management and information sharing

The fourth pillar is arguably DORA’s most consequential innovation. Financial entities must maintain a comprehensive register of all contractual arrangements with ICT third-party providers, reported to competent authorities annually. Contracts must contain specific clauses covering service-level descriptions, data location, audit rights, exit strategies, and incident notification obligations.

Entities familiar with GDPR data processing agreements will recognise substantial overlap, but DORA imposes additional requirements around resilience testing access and termination provisions. For ICT providers designated as critical, a Lead Overseer drawn from the EBA, ESMA, or EIOPA conducts direct oversight, including inspections and the imposition of penalty payments.

The fifth pillar encourages participation in cyber threat intelligence sharing among financial entities, subject to applicable confidentiality and data protection rules.

How Does DORA Relate to GDPR?

Financial entities subject to DORA are almost universally subject to GDPR as well. The two regulations operate in parallel, and their requirements converge in several areas.

ICT incident reporting under DORA frequently coincides with personal data breach notification under GDPR. When an incident involves the compromise of personal data, both reporting obligations activate concurrently. Entities need integrated incident response procedures that satisfy both regimes.

Third-party risk management under DORA and processor oversight under GDPR share a common logic: documented contractual arrangements, audit and access rights, and sub-processing transparency. Organisations already using compliance platforms like Legiscope for GDPR find that 60% of DORA documentation requirements overlap with existing data protection records. The Record of Processing Activities required under GDPR provides a substantial foundation for the ICT service register mandated by DORA.

Risk assessment methodologies also converge. The data protection impact assessment process familiar from GDPR compliance programmes and the ICT risk assessment under DORA both require systematic identification of threats, evaluation of severity, and documented mitigation measures.

What Penalties Apply for Non-Compliance?

DORA grants competent authorities broad enforcement powers operating at two levels.

For financial entities, Member States must provide for administrative penalties that are effective, proportionate and dissuasive. Penalties can reach up to 2% of total annual worldwide turnover for the most serious infringements. Competent authorities may also impose periodic penalty payments to compel compliance.

For critical ICT third-party providers subject to direct oversight, the Lead Overseer can impose penalty payments of up to five million euros. For legal persons, this figure can rise to 1% of average daily worldwide turnover per day of non-compliance, for a maximum of six months.

Personal liability is a distinctive feature. Article 50 empowers competent authorities to impose supervisory measures on individual members of the management body, including temporary bans from management functions and public identification of individuals responsible for breaches.

How Should Financial Entities Prepare?

Achieving DORA compliance requires a structured approach across four workstreams that build on one another.

Gap analysis and governance reform

Start with a gap analysis against all five pillars. Map existing ICT risk management, incident reporting, testing, and third-party arrangements against DORA’s specific requirements. This exercise reveals where current practices fall short and where existing controls already satisfy the regulation.

Next, strengthen governance at the board level. Ensure the management body has formally approved the ICT risk management framework and that individual accountability for ICT resilience is clearly assigned. Board members should receive structured reporting on ICT risk posture, incident trends, and testing outcomes. Without visible board engagement, supervisory authorities are unlikely to view an entity’s DORA compliance programme as credible.

Operational integration and contract remediation

Rather than building parallel compliance structures for DORA and GDPR, leverage existing data protection documentation. Unified incident classification procedures, shared third-party registers, and integrated risk assessments reduce operational cost and improve consistency across both regulatory regimes.

Finally, review all existing agreements with ICT third-party providers against DORA’s contractual requirements. Prioritise contracts supporting critical or important functions, and negotiate amendments covering audit rights, exit strategies, subcontracting transparency, and resilience testing access. This is consistently the most time-intensive workstream, given the volume of contracts and the commercial sensitivity of the required changes.

Frequently Asked Questions

Does DORA apply to small financial firms? Yes, although proportionality applies. Microenterprises with fewer than ten employees and turnover below two million euros benefit from a simplified ICT risk management framework under Article 16, while remaining subject to incident reporting and third-party risk obligations.

How do DORA incident reporting timelines compare to GDPR? DORA requires an initial notification within 4 hours of classification, versus GDPR’s 72-hour window from awareness of a personal data breach. When an ICT incident also constitutes a data breach, both timelines run concurrently, making integrated incident response procedures essential.

Can supervisory authorities penalise individual board members? Yes. Article 50 empowers competent authorities to impose measures on individual members of the management body, including temporary bans from management functions. This personal liability dimension underscores the importance of board-level engagement with ICT risk.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.