Quick answer: The Digital Operational Resilience Act (DORA) became enforceable on January 17, 2025. It requires financial entities and their ICT providers in the EU to implement strict cybersecurity, incident reporting, and resilience testing measures. Unlike GDPR, DORA is a regulation (directly applicable — no national transposition needed).
What Is DORA?
DORA (Regulation (EU) 2022/2554) establishes a unified framework for digital operational resilience across the EU financial sector. It ensures that banks, insurance companies, investment firms, and their technology providers can withstand, respond to, and recover from ICT-related disruptions and cyber threats.
Who Must Comply?
| Entity Type | Examples | Must comply? |
|---|---|---|
| Banks & credit institutions | All EU-licensed banks | Yes |
| Insurance & reinsurance | All EU-regulated insurers | Yes |
| Investment firms | MiFID-regulated firms | Yes |
| Payment institutions | PSPs, e-money issuers | Yes |
| Crypto-asset service providers | MiCA-regulated entities | Yes |
| Crowdfunding platforms | EU-regulated platforms | Yes |
| ICT third-party providers | Cloud providers, SaaS, fintech tools | Yes (critical providers) |
| Microenterprises (<10 employees) | Small fintechs | Simplified regime |
The 5 Pillars of DORA Compliance
Pillar 1: ICT Risk Management (Articles 5-16)
- Establish a comprehensive ICT risk management framework
- Identify, classify, and document all ICT assets and dependencies
- Implement protection measures: encryption, access controls, patch management
- Define detection mechanisms: monitoring, logging, anomaly detection
- Create response & recovery plans with defined RTOs and RPOs
- Assign a dedicated function for ICT risk management (or CISO)
- Management body responsibility — board members are personally accountable
Pillar 2: ICT Incident Reporting (Articles 17-23)
- Classify incidents by severity (major vs non-major)
- Initial notification within 4 hours of classifying a major incident
- Intermediate report within 72 hours
- Final report within 1 month
- Report to the competent authority (national financial regulator)
- Voluntary reporting for significant cyber threats
Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
- Basic testing: Vulnerability assessments, network security testing, gap analyses — at least annually
- Advanced testing (TLPT): Threat-Led Penetration Testing every 3 years for significant financial entities
- TLPT must follow the TIBER-EU framework
- Tests must cover critical ICT systems and be performed by qualified independent testers
Pillar 4: Third-Party Risk Management (Articles 28-44)
- Maintain a register of all ICT third-party contracts
- Perform due diligence before contracting with ICT providers
- Include mandatory contractual clauses: audit rights, incident notification, subcontracting limits, exit strategies
- Critical ICT providers (designated by ESAs) are subject to direct EU-level oversight
- Concentration risk assessment — avoid over-dependence on a single provider
Pillar 5: Information Sharing (Article 45)
- Participate in voluntary cyber threat intelligence sharing arrangements
- Share anonymized threat data with peers and authorities
- Establish information exchange agreements with appropriate safeguards
DORA Compliance Checklist
| # | Action | Pillar | Priority |
|---|---|---|---|
| 1 | Appoint ICT risk management function / CISO | 1 | Critical |
| 2 | Document all ICT assets, systems, and dependencies | 1 | Critical |
| 3 | Create/update ICT risk management policy | 1 | Critical |
| 4 | Implement incident classification framework | 2 | Critical |
| 5 | Set up 4-hour incident notification process | 2 | Critical |
| 6 | Build ICT third-party provider register | 4 | High |
| 7 | Review all ICT contracts for DORA-required clauses | 4 | High |
| 8 | Conduct annual resilience testing program | 3 | High |
| 9 | Assess concentration risk for critical providers | 4 | High |
| 10 | Train board/management on ICT risk responsibilities | 1 | High |
| 11 | Define business continuity & disaster recovery plans | 1 | High |
| 12 | Plan first TLPT (if significant entity) | 3 | Medium |
| 13 | Establish information sharing arrangements | 5 | Medium |
| 14 | Review exit strategies for critical ICT providers | 4 | Medium |
DORA vs GDPR vs NIS2: Key Differences
| Aspect | DORA | GDPR | NIS2 |
|---|---|---|---|
| Focus | Financial sector ICT resilience | Personal data protection | Network & information security |
| Scope | Financial entities + their ICT providers | All organizations processing EU personal data | Essential & important entities (broad sectors) |
| Type | Regulation (directly applicable) | Regulation (directly applicable) | Directive (requires national transposition) |
| Incident reporting | 4 hours (initial), 72h, 1 month | 72 hours to DPA | 24 hours (early warning), 72h, 1 month |
| Fines | Up to 1% of avg daily worldwide turnover (critical providers: up to €5M) | Up to €20M or 4% of revenue | Up to €10M or 2% of revenue |
| Testing | Annual + TLPT every 3 years | No specific testing requirement | Risk-appropriate measures |
Impact on Website Compliance
If you're a financial entity or an ICT provider to the financial sector, DORA impacts your website and online services:
- Security headers: Mandatory implementation of CSP, HSTS, X-Frame-Options — scan your headers with PrivacyChecker
- Third-party scripts: Every external dependency (analytics, fonts, CDNs) must be documented and risk-assessed
- Incident response: Your website is a critical ICT system — downtime and breaches must be reported
- Penetration testing: Customer-facing web applications must be included in resilience testing
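A practitioner reviewing the first bullet above will want something more than a "present or absent" check for CSP, HSTS and X-Frame-Options. The following Python script is an added example (not code from the original page or from PrivacyChecker) that audits a dictionary of HTTP response headers: it parses the HSTS `max-age`, flags weak CSP script sources, and validates X-Frame-Options. The one-year `max-age` floor and the list of weak CSP tokens are assumed thresholds chosen for illustration, not values taken from DORA; the two header sets are constructed samples, not captured from any real site.

```python
import re
from typing import Callable, Dict, List

# One year in seconds: the HSTS max-age floor used here (an assumed threshold
# matching the common preload-list recommendation, not a DORA requirement).
HSTS_MIN_MAX_AGE = 31536000


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]} (all lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_hsts(value: str) -> List[str]:
    """Require a max-age of at least one year and includeSubDomains."""
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("no max-age directive")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age {m.group(1)} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains not set")
    return findings


def check_csp(value: str) -> List[str]:
    """Flag script sources that let the policy be bypassed (assumed weak-token list)."""
    policy = _parse_csp(value)
    # script-src governs scripts; default-src is the fallback when it is absent.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        return ["neither script-src nor default-src defined"]
    findings = []
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if weak in script_sources:
            findings.append(f"script sources allow {weak}")
    return findings


def check_x_frame_options(value: str) -> List[str]:
    """Only DENY and SAMEORIGIN are meaningful values for this header."""
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return []
    return [f"unexpected value {value!r} (expected DENY or SAMEORIGIN)"]


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_x_frame_options,
}


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {header-name: [findings]}; an empty list means the header passed."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report: Dict[str, List[str]] = {}
    for name, check in CHECKS.items():
        report[name] = check(present[name]) if name in present else ["missing"]
    return report


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for name, findings in audit_headers(hdrs).items():
            print(f"  {name}: {', '.join(findings) or 'ok'}")
```

To run it against a live service, feed `audit_headers` the header dictionary returned by your HTTP client; keeping the checks as pure functions over a dictionary is what makes them easy to run in a scheduled job and to keep as evidence for the annual testing record.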
Frequently Asked Questions
Does DORA apply to fintech startups?
Yes, if you're an EU-regulated financial entity (even a small payment institution or e-money issuer). However, microenterprises (<10 employees, <€2M turnover) benefit from a simplified ICT risk management framework under Article 16.
Does DORA apply to SaaS providers used by banks?
Yes. If your SaaS product is used by financial entities for critical or important functions, you're an "ICT third-party service provider" under DORA. You must be prepared for: contractual audit rights, incident notification obligations, and possibly direct oversight by European Supervisory Authorities (if designated as "critical").
What are the fines for DORA non-compliance?
Individual financial entities face enforcement by their national regulator (which can impose fines, suspend activities, or revoke licenses). Critical ICT third-party providers face fines of up to 1% of average daily worldwide turnover per day, or up to €5 million for natural persons.