The Digital Operational Resilience Act (DORA) came into effect in the European Union (EU) on January 16, 2023, with enforcement starting January 17, 2025. The regulation introduces a unified framework to strengthen cybersecurity and operational risk management across the financial services sector in the EU.
Financial institutions and related services operating in the EU now face specific obligations related to their digital infrastructure, incident response capabilities, and third-party service provider relationships.
Below, we look at DORA compliance requirements, consequences of noncompliance, and which entities must comply.
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is a regulation that applies to financial sector entities across all EU member states. It aims to reduce the impact of severe operational disruptions by strengthening IT security and risk management.
DORA requires financial entities to be able to deliver critical operations even during outages, cyberattacks, or other disruptions. This concept, known as operational resilience, is central to the regulation and reflects growing concerns about the sector’s reliance on digital systems and third-party providers.
Who must comply with DORA?
DORA applies to a wide range of organizations operating in the EU’s financial sector. This includes 20 types of financial entities under the following categories:
- banking and payments
- investment and trading
- crypto and digital assets
- market infrastructure
- insurance and pensions
- credit and ratings
- crowdfunding
It also applies to information and communications technology (ICT) third-party service providers that supply digital and data services to these financial entities through ICT systems on an ongoing basis. This covers both software and hardware services, but not traditional analog telephone services. ICT services in scope include:
- Cloud computing services: DORA explicitly includes cloud providers due to their central role in financial infrastructure
- Software services: this covers software licensing (including SaaS providers), custom development, maintenance, and support
- Data analytics services: providers that process and analyze data to support decision-making in financial entities
- Data center services: firms that host and manage critical data and applications
- Hardware services: providers offering technical support via software or firmware updates
- Payment services: including payment processors, gateways, service providers, and card networks
- ICT security management services: services focused on monitoring and protecting systems from cyber threats
- ICT support services: help desks, incident response, and other services that keep ICT systems running smoothly
Some providers fall under the category of critical ICT third-party service providers. These entities, designated by the European Supervisory Authorities (ESAs), face stricter oversight and must meet specific contractual obligations.
Microenterprises receive certain exemptions from DORA requirements. These are defined as financial entities with fewer than 10 employees and an annual turnover or balance sheet total below EUR 2 million. However, trading venues, central counterparties, trade repositories, and central securities depositories are not exempt even if they meet the microenterprise criteria.
DORA also has extraterritorial reach and applies to non-EU financial entities and ICT service providers. The regulation requires designated critical ICT third-party providers to establish an EU subsidiary within 12 months of designation.
What is the DORA compliance deadline?
The European Parliament and Council passed DORA on December 14, 2022. The regulation came into effect on January 16, 2023, and enforcement began on January 17, 2025.
The two-year period between enactment and enforcement enabled financial organizations and ICT service providers to modify their systems and develop appropriate procedures to comply with DORA’s requirements.
From the January 2025 enforcement date, all organizations that fall within DORA’s scope must demonstrate compliance with its provisions.
DORA compliance requirements
DORA introduces several obligations beyond technical fixes to strengthen operational resilience across the financial sector. These requirements dictate how financial entities manage risk, respond to incidents, work with third-party service providers, and prepare for disruptions.
ICT risk management and governance
DORA outlines certain requirements for organizations to implement ICT risk management and governance control frameworks.
The regulation places responsibility for ICT risk management and governance squarely on an entity’s management body, which must implement policies to maintain high standards of data availability, authenticity, integrity, and confidentiality.
Management body members have an ongoing obligation to stay informed about ICT risks and their potential impact on operations.
The Commission Delegated Regulation (EU) 2024/1774, adopted on March 13, 2024, supplements and builds on DORA by introducing technical standards for how financial entities must manage ICT risks. These standards provide further clarity on what effective risk management looks like in practice, helping institutions align their internal DORA compliance frameworks with the regulation’s requirements.
ICT risk management framework
Financial entities must establish a documented ICT risk management framework with independent oversight, annual reviews, internal audits, and a digital operational resilience strategy. It should define the strategies, policies, and tools used to protect information and ICT assets from risks.
ICT systems, protocols and tools
ICT systems must be reliable, scalable, and resilient to handle operational demands, including peak processing loads and adverse conditions.
Identification
Financial entities must identify and document all ICT-supported business functions, assets, and dependencies. They should continuously assess cyber threats and conduct risk assessments after major changes in the network and information system infrastructure. Risk assessments on legacy systems should also be conducted yearly.
Protection and prevention
Financial entities must monitor ICT system security and implement policies to maintain availability, authenticity, integrity, and data confidentiality. These measures should protect against data corruption, loss, and unauthorized access. Entities must limit access to necessary functions and implement authentication protocols.
Detection
Entities must establish mechanisms to detect ICT anomalies, incidents, and failures, supported by regular testing and automated alerts for response teams. Data reporting service providers must verify report completeness.
Response and recovery
Financial entities must implement business continuity, response, and recovery plans for operational resilience, crisis communication, and regular impact analysis. These plans must be tested frequently, including under cyberattack scenarios.
Backup policies and procedures
There must be backup policies in place to restore ICT systems with minimal downtime without compromising data security. After an ICT-related incident, financial entities should verify that they have maintained the highest level of data integrity.
Learning and evolving
Financial entities must gather information on vulnerabilities and conduct post-incident reviews to improve ICT operations. Lessons learned from incidents should be incorporated into the ICT risk management framework.
Communication
Crisis communication plans must enable responsible disclosure of major ICT incidents, with designated staff managing public and internal communication.
Simplified ICT risk management framework
Small entities must maintain a simplified ICT risk management framework that includes mechanisms for managing ICT risk and maintaining business continuity. They should identify dependencies on ICT third-party service providers and regularly test business continuity plans.
ICT-related incident management, classification, and reporting
DORA requires financial entities to implement a process to detect, manage, and report ICT incidents. The process should involve consistent monitoring and cover incident classification, response, and communication protocols. Major ICT-related incidents must be escalated to senior management, with measures put in place to prevent recurrence.
Incidents must be classified using criteria such as the number of clients affected, duration of downtime, geographical spread, data loss, criticality of the services affected, and financial impact. Cyber threats are classified as significant when they pose a risk to critical services, judged by the criticality of the services at risk, the geographical spread of the threat, and whether clients are being targeted.
Financial entities must report major ICT incidents to competent authorities with initial, intermediate, and final reports. Clients must be informed about incidents affecting their financial interests and any measures taken to reduce adverse effects.
The European Commission adopted the Commission Delegated Regulation (EU) 2024/1772 on March 13, 2024, as a supplement to DORA. It outlines specific thresholds that determine whether an incident is considered major and sets clear expectations for the content and format of incident reports.
Digital operational resilience testing
Financial entities, excluding microenterprises, must establish a comprehensive digital operational resilience testing program to evaluate preparedness for ICT incidents and identify weaknesses. This program should include various assessments conducted by independent parties to confirm that corrective measures are in place.
Testing must include a wide range of assessments to validate the security of ICT systems, including vulnerability assessments, network security assessments, gap analyses, and compatibility testing, among others.
Competent authorities will designate which financial entities are required to conduct threat-led penetration testing (TLPT) every three years to assess critical functions within live production systems. These tests must cover relevant ICT systems and services, including those provided by third-party service providers.
TLPT testers must be reputable, possess specific technical expertise, and be certified by an accreditation body. They must provide independent assurance and be covered by professional indemnity insurance.
ICT third-party risk management
Under DORA, financial entities are fully responsible for digital operational resilience, even when key services are outsourced to third parties.
DORA requires financial entities to integrate ICT third-party risk into their risk management framework, maintain a register of contractual arrangements, conduct due diligence, and comply with security standards.
Before entering into a contract, financial entities must assess whether it involves a critical or important function and identify and assess all relevant risks. They should weigh the benefits and costs of alternative solutions and consider subcontracting risks, especially with third-country providers.
Contracts must include service level descriptions, specify termination rights and notice periods, and obligate third-party service providers to assist if an ICT-related incident involving their service takes place.
DORA establishes an Oversight Framework for critical ICT third-party service providers in the EU financial sector. This framework allows European Supervisory Authorities (ESAs) to designate lead overseers who can monitor compliance, demand corrective action, and prohibit contracts with noncompliant providers.
The Commission Delegated Regulation (EU) 2024/1773, adopted on March 13, 2024, supplements and expands on DORA by outlining detailed policy requirements for contractual arrangements involving ICT services that support critical or important functions provided by third-party service providers.
Information sharing under DORA
Although it is not a mandatory requirement, DORA encourages financial entities to collaborate on cyber threat intelligence as a way to strengthen the sector’s overall resilience. By sharing timely information on vulnerabilities, attack methods, and mitigation tactics, institutions can improve their ability to detect threats early and respond more effectively when incidents occur.
This type of information exchange must take place within trusted communities and follow strict safeguards. Shared data, such as indicators of compromise or cybersecurity alerts, must be handled in line with the provisions of the General Data Protection Regulation (GDPR), business confidentiality rules, and competition law. The goal is to help institutions prevent isolated threats from escalating into broader disruptions while protecting sensitive information.
These arrangements — especially when the information shared is sensitive — must define the conditions for participation and whether any public authorities are involved. Financial entities that join or leave these arrangements must notify the relevant competent authorities.
Data encryption for DORA compliance
Under DORA’s ICT risk management requirements, financial entities must implement comprehensive data encryption policies that address the following:
- Data encryption at rest and in transit: Information must be protected from unauthorized access whether it is stored in databases or moving between systems.
- Data encryption in use, where necessary: Data must be protected during active processing operations. If encryption isn’t technically feasible, data must be handled in a separate, secure environment, or equivalent measures must be taken to maintain its confidentiality, integrity, authenticity, and availability.
- Encryption of internal and external network traffic: Secure communication channels against interception or tampering.
- Cryptographic key management: Define rules for how keys are used, protected, and managed throughout their lifecycle.
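The key-management bullet is the one most often left abstract, so here is an added example (not code from the original article or from Usercentrics) of what "managed throughout their lifecycle" looks like in practice for data at rest. It uses AES-256-GCM from the Go standard library and a hypothetical versioned keyring of our own design: every ciphertext carries the ID of the key that sealed it, rotation installs a new active key while the old one stays decrypt-only so existing records remain readable, and revocation after a suspected compromise removes a key entirely. The key ID and a caller-supplied record context are bound as associated data, so a ciphertext cannot be silently re-attributed to another key or another record. The record content and the `record:42` context are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring holds versioned AES-256-GCM keys. The lifecycle it models (a
// hypothetical scheme, not a DORA term) has three states: one active key seals
// new data, retired keys stay decrypt-only, revoked keys are removed entirely.
type Keyring struct {
	keys   map[uint32]cipher.AEAD
	active uint32
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32]cipher.AEAD{}} }

// Rotate installs a fresh random 256-bit key as the active key; the previous
// active key remains for decryption only. Returns the new key ID.
func (k *Keyring) Rotate() (uint32, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	k.active++
	k.keys[k.active] = aead
	return k.active, nil
}

// Revoke removes a retired key, e.g. after a suspected compromise; records
// sealed under it become unreadable, which is the intended outcome.
func (k *Keyring) Revoke(id uint32) error {
	if id == k.active {
		return errors.New("cannot revoke the active key; rotate first")
	}
	if _, ok := k.keys[id]; !ok {
		return fmt.Errorf("unknown key id %d", id)
	}
	delete(k.keys, id)
	return nil
}

// Seal encrypts under the active key and returns
// 4-byte key ID || 12-byte random nonce || GCM ciphertext || 16-byte tag.
// Key ID and caller context (e.g. a record identifier) are bound as associated
// data, so neither can be changed without Open's tag check failing.
func (k *Keyring) Seal(plaintext, context []byte) ([]byte, error) {
	aead, ok := k.keys[k.active]
	if !ok {
		return nil, errors.New("no active key; call Rotate first")
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, k.active)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, header...), context...)
	return aead.Seal(append(header, nonce...), nonce, plaintext, aad), nil
}

// Open authenticates and decrypts a blob from Seal. Unknown or revoked key IDs
// and any altered key ID, nonce, ciphertext or context are rejected.
func (k *Keyring) Open(blob, context []byte) ([]byte, error) {
	if len(blob) < 4+12+16 { // header + standard GCM nonce + tag
		return nil, errors.New("blob too short")
	}
	aead, ok := k.keys[binary.BigEndian.Uint32(blob[:4])]
	if !ok {
		return nil, errors.New("unknown or revoked key id")
	}
	ns := aead.NonceSize()
	aad := append(append([]byte{}, blob[:4]...), context...)
	pt, err := aead.Open(nil, blob[4:4+ns], blob[4+ns:], aad)
	if err != nil {
		return nil, errors.New("authentication failed: blob or context was modified")
	}
	return pt, nil
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	blob, _ := kr.Seal([]byte("account holder: A. Example"), []byte("record:42")) // constructed sample
	kr.Rotate()                                                                   // scheduled rotation: key 1 becomes decrypt-only
	pt, err := kr.Open(blob, []byte("record:42"))
	fmt.Printf("after rotation: %q, err=%v\n", pt, err)
	kr.Revoke(1) // suspected compromise of key 1
	_, err = kr.Open(blob, []byte("record:42"))
	fmt.Println("after revocation:", err)
}
```

Two design points matter for the DORA bullets above. First, because the active key changes on rotation while retired keys remain readable, rotation can be scheduled without a bulk re-encryption of stored data, and a later re-encryption job can retire old key IDs at its own pace. Second, random 96-bit GCM nonces are safe only for a bounded number of messages per key (NIST SP 800-38D recommends at most 2^32 random-nonce invocations per key), which is a concrete, measurable reason to make rotation a policy rather than an afterthought. In production the raw key material would live in an HSM or cloud KMS rather than in process memory as here.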
DORA noncompliance risks
Financial entities that fail to meet DORA’s requirements face significant regulatory consequences from competent authorities.
- Competent authorities can impose administrative penalties for DORA breaches.
- Authorities may demand the temporary or permanent cessation of any practice or conduct that infringes DORA’s requirements, to prevent repeat violations.
- Financial penalties can be levied against entities to promote ongoing adherence to legal requirements.
- Authorities can issue public statements identifying the responsible entity or individual and detailing the nature of the breach, which creates reputational risk for the offending entity.
- Financial entities can contest imposed penalties or measures through the established appeal processes within the legal framework.
DORA compliance checklist
Below is a non-exhaustive checklist to help your organization with DORA compliance. For advice specific to your organization, consulting a qualified legal professional is strongly recommended.
For the first part of your DORA compliance assessment, verify whether the regulation applies to your organization before proceeding.
ICT risk management and governance
- Establish a documented ICT risk management framework with oversight, audits, reviews, and a resilience strategy.
- Use ICT systems that are reliable, scalable, and resilient under stress and peak demand.
- Identify and document ICT-supported functions, assets, and dependencies.
- Continuously assess cyber threats and conduct risk assessments after major changes or annually for legacy systems.
- Implement policies to maintain data availability, authenticity, integrity, and confidentiality.
- Limit access to essential functions and apply strong authentication and encryption protocols.
- Monitor ICT systems for anomalies, using mechanisms for detection, alerts, and incident response.
- Create business continuity, response, and recovery plans with regular testing, including for cyberattack scenarios.
- Set up secure, physically separate backups to restore systems with minimal downtime.
- Conduct post-incident reviews and update the risk framework with lessons learned.
- Develop a crisis communication plan with designated staff for internal and public disclosure.
ICT-related incident management, classification, and reporting
- Create a structured process to detect, classify, respond to, and report ICT-related incidents.
- Classify incidents based on client impact, downtime, location, data loss, criticality, and financial consequences.
- Identify significant cyber threats based on affected services, location, and client targeting.
- Prepare and submit initial, intermediate, and final reports to competent authorities for major ICT-related incidents.
- Notify clients when incidents affect their financial interests and explain mitigation steps.
Digital operational resilience testing
- Implement a resilience testing program to evaluate readiness and identify vulnerabilities.
- Include tests such as vulnerability assessments, network security checks, and penetration testing.
- Use independent testers to conduct assessments and confirm that corrective measures are in place.
- If required, perform threat-led penetration testing (TLPT) every three years for critical systems.
- Verify that TLPT covers ICT systems and third-party services relevant to critical operations.
- Use certified, accredited testers with professional indemnity insurance and technical expertise.
- Cooperate with competent authorities on TLPT scope and recognition across jurisdictions.
Third-party risk management
- Incorporate third-party ICT risk into your overall risk management framework.
- Maintain a register of all contractual arrangements with ICT service providers.
- Conduct due diligence on providers and evaluate risks before entering into contracts.
- Assess whether services are critical or important and consider the risks of subcontracting and possible alternatives.
- Draft contracts to include service levels, termination clauses, and incident support obligations.
- Follow the Oversight Framework for critical ICT third-party service providers designated by ESAs.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.