Maintain your Register of Information, run threat-led penetration testing, manage ICT third-party risk and report major ICT incidents — the digital operational resilience DORA expects, in one workspace.
Key dates
In force since 16 January 2023; applies since 17 January 2025
Who must comply
Banks, insurers, investment firms and other EU financial entities — plus their ICT providers
Penalties
Set by Member States under Art. 50: effective, proportionate and dissuasive; periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT providers (Art. 35(6))
DORA applies to a broad range of financial entities under Article 2, and brings ICT third-party service providers — including those designated critical — into scope. Proportionality applies for microenterprises. This is guidance, not legal advice.
DORA unifies digital operational resilience for the EU financial sector across five pillars:
Run an ICT risk-management framework under an accountable management body, covering protection, detection, response and recovery.
Classify ICT-related incidents by severity and report major incidents to your competent authority through an initial, intermediate and final report.
Maintain a testing programme; significant entities perform threat-led penetration testing (TLPT) at least every three years.
Manage ICT third-party risk across the lifecycle, hold the mandatory contractual provisions, and maintain a Register of Information on every ICT-services arrangement.
Turn the five pillars into tracked, evidence-backed registers and programmes — without spreadsheets.
Build and maintain your Article 28 Register of Information on all ICT contractual arrangements, ready to report to your authority.
Plan and track threat-led penetration testing across the multi-year cycle, with scope, phases and findings in one place.
Classify ICT-related incidents by severity and prepare the major-incident notifications your competent authority expects.
Reuse ICT controls across NIS2, the EU AI Act and ISO 42001 through the framework-mapping engine.
DORA applies to a broad range of EU financial entities — including banks, payment and e-money institutions, investment firms, insurers and reinsurers, fund managers, central securities depositories, trading venues and crypto-asset service providers — and to the ICT third-party service providers that support them, with a direct EU oversight regime for those designated critical.
DORA entered into force on 16 January 2023 and has applied since 17 January 2025.
Under Article 28(3), every financial entity must maintain a Register of Information documenting all contractual arrangements for the use of ICT services from third-party providers, at entity, sub-consolidated and consolidated level. Competent authorities can request the full register at any time, and entities report on it to them at least yearly.
TLPT (Article 26, within the testing chapter of Articles 24–27) is advanced, intelligence-led testing that mimics the tactics, techniques and procedures of real attackers against live production systems. Financial entities identified by their competent authority under Article 26(8) must perform it at least once every three years, following the TIBER-EU-aligned requirements of the TLPT regulatory technical standards.
Member States set the administrative penalties for non-compliance, which must be effective, proportionate and dissuasive (Article 50); the Regulation itself fixes no turnover-based cap for financial entities, so the amounts depend on national law. The one turnover-based figure in the Regulation concerns critical ICT third-party providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months (Article 35(6)).
Take the free self-assessment to map your DORA readiness in a few minutes — no account required.