Digital Operational Resilience Act
ICT Resilience for the Financial Sector

DORA establishes uniform, mandatory requirements for digital operational resilience for the entire European financial sector – from credit institutions to insurers to ICT third-party providers. A comprehensive framework for ICT risk management, testing and third-party governance.


What is DORA?

Regulation (EU) 2022/2554 sets uniform requirements for digital operational resilience for practically the entire European financial sector. The goal is to strengthen resilience against ICT disruptions and cyber incidents – with harmonized rules instead of a patchwork of national requirements.


Scope

DORA applies to financial entities and ICT third-party providers. The regulation harmonizes previously fragmented requirements for reporting, testing and third-party risk in a coherent framework – lex specialis to NIS2 for the financial sector.

Financial Institutions

Credit institutions, payment and e-money institutions, investment firms. Full application of all DORA requirements, including ICT risk management, testing and third-party risk.

Insurers & Pension Funds

Insurance/reinsurance companies, IORPs. Comprehensive ICT resilience obligations. Proportionality for smaller entities, but minimum standards for all. Special requirements for critical ICT systems.

Market Infrastructures

Trading venues, CCPs, CSDs, trade repositories. Systemically important infrastructures with highest resilience requirements. TLPT mandatory, intensive supervision, no proportionality.

Asset Managers & Crypto

AIFMs, UCITS management companies, crypto asset service providers. DORA compliance for all managed vehicles. ICT third-party risk is particularly relevant for custody and administration.

ICT Third-Party Providers

Cloud, software, data center services. Critical providers subject to EU oversight (EBA/EIOPA/ESMA). Lead Overseer with inspection/sanction powers. Third-country providers must establish EU subsidiary.

Proportionality

Simplifications for micro-entities. Microenterprises and small institutions receive reduced obligations (e.g. no TLPT). Nevertheless: minimum resilience standards apply to all.

The 5 Core Pillars of DORA

DORA structures digital operational resilience into five pillars – from ICT risk management to incident reporting to third-party risk management.

  1. ICT Risk Management

Comprehensive framework across entire lifecycle

  • Governance (board responsibility), strategy, inventories
  • Protection/prevention, detection, response/recovery
  • BCP, tests, audits, continuous improvement
  • Documented policies, KPIs/KRIs, annual reviews

  2. Incident Reporting

Harmonized reporting of major ICT incidents

  • Direct reporting to competent authority
  • Coordination with CSIRTs, data protection/law enforcement authorities
  • Unified taxonomy/thresholds via ESA standards
  • Fast information flow to financial supervisors

  3. Digital Resilience Testing

Broad testing spectrum up to TLPT

  • From vulnerability scans to Threat-Led Penetration Testing (TIBER-EU-oriented)
  • TLPT for large/systemically relevant institutions
  • Mutual recognition
  • Internal red teams possible, threat intel external

  4. ICT Third-Party Risk

Strategy, register, due diligence, contracts

  • Financial institution remains fully responsible
  • Minimum contract contents: SLAs, locations, audit/access/exit rights
  • Sub-contracting, resolution resilience
  • Concentration analysis mandatory

  5. EU Oversight for Critical Providers

Supervisory framework for systemically relevant ICT third-party providers

  • Lead Overseer (EBA/EIOPA/ESMA) with investigation/inspection/sanction powers
  • Critical third-country providers: EU subsidiary within 12 months
  • Enforceability ensured

ICT Risk Management in Detail

Chapter II (Art. 5-16) defines comprehensive requirements for governance, protection, detection, response and recovery. The board bears ultimate responsibility – ICT resilience becomes a board-level issue.

Governance & Board Responsibility

Board bears ultimate responsibility

  • Setting strategy, risk tolerance, budgets
  • Policies, roles, reporting channels, audit plans
  • Measurable KPIs/KRIs
  • Annual reports
  • ICT resilience anchored as strategic topic at board level

Inventories & Asset Management

Complete stocktaking

  • Inventories of functions, information/ICT assets, dependencies, third-party links
  • Annual risk assessments including legacy systems
  • CMDB mandatory for critical components

Protection & Prevention

Policies for network/infrastructure management

  • Access rights, strong authentication
  • Crypto/key management, change/patch processes
  • Network segmentation, severing capability for containment
  • Hardening of critical systems

Detection & Monitoring

Multi-layered detection mechanisms

  • Defined thresholds, alerting
  • Resources for monitoring user activities/anomalies/incidents
  • 24/7 capability
  • SIEM/SOC integration
  • Threat intelligence feeds

Response & Recovery

ICT-BCP and response/recovery plans

  • Business impact analysis, scenarios (including cyberattacks, switchover)
  • Tested backups/redundancy, RTO/RPO targets
  • Forensic checks, crisis communication, audit trails
  • Annual tests mandatory

Learning & Evolution

Post-incident reviews, lessons learned

  • Feeding into continuous improvement
  • Awareness training for all employees
  • Monitoring of technological developments
  • Annual reports to board with action plan

Incident Reporting Obligations

DORA harmonizes reporting obligations for major ICT incidents across the entire financial sector. Direct reporting to competent authority, coordinated with CSIRTs and data protection authorities. Unified taxonomy and thresholds.

Major ICT Incidents

Definition via ESA standards

  • Severe impairment of ICT systems
  • Impairment of availability, integrity or confidentiality of financial services
  • Impact on business operations, financial position or reputation

Reporting Chain

Direct reporting to competent authority

  • Coordination with CSIRT, data protection and law enforcement authorities
  • Harmonized process instead of double reporting
  • Single point of contact
  • Confidentiality maintained

Taxonomy & Thresholds

Unified classification

  • ESA regulatory standards define taxonomy, thresholds, formats
  • Comparability across jurisdictions
  • Incident categories: cyberattack, system/network outage, data integrity loss, third-party disruption

Threat Intelligence Sharing

Voluntary threat reporting

  • DORA encourages trust-based exchange of threat intelligence in “trusted environments”
  • In compliance with GDPR/competition law
  • Strengthen prevention and collective response capability

Digital Resilience Testing

Chapter IV requires a broad testing spectrum – from vulnerability scans to demanding Threat-Led Penetration Tests (TLPT) following TIBER-EU principles. Mandatory for large and systemically relevant institutions.

Vulnerability Assessments

Regular vulnerability scans

  • Mandatory for all financial institutions
  • At least annually, more frequently for material changes
  • Automated scans + manual validation
  • Remediation tracking with deadlines

Penetration Testing

Simulated attacks on systems

  • Scenario-based testing of security controls
  • Internal teams or external specialists
  • Test scope: network, application, social engineering
  • Findings with severity rating

TLPT: Threat-Led Penetration Testing

Highest test level following TIBER-EU/G7 principles

  • For large/systemically relevant/ICT-mature institutions
  • Intelligence-based red team attacks
  • External threat intel mandatory
  • Pooled testing with conditions possible
  • Mutual recognition between jurisdictions

Test Governance & Documentation

Test program with multi-year plan

  • Board approval for TLPT scope
  • Scoping phase, data flow diagrams, crown jewels identification
  • Test reports to board
  • Remediation plans with implementation tracking
  • Follow-up tests after material changes

ICT Third-Party Risk Management

Chapter V, Section I defines comprehensive requirements for managing ICT third-party risks. Financial institutions remain fully responsible – even when outsourcing critical functions.

Register & Inventory

Mandatory complete register of all ICT contracts

  • Recording of critical/important contractual relationships
  • Information: provider, services, locations, data processing, criticality, concentration risks
  • Regular updates
  • Available for supervisors

Pre-Contract Due Diligence

Systematic review before contract signing

  • Security assessments, certifications, audit reports
  • Financial stability, jurisdiction, sub-contracting
  • Risk assessment including concentration risks
  • Analyze exit complexity

Minimum Contract Contents

DORA defines mandatory clauses

  • Detailed service description/SLAs, locations/data processing
  • Complete audit/access rights (including supervisors)
  • Cooperation with authorities
  • Mandatory exit strategies with transition periods
  • Resolution resilience (non-termination)

Sub-Contracting Control

Transparency about sub-contractors

  • Provider must disclose sub-contracting
  • Financial institution must assess sub-contractor risks
  • Audit rights extend to sub-contractors
  • No critical functions outsourced without approval

Concentration Analysis

Assessment of provider concentrations

  • Identify single-provider dependencies
  • Cumulative exposure across portfolio
  • “Too-big-to-fail” third-party providers
  • Strategies for concentration reduction: multi-sourcing, diversification, exit capability
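As an added illustration (not code from this page or from ayedo) of how the contract register feeds the concentration analysis described above: a small Python script over a constructed ICT contract register that finds critical functions depending on a single provider, cumulative exposure per provider, and third-country providers behind critical functions. The register fields, provider names and exposure threshold are assumptions, not DORA-prescribed values.

```python
from collections import Counter, defaultdict

# Constructed sample register of ICT contractual arrangements (hypothetical providers
# and functions, not real data). Each entry records the provider, the contracted
# service, the business function it supports, whether that function is critical or
# important, and whether the provider operates from a third country (outside the EU).
REGISTER = [
    {"provider": "CloudCo", "service": "IaaS hosting", "function": "core banking",
     "critical": True, "third_country": True},
    {"provider": "CloudCo", "service": "object storage", "function": "backups",
     "critical": True, "third_country": True},
    {"provider": "EUHost", "service": "IaaS hosting", "function": "core banking",
     "critical": True, "third_country": False},
    {"provider": "PayRail", "service": "payment gateway", "function": "payments",
     "critical": True, "third_country": False},
    {"provider": "MailSaaS", "service": "e-mail", "function": "internal comms",
     "critical": False, "third_country": True},
]


def single_provider_dependencies(register):
    """Critical functions served by exactly one provider, i.e. no substitutability."""
    providers = defaultdict(set)
    for e in register:
        if e["critical"]:
            providers[e["function"]].add(e["provider"])
    return {f: next(iter(p)) for f, p in providers.items() if len(p) == 1}


def provider_exposure(register):
    """Cumulative exposure: how many critical functions each provider supports."""
    return Counter(e["provider"] for e in register if e["critical"])


def third_country_critical_providers(register):
    """Non-EU providers that support at least one critical function."""
    return sorted({e["provider"] for e in register
                   if e["critical"] and e["third_country"]})


def concentration_report(register, max_critical_per_provider=1):
    """Flag providers whose exposure exceeds an assumed institution-specific
    tolerance and attach the reduction levers named on the page (multi-sourcing,
    exit capability) as follow-up actions."""
    exposure = provider_exposure(register)
    concentrated = sorted(p for p, n in exposure.items() if n > max_critical_per_provider)
    return {
        "single_provider": single_provider_dependencies(register),
        "concentrated_providers": concentrated,
        "third_country_critical": third_country_critical_providers(register),
        "actions": {p: "multi-sourcing or documented exit plan" for p in concentrated},
    }


if __name__ == "__main__":
    for key, value in concentration_report(REGISTER).items():
        print(f"{key}: {value}")
```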

Third-Country Risks

Special diligence for non-EU providers

  • Jurisdictional risks (extraterritorial access)
  • Political/economic risks
  • Enforceability of EU law
  • Data transfer mechanisms (SCCs, Adequacy)
  • Ensure supervisory access

EU Oversight Framework for Critical ICT Providers

Chapter V, Section II establishes an EU supervisory framework for critical ICT third-party providers. Lead Overseer (EBA/EIOPA/ESMA) with comprehensive powers – from inspections to sanctions.

Designation as Critical

Systematic relevance assessment

  • Criteria: systemic relevance for financial sector, substitutability, concentration risk
  • Complexity of service
  • Dependencies between financial institutions
  • Designation by Joint Committee of ESAs

Lead Overseer Powers

Comprehensive supervisory powers

  • General investigations, on-/off-site inspections
  • Document requests, interviews with management/staff
  • Recommendations with follow-up monitoring
  • Sanction mechanisms for non-compliance

Third-Country Providers: EU Presence

Mandatory EU subsidiary

  • Critical third-country providers must establish EU subsidiary within 12 months
  • No data localization requirement, but enforceability of EU law
  • Oversight through EU subsidiary

Reporting & Transparency

Regular reports to Lead Overseer

  • Sub-outsourcing register, incident reports, material changes, risk assessments
  • Ad-hoc reports for material events
  • Participation in industry consultations
  • Cooperation with national authorities

ayedo and DORA

Our Software Delivery Platform and Managed Services systematically support financial institutions with DORA compliance – from ICT risk management to testing to third-party risk management.

ICT Risk Management Framework

ISO 27001-certified processes

  • ISMS-based operations model with documented policies
  • Change management, incident tracking
  • KPI/KRI dashboards, asset inventories (CMDB integration)
  • Annual reviews
  • Board-suitable reporting formats

Protection & Hardening

Zero-trust architecture, strong authentication

  • Network segmentation via Kubernetes policies
  • MFA/OIDC integration
  • Secrets management with customer-managed keys
  • GitOps-based change control
  • Automated patch management with policy gates

24/7 Detection & Monitoring

Comprehensive observability stack

  • Metrics, logs, traces with standardized interfaces
  • Defined alerting thresholds, escalation runbooks
  • 24/7 SOC integration
  • MTTA/MTTR tracking
  • Threat intelligence feeds
  • SIEM integration possible

BCP & Disaster Recovery

Tested backup/restore processes

  • Multi-AZ/region designs, documented RTO/RPO targets
  • Automated backups with standards-compliant object storage
  • Point-in-time recovery
  • Annual DR tests including switchover scenarios
  • Forensic backup retention
  • Segregated restore networks

Incident Response & Reporting Chains

Structured incident processes

  • Triage thresholds for “major ICT incidents”, 24/72h reporting paths
  • Coordination with authorities/CSIRTs
  • Incident timeline documentation
  • Post-incident reviews
  • Lessons-learned integration
  • Crisis comms playbooks

Digital Resilience Testing

Test infrastructure for vuln scans to TLPT

  • Staging environments for purple/red team tests
  • Policy gates in CI/CD
  • TLPT readiness: scoping support, data flow diagrams, crown jewels mapping
  • Partner network for external threat intel
  • Remediation tracking

DORA-Compliant Contract Clauses

Standard clause library

  • Detailed SLAs, location/data processing disclosure
  • Complete audit/access rights (including supervisory authorities)
  • Sub-contracting transparency
  • Exit strategies with transition periods
  • Resolution resilience (non-termination/suspension)

EU Sourcing & Jurisdiction

EU-only operating models available

  • Minimizing third-country risks
  • EU-based operations, GDPR compliance
  • Provider independence
  • Concentration reduction through multi-cloud designs
  • Transparency across entire sub-supplier chain

DORA Enablement Packages

Turnkey compliance roadmaps

  • ICT strategy templates, KPI/KRI sets
  • Inventory/CMDB integration
  • Change/patch policies, crisis comms plans
  • ICT contract register, pre-contract DD checklists
  • Board-level reporting
  • Audit preparation

DORA in Regulatory Context

DORA is part of the comprehensive EU digital/cybersecurity ecosystem. It integrates with NIS2, CRA, Cloud Sovereignty Framework, Data Act and other EU regulations.

DORA vs. NIS2

DORA is lex specialis for financial sector

NIS2 applies in principle to critical/important entities; DORA specifies and expands for financial institutions. No double compliance: DORA-compliant financial entities typically also fulfill NIS2.


DORA & Cyber Resilience Act

Complementary at product/operations level

CRA addresses cybersecurity of products with digital elements (software, hardware). DORA requires operational resilience when using these products in the financial sector. Together: secure products + resilient operations.


DORA & Cloud Sovereignty

Digital sovereignty as risk mitigator

The EU Cloud Sovereignty Framework evaluates independence, control and exit capability – factors that directly address DORA third-party risks. EU-based, sovereign ICT stacks reduce jurisdictional and concentration risks.


DORA & Data Act

Data portability and lock-in avoidance

The Data Act requires technical/contractual measures against vendor lock-in – directly relevant for DORA exit strategies with ICT third-party providers. Interoperability and standardized interfaces become the regulatory standard.


DORA & GDPR

Complementary requirements

GDPR focuses on data protection and privacy. DORA addresses ICT resilience and availability. Overlaps: incident reporting (DORA to financial supervisors, GDPR to DPA), security measures (Art. 32 GDPR). Coordinated compliance required. DORA compliance presupposes GDPR-compliant data processing.


Sector-Specific Integration

Integration with banking supervision/insurance law

DORA complements CRR/CRD (Banking), Solvency II (Insurance), MiFID II (Investment Firms). ICT risk management as part of operational risk. ESAs (EBA/EIOPA/ESMA) as lead supervisors. Coherent regulatory frameworks.

ayedo Compliance Overview

Comprehensive compliance approach

How ayedo systematically addresses DORA, NIS2, CRA, GDPR, ISO 27001 and other standards. Certifications, processes, technical measures and audit readiness – find our complete compliance roadmap here.


Strategic Implications

DORA fundamentally changes how financial institutions manage ICT risks, govern third-party providers and test resilience. From board responsibility to exit strategy – here are the core implications.

Board Liability & Governance

ICT resilience becomes a board-level issue

  • Board bears ultimate responsibility
  • Strategy, risk tolerance, budgets must be defined
  • Measurable KPIs/KRIs
  • Annual board reports on ICT risks
  • Non-compliance can lead to personal liability

Engineering Discipline

Comprehensive documentation mandatory

  • Complete asset inventories, data flow diagrams, dependency maps
  • Segmented architectures, credential/key management
  • Change/patch processes demonstrable
  • Signed artifacts
  • RTO/RPO defined and tested

Operations & Runbooks

24/7 monitoring/detection mandatory

  • Crisis communication, incident/major incident processes with clear thresholds
  • Reporting paths to authorities
  • Annual tests (BCP, DR, TLPT)
  • Post-mortems and lessons-learned integration

Sourcing & Contracts

Consistent DORA clauses required

  • Audit/access/exit rights, data flows/locations
  • Sub-contracting disclosure, resolution resilience
  • Register of all ICT contracts
  • Strategically address concentration risks
  • Multi-sourcing where critical

Testing Intensity

From vuln scans to TLPT

  • Regular penetration tests
  • TLPT for large/systemic institutions (intelligence-based red teams)
  • Mutual recognition between EU states
  • Remediation tracking with board oversight
  • Test roadmap over multiple years

Oversight Exposure

Critical ICT providers under direct supervision

  • Hyperscalers/cloud providers can be designated as “critical third-party providers”
  • Lead Overseer with inspection/sanction powers
  • Third-country providers: EU subsidiary within 12 months
  • Compliance effort increases