DORA Compliance for Banks: ICT Risk Management Requirements
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been fully applicable since 17 January 2025, and for banks it is no longer a project on the horizon — it is a live supervisory expectation. For credit institutions, DORA reframes IT security from an operational concern owned by the CISO into a board-level resilience obligation with hard reporting deadlines, mandatory testing, and direct oversight of the cloud and software vendors banks depend on.
This guide sets out what DORA actually requires of banks: who is in scope, the five pillars, the incident-reporting clock, the testing regime, and how third-party oversight works — with a practical roadmap to evidence compliance. It is written for compliance, risk, and ICT teams at banks and credit institutions.
Does DORA apply to my bank?
Yes. Credit institutions are expressly within DORA's scope, alongside payment and e-money institutions, investment firms, crypto-asset service providers, insurers, and many others — around 20 categories of financial entity in total. DORA applies directly as an EU regulation, so it took effect uniformly across all Member States without national transposition.
DORA does build in proportionality: requirements scale with an entity's size, risk profile, and the nature and complexity of its services. A simplified ICT risk-management framework is available to certain small and non-interconnected entities — but large and significant banks sit firmly at the full-requirements end of the spectrum.
The five pillars of DORA for banks
DORA is built on five interlocking pillars. Banks need evidence across all of them.
1. ICT risk management
The foundation. Under DORA's risk-management provisions, a bank must maintain a documented ICT risk-management framework covering identification, protection, detection, response, and recovery. Critically, DORA makes the management body ultimately responsible: the board must approve the framework, set the bank's risk tolerance for ICT disruption, and stay informed. ICT risk can no longer be quietly delegated and forgotten — it is a governance obligation.
2. ICT-related incident reporting
Banks must classify ICT-related incidents using DORA's criteria and report major incidents to their competent authority on a strict timeline. Under the technical standards, the initial notification is due no later than 4 hours after the incident is classified as major (and within 24 hours of the bank becoming aware of it), followed by an intermediate report as the situation develops and a final report once root-cause analysis is complete. The objective is harmonised, timely supervisory visibility — and the deadlines are tight enough that banks need pre-built classification and escalation playbooks, not ad-hoc decisions mid-incident.
3. Digital operational resilience testing
Banks must run a testing programme that includes vulnerability assessments, scenario-based tests, and reviews on at least an annual basis. Significant institutions face a higher bar: threat-led penetration testing (TLPT), based on the TIBER-EU framework, at least every three years, carried out by qualified testers against live production systems. TLPT is where many banks discover the gap between their documented resilience and their actual resilience.
4. ICT third-party risk management
This is the pillar with the biggest operational footprint for banks. DORA requires institutions to:
- maintain a **register of information** on all contractual arrangements with ICT third-party providers;
- ensure contracts contain DORA-mandated provisions (audit and access rights, sub-outsourcing controls, security, exit strategies);
- assess **concentration risk** before relying on a single provider for critical functions; and
- maintain **documented exit strategies** for critical ICT services.
Above the entity level, the EU's supervisory authorities now directly oversee Critical ICT Third-Party Providers (CTPPs) — the major cloud and software vendors — but the obligation to manage each vendor relationship still sits with the bank.
5. Information sharing
The fifth pillar encourages financial entities to share cyber-threat intelligence among trusted communities. Unlike the others, this pillar is voluntary — but supervisors increasingly view active participation as a marker of maturity.
What supervisors expect from banks specifically
Beyond the pillars, examiners are focusing on a few areas where banks frequently fall short:
- **Board ownership and evidence.** Minutes, approved policies, and a clear risk-tolerance statement showing the management body engaged with ICT risk — not a framework signed off in name only.
- **A complete and accurate register of information.** The third-party register is one of the first artefacts a supervisor will ask for, and gaps are immediately visible.
- **Tested incident playbooks.** Demonstrable classification logic and escalation paths that meet the 4-hour clock.
- **Exit and concentration analysis** for critical cloud dependencies.
How DORA fits with your existing frameworks
For banks, DORA does not sit in isolation. It consolidates and supersedes the older patchwork of supervisory ICT guidance, raising it to directly applicable law. It also interacts with NIS2: where both could apply, DORA operates as *lex specialis* for the financial sector, so DORA's specific requirements take precedence for banks. Our explainer on [NIS2 vs DORA](/blog/nis2-vs-dora-financial-sector-overlap-explained) covers the overlap in detail.
A practical roadmap to DORA compliance
- **Map your ICT estate** — systems, data flows, and the critical or important functions they support.
- **Stand up the ICT risk-management framework** with explicit board approval and a risk-tolerance statement.
- **Build the register of information** and remediate non-compliant third-party contracts.
- **Operationalise incident classification and reporting** to meet the 4-hour notification clock.
- **Run the testing programme** — annual testing for all, TLPT every three years for significant banks.
- **Evidence everything** — DORA compliance is proven through documentation, not intentions.
You can score your framework against the five pillars with our free [DORA compliance checker](/tools/dora-compliance-checker), and work through the full requirement set with our [DORA compliance checklist](/blog/dora-compliance-checklist-2026) and [DORA regulation guide](/regulations/dora).
Frequently Asked Questions
When did DORA become applicable to banks?
DORA has been fully applicable since 17 January 2025. As an EU regulation it applies directly in all Member States, so banks have been subject to its requirements — and to supervisory examination — since that date.
What are the five pillars of DORA?
DORA is built on five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The first four are mandatory; information sharing is voluntary.
How quickly must a bank report a major ICT incident under DORA?
Under the technical standards, a bank must submit an initial notification of a major ICT-related incident no later than 4 hours after classifying it as major, and within 24 hours of becoming aware of it, followed by intermediate and final reports.
Do all banks have to perform threat-led penetration testing?
No. All in-scope entities must run a testing programme including annual vulnerability and scenario testing, but threat-led penetration testing (TLPT) at least every three years applies to significant institutions identified by their supervisors, based on the TIBER-EU framework.
How does DORA relate to NIS2 for banks?
Where both DORA and NIS2 could apply, DORA acts as lex specialis for the financial sector, so its specific operational-resilience requirements take precedence for banks and other financial entities.
Meet DORA requirements with FinlexPro
DORA spans five pillars, dozens of articles, and a growing body of ESA technical standards. FinlexPro lets banks' compliance and ICT teams search 2,700+ EU regulatory documents — including the full DORA text and its RTS/ITS — in context, and pair that with our [DORA compliance solutions for banks](/solutions/banks) and free [DORA compliance checker](/tools/dora-compliance-checker). Turn a sprawling regulation into a defensible, evidenced compliance programme.
*This article is for general information and does not constitute legal advice. Verify all requirements and deadlines against official EUR-Lex, ESA, and national competent authority sources, and seek qualified counsel for your specific situation.*