What is DORA and why it changes the game
The Digital Operational Resilience Act (DORA) is an EU regulation (Regulation (EU) 2022/2554) that has applied since January 17, 2025. DORA introduces uniform digital operational resilience requirements for the entire financial sector in Europe — from the largest banks to small fintechs.
Before DORA, financial cybersecurity requirements were scattered across national regulations, sectoral standards (PCI DSS), and general legislation (NIS2, GDPR). DORA harmonizes these requirements and adds new ones: resilience testing, ICT third-party risk management, and standardized incident reporting.
The 5 pillars of DORA
Pillar 1: ICT risk management
Financial institutions must implement a comprehensive ICT risk management framework covering: asset and dependency identification, risk assessment, protection measures, threat detection, incident response, and disaster recovery. The management board bears direct responsibility for ICT risk oversight.
Pillar 2: ICT incident reporting
Mandatory reporting of major ICT incidents in a standardized format: initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month. An incident is classified as major based on its impact on financial services, the number of clients affected, and the losses incurred.
Pillar 3: Operational resilience testing
Regular testing including: vulnerability scanning, penetration testing, scenario testing, business continuity testing. For systemically important institutions — mandatory TLPT (Threat-Led Penetration Testing) every 3 years, conducted by certified providers.
Pillar 4: ICT third-party risk management
Registry of all ICT providers, concentration risk assessment, contractual security clauses, audit and testing rights, and exit strategies for the case where a provider fails or the relationship ends. European supervisory authorities can directly oversee critical ICT providers.
Pillar 5: Threat intelligence sharing
Financial institutions may (but are not required to) participate in cyber threat information sharing programs. DORA defines rules for the secure exchange of indicators of compromise (IoCs) and attacker tactics, techniques, and procedures (TTPs).
DORA implementation timeline
| Phase | Action | Duration |
|---|---|---|
| 1 | Gap analysis — current state vs DORA requirements | 1-2 months |
| 2 | ICT risk management framework — policies, procedures, roles | 3-4 months |
| 3 | ICT provider registry — inventory, risk assessment, contracts | 2-3 months |
| 4 | Incident reporting system — processes, tools, training | 2-3 months |
| 5 | Testing program — test plan, TLPT, continuity tests | 2-3 months |
| 6 | Continuous improvement — audits, updates, training | Ongoing |
Step by step: How to implement DORA
Step 1: Gap analysis
A security audit that assesses the current cybersecurity posture against DORA requirements and identifies gaps in ICT risk management, incident reporting, resilience testing, and vendor management.
Step 2: Implement ICT risk management framework
Develop policies and procedures: ICT asset registry, risk assessment methodology, protection measures, incident response plan, business continuity plan. Assign board-level accountability.
Step 3: Vendor contract review
Review all technology vendor agreements for DORA compliance: security clauses, audit rights, resilience SLAs, exit plans. Create a central ICT provider registry.
Step 4: Incident reporting system
Implement ICT incident classification and reporting processes per DORA timeline. Integrate with SOC for automatic incident detection and escalation.
Step 5: Resilience testing program
Develop an annual test plan covering: vulnerability scanning, penetration testing, scenario testing (DDoS, ransomware, BEC), business continuity testing, TLPT for systemically important institutions.
Step 6: Training and awareness
Training programs for the board (DORA accountability), IT staff (technical procedures), all employees (threat recognition), and compliance teams (reporting requirements).
DORA and other regulations
DORA vs NIS2: DORA is lex specialis — for the financial sector, it takes precedence over NIS2 where the two overlap, while NIS2 obligations that DORA does not address must still be met.
DORA vs PCI DSS: PCI DSS covers payment card data security, DORA covers general operational resilience. Card-processing institutions must comply with both.
DORA vs national regulations: DORA supersedes national ICT risk requirements and creates a unified EU-wide framework for financial sector cybersecurity.
How nFlo supports DORA implementation
- Security audits — DORA gap analysis, cybersecurity maturity assessment
- Penetration testing — TLPT, scenario testing, banking API tests
- SOC as a Service — 24/7 monitoring meeting DORA detection and reporting requirements
- NIS2 compliance support — DORA and NIS2 implementation guidance