DORA Compliance: What the Technical Requirements Actually Mean
The EU Digital Operational Resilience Act entered application in January 2025. Financial entities face concrete obligations around ICT risk, testing, and third-party management.
Adrien Fontaine
GRC Director · 10 January 2025
DORA introduces five pillars of digital operational resilience that financial entities — banks, insurers, investment firms — must comply with by January 2025.
ICT Risk Management. Entities must maintain a comprehensive ICT risk framework with dedicated risk management functions, annual risk assessments, and a protection strategy covering detection, response, and recovery. Crucially, the framework must be board-approved and reviewed annually.
ICT Incident Reporting. Major ICT incidents must be reported to competent authorities within 4 hours of classification, with an intermediate report within 72 hours and a final report within one month. Incident classification criteria are specific — revenue impact, client count, and duration all factor in.
Digital Operational Resilience Testing. All entities must run basic testing (vulnerability assessments, scenario-based tests) annually. Significant entities must conduct Threat-Led Penetration Testing (TLPT) every 3 years against production systems — TIBER-EU methodology is the benchmark.
Third-Party Risk. DORA imposes strict requirements on ICT third-party contracts, including mandatory exit strategies, concentration risk assessments, and enhanced oversight for critical providers designated by the European Supervisory Authorities (ESAs).
Information Sharing. Entities are encouraged — and in some cases required — to participate in threat intelligence sharing arrangements. Establish your Traffic Light Protocol (TLP)-compliant sharing process now.