    Strengthen Your Cyber Resilience with Expert DORA Compliance Services

DORA's 5 pillars — what the regulation requires in practice

DORA is not a single obligation — it is a framework of five interconnected requirements designed to ensure that every financial entity operating in the EU can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions. Each pillar imposes specific, documented deliverables.

Where most financial organizations have existing controls in areas like ICT risk management and incident response, DORA demands a significantly higher level of documentation, testing rigor, and third-party oversight than previous frameworks. The gap between "we have processes" and "we are DORA-compliant" is frequently larger than organizations expect — and closing it before a supervisory inspection is essential.

ICT Risk Management

Requirements for Information & Communication Technology (ICT) risk management.

ICT Incident Reporting

Requirements for reporting major ICT-related incidents to the competent authorities.

Information Sharing

Information and Intelligence sharing in relation to cyber threats and vulnerabilities.

Digital Operational Resilience Testing

Requirements for advanced testing of ICT tools, systems and processes based on Threat-Led Penetration Testing (TLPT).

ICT third-party Risk Management

Requirements for ICT third-party Risk Management.

ICT incident classification and reporting timelines under DORA

Not every ICT incident triggers a DORA reporting obligation — but misclassifying a major incident as non-reportable is itself a compliance failure. DORA establishes specific criteria for what constitutes a "major incident" requiring mandatory notification.

Classification depends on a set of impact criteria defined by the European Supervisory Authorities — covering the number of clients affected, duration of disruption, data loss, criticality of affected services, geographic spread, and financial impact. Cyber-Management builds classification frameworks and decision trees into your incident response procedures so your team can make the right call quickly, under pressure.

Major ICT incident

Mandatory reporting to competent authority

An incident that has a significant adverse impact on the availability, authenticity, integrity, or confidentiality of network and information systems — assessed against specific impact thresholds set by ESA technical standards.

Reporting timeline:

4 hours — initial notification
72 hours — intermediate report
1 month — final report

Significant cyber threat

Voluntary notification encouraged

A cyber threat that, if materialized, could cause a major ICT incident. Financial entities are encouraged to voluntarily notify their competent authority of significant threats — even where no actual disruption has occurred.


Where a significant threat could affect clients, entities must also inform those clients of protective measures they can take — creating a customer communication obligation.

No mandatory deadline — prompt notification encouraged

Cyber-Management provides pre-built incident classification templates, escalation procedures, and regulatory notification drafts — so when an incident occurs, your team is not constructing a response from scratch against a 4-hour deadline.

Resilience testing and third-party ICT risk — DORA's two most demanding requirements

For most financial entities, DORA's resilience testing obligations and third-party ICT register requirement represent the most significant operational effort — and the areas where most organizations are furthest from compliance.

Threat-Led Penetration Testing (TLPT)

TLPT is not a standard penetration test. It is a controlled, intelligence-led simulation of a real attack against your live production systems — conducted by approved external testers using tactics, techniques, and procedures derived from real threat intelligence relevant to your entity.


TLPT is mandatory every three years for significant financial entities identified by competent authorities. It must cover at minimum the critical functions identified in your ICT risk management framework, and must involve your critical ICT third-party providers where they support those functions.

Testing must be conducted by approved External Test Providers (ETPs)
Scope must cover critical ICT systems supporting critical functions
Findings must be shared with competent authority
Remediation of critical findings is mandatory within defined timelines
Third-party providers may be required to participate in testing

ICT third-party service provider register

Every financial entity must maintain a complete, up-to-date register of all ICT third-party service providers — from cloud platforms and SaaS tools to managed security services and payment processors.


For each provider, the register must document the services provided, the criticality classification, data locations, sub-contractor dependencies, and contractual exit provisions. Critical ICT third-party providers face direct oversight by the relevant European Supervisory Authority.


The contractual requirements for critical providers are extensive — covering data access rights for competent authorities, audit rights, incident notification obligations, and business continuity commitments. Cyber-Management reviews your existing ICT contracts and identifies the gaps against DORA's Article 30 mandatory provisions.

What your ICT third-party register must include

DORA Article 28(3) requires financial entities to maintain a register of information on all contractual arrangements with ICT third-party service providers. At minimum, each entry must capture:

Provider name & registered address

Services provided & ICT systems supported

Criticality classification

Data storage & processing locations

Sub-contractor dependencies

Contract start / end dates

Audit and inspection rights

Exit and transition plan provisions

How DORA fits with ISO 27001, NIS2, and existing financial regulations

DORA was explicitly designed to complement — not duplicate — existing regulatory frameworks. However, it imposes a higher level of specificity and testing rigor than any predecessor framework.

ISO 27001

Relationship with DORA: ISO 27001 covers the ICT risk management, incident management, and access control foundations that underpin DORA's requirements. A certified ISMS satisfies approximately 45–60% of DORA's obligations.

NIS2

Relationship with DORA: Financial entities subject to DORA are generally exempt from NIS2 for their financial services activities — DORA is the lex specialis for the financial sector. However, where a financial entity also operates infrastructure covered by NIS2, both may apply.

What DORA adds beyond it: DORA's testing requirements (TLPT), third-party oversight framework, and financial-sector-specific incident classification criteria go significantly beyond NIS2's provisions.

EBA / EIOPA / ESMA guidelines

Relationship with DORA: DORA supersedes and consolidates previous ICT risk guidelines issued by EBA, EIOPA, and ESMA — replacing the patchwork of sector-specific ICT guidance with a single, directly applicable regulation.

What DORA adds beyond it: Directly applicable as an EU Regulation (no member state transposition required), broader scope including ICT third-party providers, and mandatory TLPT for significant entities.

GDPR

Relationship with DORA: DORA's incident reporting requirements and data security obligations overlap with GDPR Article 32's security measures and breach notification obligations — a single incident may trigger both DORA and GDPR reporting.

What DORA adds beyond it: DORA's incident reporting timelines are more demanding (4h initial vs GDPR's 72h). DORA adds specific resilience testing and third-party ICT requirements that go beyond GDPR's scope.

DORA enforcement — what non-compliance costs

DORA empowers competent authorities with significant supervisory and enforcement powers — going well beyond the ability to impose fines. The full range of remedial measures available makes proactive compliance far less costly than a supervisory intervention.

Financial entities — periodic penalty

1% / day

Up to 1% of average daily worldwide turnover per day, for each day of non-compliance following a binding supervisory instruction. Can run for up to six months.

Critical ICT third-party providers

€5M

Or up to 1% of average daily worldwide turnover — whichever is higher — for critical ICT third-party providers under direct EU supervisory oversight. Individual liability also possible for management.

Non-financial penalties

Broad

Binding instructions to remedy non-conformities. Public disclosure of violations. Temporary prohibition on offering services. Suspension of senior management. Mandatory external audit at entity's own cost.

The daily penalty structure is particularly significant — unlike a one-time fine, it accrues for each day an identified compliance failure persists after a supervisory instruction. For a financial entity with €50M annual turnover, a sustained 90-day period of non-compliance following a supervisory instruction could generate penalties exceeding €120,000. Our vCISO service provides the ongoing governance oversight to prevent compliance gaps from escalating to this point.

Why DORA Compliance Matters

Regulatory Requirement

Compliance with DORA is not optional; it is a legal necessity for financial entities operating within the EU. Ensuring compliance protects your business from regulatory penalties and legal issues.

Enhanced Cybersecurity

Implementing DORA requirements strengthens your overall cybersecurity posture, reducing the risk of breaches and operational disruptions.

Customer Trust

Demonstrating your commitment to digital resilience builds trust with your clients, enhancing your reputation in a competitive market.

Business Continuity

DORA compliance ensures that you have robust processes in place to maintain operations, even in the face of unexpected incidents.

DORA has been in force since January 2025 — is your organization ready for supervisory review?

Book a free 25-minute scoping call. We will assess your current DORA compliance status, identify your highest-risk gaps, and outline a practical roadmap to a defensible compliance position.

Benefits of Partnering with Us

Expertise in Cybersecurity and Financial Sector

Our team consists of seasoned professionals with extensive experience within the Financial Industry.

Peace of Mind

Focus on your core business while we handle your data protection needs, ensuring compliance and reducing risk.

Regulatory Compliance

Stay ahead of the ever-changing landscape of data privacy regulations, minimizing the risk of penalties and reputational damage.

Enhanced Customer Trust

Demonstrating a commitment to data protection can strengthen your relationship with clients and stakeholders, enhancing your brand’s reputation.

FAQs

Does DORA apply to our ICT suppliers even if they are not financial entities?

Yes — DORA directly applies to ICT third-party service providers that are designated as "critical" by the relevant European Supervisory Authority (EBA, EIOPA, or ESMA). Critical ICT third-party providers face direct EU supervisory oversight regardless of their own sector. Even non-critical ICT providers that serve DORA-covered financial entities face indirect DORA requirements through the contractual obligations their financial entity clients must impose on them — including audit rights, incident notification requirements, and business continuity commitments. If you are an ICT provider to financial entities, DORA is already shaping the contractual demands your clients are placing on you.

We already comply with EBA ICT guidelines — are we DORA compliant?

Compliance with the EBA Guidelines on ICT and Security Risk Management is a strong starting point — but it does not make you DORA compliant. DORA supersedes and goes significantly beyond the EBA guidelines in three key areas: the mandatory TLPT testing program (not required under the guidelines), the comprehensive ICT third-party register with mandatory Article 30 contract provisions (more prescriptive than the guidelines), and the specific major incident reporting timelines and classification criteria. A formal DORA gap analysis comparing your current EBA-compliant program against DORA's requirements is the most efficient way to identify exactly what still needs to be addressed.

What is the difference between basic and advanced resilience testing under DORA?

Basic resilience testing is required annually for all financial entities covered by DORA. It includes vulnerability assessments, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaire-based assessments, and scenario-based tests. Advanced testing — specifically Threat-Led Penetration Testing (TLPT) — is required every three years for financial entities identified as significant by competent authorities. TLPT must be conducted by approved external testers using real threat intelligence and must cover live production systems. Unlike basic testing, TLPT results must be shared with the competent authority and critical findings must be remediated within defined timelines.

How does DORA's incident reporting differ from GDPR and NIS2?

The key differences are the initial notification deadline and the triggering criteria. DORA requires an initial notification within 4 hours of classifying an incident as "major" — significantly faster than GDPR's 72-hour breach notification and NIS2's 24-hour early warning. DORA's classification criteria are also more specific, based on quantitative impact thresholds (number of clients affected, duration, financial impact) set by the European Supervisory Authorities. A single incident may trigger reporting obligations under all three frameworks simultaneously, with different timelines and different reporting destinations — making a pre-planned, multi-framework incident response procedure essential.
How long does DORA compliance take to implement?

For a financial entity starting from a solid ISO 27001 or EBA-compliant baseline, addressing the DORA-specific gaps typically takes 3–6 months. This covers formalizing the ICT risk management framework to DORA's specification, building the third-party register, updating contracts with critical ICT providers, implementing the incident classification and reporting procedures, and planning the basic resilience testing program. Achieving full DORA compliance including TLPT readiness for entities that require it typically takes 9–12 months end to end. Cyber-Management works to your regulatory timelines — DORA has been in force since January 2025 and supervisory inspections are underway.

Does DORA apply to our organisation if we are a small payment institution?

Yes — payment institutions are explicitly covered by DORA regardless of size. However, DORA includes a proportionality principle: micro-enterprises (fewer than 10 employees and annual turnover under €2M) may be exempt from some of the more burdensome requirements, including TLPT. The specific simplifications available to smaller entities are determined by member state implementation. Cyber-Management provides a scoping assessment that confirms exactly which DORA obligations apply to your specific entity type and size — ensuring you implement what is required without over-investing in requirements that do not apply to you. Book a scoping call.