DORA Compliance Guide: ICT Risk Management for Financial Entities

Dr. Elena Vasquez
February 12, 2026

What is DORA?

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, establishes a comprehensive framework for managing ICT (Information and Communication Technology) risks in the EU financial sector. DORA became fully applicable on January 17, 2025.

Unlike previous fragmented approaches to ICT risk, DORA creates uniform requirements across all EU member states and covers virtually all types of financial entities, from large banks to small payment institutions.

Why DORA Matters

The financial sector's increasing dependence on technology creates systemic risks. A major cyber incident or ICT failure at a critical service provider could cascade across the entire financial system. DORA addresses this by:

  • Establishing minimum ICT risk management standards
  • Creating a harmonized incident reporting framework
  • Requiring regular resilience testing
  • Introducing oversight of critical ICT third-party providers

Who Must Comply with DORA?

DORA applies to a broad range of financial entities:

Directly Covered Entities

  • Credit institutions (banks)
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers (CASPs)
  • Central securities depositories
  • Insurance and reinsurance undertakings
  • Pension funds
  • Credit rating agencies
  • Crowdfunding service providers

ICT Third-Party Providers

Critical ICT service providers designated by European Supervisory Authorities (ESAs) fall under a new oversight framework, even if they are not financial entities themselves.

The Five Pillars of DORA

Pillar 1: ICT Risk Management

Financial entities must establish a comprehensive ICT risk management framework including:

Governance Requirements

  • Management body responsibility for ICT risk strategy
  • Dedicated ICT risk management function
  • Clear roles and responsibilities
  • Regular reporting to management

Risk Identification and Assessment

  • Maintain inventory of all ICT assets
  • Identify and classify ICT-supported business functions
  • Assess risks to confidentiality, integrity, and availability
  • Document dependencies on ICT third-party providers

Protection and Prevention

  • Implement ICT security policies
  • Access control and identity management
  • Encryption and cryptographic controls
  • Network security measures
  • Physical security of ICT assets

Detection

  • Continuous monitoring of ICT systems
  • Anomaly detection mechanisms
  • Vulnerability scanning
  • Threat intelligence integration

Response and Recovery

  • ICT business continuity policy
  • Disaster recovery plans
  • Backup and restoration procedures
  • Communication plans for ICT incidents

Pillar 2: ICT Incident Management and Reporting

DORA creates a harmonized incident reporting framework:

Classification Requirements

Incidents must be classified based on:

  • Number of clients/counterparties affected
  • Duration of the incident
  • Geographic spread
  • Data losses
  • Economic impact
  • Criticality of services affected

Reporting Obligations

Major ICT-related incidents must be reported to competent authorities:

  • Initial notification: within 24 hours
  • Intermediate report: within 72 hours
  • Final report: within one month

Voluntary Reporting

Entities may voluntarily report significant cyber threats, even if they don't result in incidents.

Pillar 3: Digital Operational Resilience Testing

DORA mandates regular testing of ICT systems:

Basic Testing (All Entities)

  • Vulnerability assessments and scans
  • Open source analyses
  • Network security assessments
  • Gap analyses
  • Physical security reviews
  • Source code reviews (where feasible)
  • Scenario-based tests
  • Compatibility testing
  • Performance testing
  • End-to-end testing

Advanced Testing (Significant Entities)

Entities meeting certain thresholds must undergo threat-led penetration testing (TLPT) at least every three years. TLPT must:

  • Be conducted by qualified testers
  • Cover critical functions
  • Include live production environments
  • Follow the TIBER-EU framework

Pillar 4: ICT Third-Party Risk Management

Financial entities must manage risks from ICT service providers:

Pre-Contractual Assessment

  • Due diligence on potential providers
  • Risk assessment considering concentration risk
  • Evaluation of provider's resilience measures

Contractual Requirements

DORA mandates specific provisions in ICT contracts including:

  • Service level descriptions
  • Data protection provisions
  • Audit and access rights
  • Exit strategies and transition assistance
  • Incident notification obligations
  • Subcontracting limitations

Ongoing Monitoring

  • Regular assessment of provider performance
  • Review of provider's resilience measures
  • Monitoring of concentration risk

Pillar 5: Information Sharing

DORA encourages (but doesn't mandate) participation in cyber threat information sharing arrangements among financial entities, subject to appropriate confidentiality protections.

DORA and MiCA: The Intersection

For crypto-asset service providers (CASPs), DORA compliance is mandatory alongside MiCA. Key overlaps include:

  • ICT security requirements in MiCA Article 68 align with DORA
  • CASPs must apply DORA's full ICT risk management framework
  • Incident reporting follows DORA timelines
  • Third-party risk provisions apply to crypto custody providers

Proportionality Principle

DORA recognizes that one size doesn't fit all. Requirements are applied proportionally based on:

  • Size and overall risk profile
  • Nature, scale, and complexity of services
  • Systemic importance
  • Risk posed to financial stability

Smaller entities may benefit from simplified requirements in certain areas.

Penalties for Non-Compliance

Member states must establish effective penalties for DORA violations. While specific amounts vary by jurisdiction, penalties must be:

  • Effective and proportionate
  • Dissuasive
  • Made public in most cases

Compliance Checklist

Use this checklist to assess your DORA readiness:

  • ICT risk management framework documented and approved by management
  • Complete inventory of ICT assets and dependencies
  • ICT security policies covering all DORA requirements
  • Incident classification and reporting procedures
  • Business continuity and disaster recovery plans
  • Testing program established (basic tests at minimum)
  • Third-party provider register maintained
  • Contracts with ICT providers reviewed for DORA compliance
  • Staff training on ICT risk management
  • Regular reporting to management body

How FinlexPro Helps

DORA contains 64 articles plus numerous regulatory technical standards (RTS) and implementing technical standards (ITS). FinlexPro indexes:

  • Complete DORA regulation text
  • All published RTS and ITS
  • ESA guidelines and Q&As
  • Cross-references to related regulations (MiCA, PSD2, etc.)

Search specific DORA requirements and get AI-powered explanations with direct article citations.
