Introduction
The Digital Operational Resilience Act (DORA) is an EU regulation designed to ensure that financial entities can withstand, respond to, and recover from ICT (“Information and Communication Technology”) disruptions such as cyberattacks, outages, third-party failures, and operational incidents. The Act came into force on 17 January 2025, making compliance mandatory for entities in this sector. This blog explains what DORA compliance looks like in practice and what organisations should expect from regulators and their technology partners.
Why is DORA essential?
DORA compliance is essential because it has helped the EU close a real supervisory gap. Financial services have become highly digital and cross-border. However, ICT and operational resilience requirements in the EU were not fully or consistently harmonised across Member States. This created gaps, overlaps, and uneven expectations that weakened the internal market and, in a crisis, could threaten financial stability and market integrity. DORA sets a single common baseline, so entities are expected to maintain stronger, more consistent controls over technology risk and service continuity, and supervisors can rely on clearer, more comparable oversight across the EU.
Who needs to comply with DORA?
Article 2(1) of DORA lists a wide range of entities that fall within its scope. This includes both financial entities and ICT third-party providers:
1. Financial entities in scope (include but are not limited to)
- Banks and credit institutions
- Payment institutions and e-money institutions
- Investment firms and trading venues
- Asset managers and fund-related entities (including certain management companies)
- Insurance and reinsurance undertakings and intermediaries
- Central securities depositories and other market infrastructure providers
- Crypto-asset service providers (in the EU regulatory framework)
- Certain credit rating agencies and other regulated financial market participants
2. ICT third-party service providers that support financial entities. The scope of DORA extends to third-party providers delivering services that are essential to core operations, such as:
- Cloud infrastructure and hosting
- Cybersecurity services (e.g., SOC, threat monitoring, incident response)
- Core banking service providers
- Trading & payments platforms
- Data analytics, data centres, and network services
- Software-as-a-service tools used for critical or important functions
3. Organisations designated as Critical ICT Third-Party Service Providers (CTPPs) by the competent EU authorities, which fall within DORA's direct oversight regime.
Five Core Pillars of DORA Compliance
1. ICT Risk Management (Chapter 2, Articles 6-16)
DORA requires financial entities to establish an ICT risk management framework to identify, assess, manage, and mitigate ICT-related risks across the organisation. It mandates that this framework be properly documented and reviewed on a regular basis, at least annually, so it remains aligned with changing systems, threats, and dependencies. It encourages financial entities to take proactive steps by defining a clear risk tolerance for ICT disruptions and addressing vulnerabilities early through preventive and detective controls, supported by practical response, backup, and continuity arrangements.
2. Incident management and reporting (Chapter 3, Articles 17-23)
DORA mandates that financial entities report major ICT-related incidents to the relevant competent authorities. It states that financial entities must implement processes and systems to detect, manage, and record all ICT-related incidents and significant cyber threats. The impact of incidents must be classified using consistent criteria such as severity, duration and downtime, geographical spread, affected services or clients, data impact, and economic losses. Along with this, reports should include clear information on the nature of the incident, the cause where known, the impact on operations and customers, and the measures taken to contain the incident and restore services, with updates provided as the situation develops and a final report once resolved.
In practice, the challenge is not only what to report, but how fast a financial entity can classify an incident and submit staged reports with a clear audit trail. The European Supervisory Authorities have finalised the incident reporting timeline as a three-step process:
- Initial notification: as early as possible and within 4 hours of classifying the incident as major, and no later than 24 hours from detection.
- Intermediate report: submit within 72 hours (and provide further updates when the incident status/handling changes materially).
- Final report: submit within 1 month, with full detail on root cause, impact, and remediation.
The Regulation places weight on both the speed of the initial notification and the completeness of the final report once root-cause analysis is complete.
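The staged timeline above, as an added worked example that is not part of the original post or of any regulator's template: a small Python tracker that records a major-incident classification decision against named criteria, computes the due time of each staged report, checks each submission against its deadline, and logs every decision so the audit trail exists before a supervisor asks for it. The criteria names are the categories the text lists, the classification rule is a hypothetical firm policy rather than the regulatory criteria, and the code assumes the intermediate and final clocks start when the preceding report is submitted.

```python
"""Major-incident classification and staged-report deadline tracking.

Illustrative example for a DORA-style incident process. The classification
rule is a hypothetical firm policy, not the regulatory criteria. Deadlines
implement the three-step timeline (4h / 24h initial, 72h intermediate,
1 month final) and ASSUME the intermediate and final clocks start when the
previous report was submitted.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Classification criteria named in the text; each is assessed True/False by
# the incident manager against thresholds in the firm's documented policy.
CRITERIA = (
    "high_severity",        # a critical service is impaired
    "duration_downtime",    # downtime beyond the tolerated window
    "geographical_spread",  # more than one Member State affected
    "affected_clients",     # material number of clients or services hit
    "data_impact",          # confidentiality, integrity or availability of data
    "economic_loss",        # losses above the firm's threshold
)

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def assess_major(flags: dict[str, bool]) -> tuple[list[str], bool]:
    """Hypothetical policy: major if high severity plus at least one other
    criterion, or any three criteria together. Returns (criteria met, major)."""
    unknown = set(flags) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    hits = [c for c in CRITERIA if flags.get(c)]
    major = ("high_severity" in hits and len(hits) >= 2) or len(hits) >= 3
    return hits, major


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    audit_trail: list[dict] = field(default_factory=list)
    classified_at: datetime | None = None
    submitted: dict[str, datetime] = field(default_factory=dict)

    def log(self, at: datetime, actor: str, event: str, **details) -> None:
        """Append one immutable-style record to the audit trail."""
        self.audit_trail.append({"at": at.isoformat(), "actor": actor, "event": event, **details})

    def classify(self, at: datetime, actor: str, flags: dict[str, bool]) -> bool:
        """Record the classification decision and the criteria behind it."""
        hits, major = assess_major(flags)
        self.log(at, actor, "classification", criteria_met=hits, major=major)
        if major:
            self.classified_at = at
        return major

    def deadlines(self) -> dict[str, datetime]:
        """Due time for each stage, given what has been submitted so far."""
        if self.classified_at is None:
            return {}
        due = {"initial": min(self.classified_at + INITIAL_AFTER_CLASSIFICATION,
                              self.detected_at + INITIAL_AFTER_DETECTION)}
        if "initial" in self.submitted:
            due["intermediate"] = self.submitted["initial"] + INTERMEDIATE_AFTER_INITIAL
        if "intermediate" in self.submitted:
            due["final"] = add_one_month(self.submitted["intermediate"])
        return due

    def submit(self, stage: str, at: datetime, actor: str) -> bool:
        """Record a staged report; returns True if it met its deadline."""
        deadline = self.deadlines().get(stage)
        if deadline is None:
            raise RuntimeError(f"{stage} report is not due yet or incident is not major")
        on_time = at <= deadline
        self.submitted[stage] = at
        self.log(at, actor, f"{stage}_report", due=deadline.isoformat(), on_time=on_time)
        return on_time


def demo() -> Incident:
    """Constructed scenario (not real incident data): late classification makes
    the 24h-from-detection cap bind, and the intermediate report slips."""
    utc = timezone.utc
    inc = Incident("INC-0001", detected_at=datetime(2025, 1, 27, 8, tzinfo=utc))
    inc.classify(datetime(2025, 1, 28, 7, tzinfo=utc), "incident_manager",
                 {"high_severity": True, "affected_clients": True})
    inc.submit("initial", datetime(2025, 1, 28, 7, 30, tzinfo=utc), "reporting_officer")
    inc.submit("intermediate", datetime(2025, 1, 31, 9, tzinfo=utc), "reporting_officer")
    return inc


if __name__ == "__main__":
    for entry in demo().audit_trail:
        print(entry)
```

The point of keeping `assess_major` separate from `Incident` is that the classification rule can be reviewed and versioned on its own, while every call leaves a record of which criteria were met and who decided, which is exactly the evidence an informal severity decision cannot produce.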
3. Digital operational resilience testing (Chapter 4, Articles 24-27)
DORA states that financial entities must perform regular and periodic testing of their ICT systems, processes, and controls as part of a digital operational resilience testing programme. These tests have to be carried out by independent parties, either internal or external, and may include activities such as vulnerability assessments, network security assessments, scenario-based testing, and gap analyses. Financial entities that fall under the advanced testing requirements are mandated to perform Threat-Led Penetration Testing (TLPT), which simulates realistic attack scenarios and assesses the effectiveness of controls and response capabilities; this must be conducted at least every three years.
4. ICT third-party risk management (Chapter 5, Articles 28-44)
Chapter 5 of DORA requires financial entities to manage ICT third-party risk through stronger due diligence and oversight of service providers, especially where outsourced services support critical or important functions. DORA uses the concept of “critical or important functions” as a practical threshold for when ICT dependencies require the strongest governance, contractual, and exit controls: as stated in Article 3(22) of the Act, a function is critical or important if its disruption would materially impair financial performance, the continuity or soundness of services, or ongoing compliance with authorisation and regulatory obligations. DORA expects firms to reduce risks arising from third parties by assessing providers upfront and monitoring them on an ongoing basis. Financial entities must also provide the competent authorities with an annual overview of their ICT outsourcing, including the number of new ICT service arrangements, the types of ICT providers used, the contractual arrangement categories, and which ICT services or functions those providers support. They must ensure robust contracts are in place, covering key areas such as security and data protection, incident support and cooperation, access and audit rights, subcontractor controls, and clear exit or termination arrangements. To evidence compliance in a supervisory review, firms typically demonstrate the following core artefacts and controls aligned to Chapter 5 requirements:
ICT dependency mapping and documentation (as per Article 8)
- Classify and document ICT-supported business functions and their dependencies
- Identify and document processes dependent on ICT third-party service providers, including interconnections supporting critical or important functions
- Maintain inventories of those dependencies
Third-party register and upfront criticality assessment
- Article 28(3) requires financial entities to keep a register of all ICT third-party arrangements and to distinguish those supporting critical or important functions
- Assess upfront whether an arrangement supports a critical or important function (Article 28(4)(a))
Enhanced controls and contractual requirements for critical or important functions
- Where the register kept under Article 28(3) identifies an arrangement as supporting a critical or important function, implement stronger controls for it, including exit strategies
- Ensure enhanced contractual protections, including the baseline contract elements and the additional requirements for critical or important functions set out in Article 30(2) and Article 30(3) of the Act
5. Information sharing (Chapter 6, Article 45)
Article 45 of DORA encourages financial entities to exchange cyber threat information and intelligence amongst themselves to strengthen digital operational resilience. This can include sharing practical items such as threat indicators, tactics and techniques, alerts, and defensive measures, typically through trusted communities or formal information-sharing arrangements. These arrangements should be governed by clear participation conditions and appropriate safeguards, and financial entities must notify the competent authorities when they join an information-sharing arrangement. The aim is to help firms detect threats earlier and respond more consistently across the sector, while ensuring that any sharing is done responsibly and in line with confidentiality, data protection, and other legal obligations.
Common Pitfalls
There are several common pitfalls for financial entities under DORA, especially during early implementation. Typical examples are:
- Treating DORA as an IT-only exercise: DORA is not limited to security controls. It requires clear governance and cross-functional ownership across IT, risk, compliance, and procurement.
- Not being ready to report within tight timelines: Many firms can investigate incidents, but struggle to classify and notify quickly. DORA reporting works in stages, so the process must support early notification and controlled updates.
- Inconsistent major-incident classification: If the severity is decided informally, reporting becomes inconsistent and hard to evidence. Firms should use defined criteria and maintain a clear record of classification decisions.
- Incomplete visibility of third-party ICT dependencies: Organisations often track direct suppliers but miss underlying ICT dependencies and subcontractors, especially those supporting critical or important functions.
- Contracts that do not meet DORA expectations: Contracts should clearly cover security and data protection, incident support and cooperation, access and audit rights, subcontractor controls, and clear exit or termination arrangements.
- Exit strategies that are not operational: Exit plans are often documented but not practical. Firms should be able to execute a controlled transition or termination for services supporting critical or important functions.
- Not aligning with regulator processes: Even where requirements are harmonised, reporting and notification mechanics may vary by competent authority, so firms should document how submissions are made and test the process.
- Information sharing without structure: Threat intelligence sharing is encouraged, but it should be done through trusted arrangements without compromising confidentiality and data protection safeguards.
Penalties for Non-Compliance under DORA
Financial entities and ICT third-party providers are liable to penalties under DORA. These can be:
- Administrative (civil) penalties: There are no fixed penalty amounts for non-compliance under DORA. As per Article 50(3), Member States must set effective, proportionate and dissuasive administrative penalties and remedial measures.
- Criminal Penalties: DORA allows Member States to apply criminal penalties for breaches under national law as per Article 52.
- Penalties for critical third-party providers: As per Article 35(8), violations by critical third-party providers can be charged periodic penalty payments of up to 1% of average daily worldwide turnover, for up to 6 months.
- Suspension of service from critical third-party providers: Article 42(6) states that if the identified risks are not adequately addressed, the competent authority may, as a last resort, require the financial entity to temporarily suspend or stop using a service provided by a critical ICT third-party provider until those risks are remedied.
Conclusion
With DORA, EU regulators have streamlined previously inconsistent resilience standards across member states. By setting one common baseline, DORA pushes financial entities to treat ICT risk, incident readiness, testing, and third-party dependency as part of day-to-day governance rather than a periodic compliance exercise. If organisations implement these processes and maintain a clear evidence trail of how digital resilience is embedded in their operations, it will strengthen customer trust, reduce disruption risk, and put the firm in a stronger position with supervisory authorities.
How can Data Secure help you?
Perform gap assessment
We assess your current ICT risk, incident, and third-party practices against DORA and identify clear, prioritised gaps.
Policy and documentation support
We help you create or update the key DORA policies, procedures, and supporting documentation so they remain consistent, regularly reviewed, and ready for audit and supervisory scrutiny.
Third-party and vendor compliance support
We help you map ICT third-party dependencies and strengthen due diligence, oversight, and contractual controls for services supporting critical or important functions.
Security and risk mitigation
We help you implement incident response processes covering detection, escalation, investigation, and regulatory reporting, including DORA-aligned ICT incident classification and reporting where applicable, supported by standard reporting templates.
We at Data Secure (Data Privacy Automation Solution) can help you understand Privacy and Trust while lawfully processing personal data, and provide Privacy Training and Awareness sessions to increase the privacy quotient of your organisation.
We can design and implement RoPA, DPIA and PIA assessments to meet compliance requirements and mitigate risks under privacy laws across the globe, in particular GDPR, the UK DPA 2018, CCPA, and India's Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.
For downloading the various Global Privacy Laws kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025
We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. Our site provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025.
We provide in-depth solutions and content on AI risk assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To know more, kindly visit AI Nexus: Your Trusted Partner in AI Risk Assessment and Privacy Compliance (AI-Nexus).