DORA: what the financial sector and its IT vendors must comply with
DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the EU regulation on the digital operational resilience of the financial sector. Unlike the NIS2 Directive, it is directly applicable in all member states — no national transposition needed — and has applied since January 2025. Supervision is carried out by the national competent financial authorities in each member state.
Who does DORA apply to
Practically the entire financial ecosystem — the regulation lists over 20 types of entities: banks, insurance and reinsurance undertakings, investment firms, asset management companies, payment institutions, electronic money institutions, crypto-asset service providers, pension funds and insurance intermediaries (above a certain size).
The key peculiarity: DORA also reaches ICT vendors of financial institutions. If you provide software, hosting, cloud or IT services to a bank or an insurer, its DORA obligations will flow down into your contract — and critical ICT third-party service providers can fall under the direct oversight of the European Supervisory Authorities.
The five pillars of DORA
1. ICT risk management
A risk management framework approved by the management body: identification of assets, protection, detection, response and recovery. Management bears full responsibility — just as under NIS2.
2. ICT incident reporting
Classification of incidents against uniform criteria and reporting of major incidents to the regulator within set deadlines (initial notification, intermediate report, final report). This requires a working incident log with timestamps.
3. Digital operational resilience testing
Regular testing — from vulnerability scans to penetration tests. The largest institutions must undergo advanced threat-led penetration testing (TLPT) once every three years.
4. Third-party risk management
For most companies the most labour-intensive pillar: a Register of Information covering all contractual arrangements with ICT providers, concentration risk assessments, mandatory contractual clauses and exit strategies for critical services. The register is submitted to the regulator.
5. Information sharing
Voluntary exchange of threat intelligence within the sector.
DORA and ISO 27001: an overlap worth exploiting
DORA does not require certification, but its requirements mirror the structure of an ISMS under ISO 27001: risk management (Clause 6), incidents (A.5.24–A.5.27), suppliers (A.5.19–A.5.22), continuity (A.5.29–A.5.30), testing and monitoring. An institution with a working ISO 27001 already meets a significant part of the DORA requirements and can prove it with documentation.
A practical approach for smaller financial entities and their IT vendors:
- ISMS documentation — policies, risk management, incident response plans. ISOForge generates it tailored to your organisation.
- ICT vendor register — track providers, their criticality and contract review dates (ISOForge has a dedicated module for this, with DORA labelling of ICT providers).
- Incident log — with deadline tracking and records for the regulator.
- Annual cycle — document reviews, risk reassessments, training and internal audits in a compliance calendar.
Summary
- DORA is directly applicable and already in force — financial entities and their ICT vendors should act now.
- The most underestimated obligation: the Register of Information on ICT contracts.
- ISO 27001 is the most efficient framework for systematically covering and documenting the DORA requirements.