Try for free

DORA: what the financial sector and its IT vendors must comply with

DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the EU regulation on the digital operational resilience of the financial sector. Unlike the NIS2 Directive, it is directly applicable in all member states — no national transposition needed — and has applied since January 2025. Supervision is carried out by the national competent financial authorities in each member state.

Who does DORA apply to

Practically the entire financial ecosystem — the regulation lists over 20 types of entities: banks, insurance and reinsurance undertakings, investment firms, asset management companies, payment institutions, electronic money institutions, crypto-asset service providers, pension funds and insurance intermediaries (above a certain size).

The key peculiarity: DORA also reaches ICT vendors of financial institutions. If you provide software, hosting, cloud or IT services to a bank or an insurer, its DORA obligations will flow down into your contract — and critical ICT third-party service providers can fall under the direct oversight of the European Supervisory Authorities.

The five pillars of DORA

1. ICT risk management

A risk management framework approved by the management body: identification of assets, protection, detection, response and recovery. Management bears full responsibility — just as under NIS2.

2. ICT incident reporting

Classification of incidents against uniform criteria and reporting of major incidents to the regulator within set deadlines (initial notification, intermediate report, final report). This requires a working incident log with timestamps.

3. Digital operational resilience testing

Regular testing — from vulnerability scans to penetration tests. The largest institutions must undergo advanced threat-led penetration testing (TLPT) once every three years.

4. Third-party risk management

For most companies the most labour-intensive pillar: a Register of Information covering all contractual arrangements with ICT providers, concentration risk assessments, mandatory contractual clauses and exit strategies for critical services. The register is submitted to the regulator.

5. Information sharing

Voluntary exchange of threat intelligence within the sector.

DORA and ISO 27001: an overlap worth exploiting

DORA does not require certification, but its requirements mirror the structure of an ISMS under ISO 27001: risk management (Clause 6), incidents (A.5.24–A.5.27), suppliers (A.5.19–A.5.22), continuity (A.5.29–A.5.30), testing and monitoring. An institution with a working ISO 27001 already meets a significant part of the DORA requirements and can prove it with documentation.

A practical approach for smaller financial entities and their IT vendors:

  1. ISMS documentation — policies, risk management, incident response plans. ISOForge generates it tailored to your organisation.
  2. ICT vendor register — track providers, their criticality and contract review dates (ISOForge has a dedicated module for this, with DORA labelling of ICT providers).
  3. Incident log — with deadline tracking and records for the regulator.
  4. Annual cycle — document reviews, risk reassessments, training and internal audits in a compliance calendar.

Summary

Need ISO documentation?

ISOForge generates audit-ready documentation tailored to your company — in English, at a fraction of consultant cost.

Learn more