AuditXYZ

Regulation (EU) 2022/2554 — Digital Operational Resilience Act

DORA establishes ICT risk management and resilience requirements for EU financial entities. Learn how to comply with this regulation covering testing, incidents, and third-party risk.

Issuing Body: European Parliament and Council of the European Union
First Published: 2023-01-16
Latest Version: 2022
Typical Cost: $50,000–$500,000
Typical Timeline: 6–24 months
Audit Required: Yes
Audit Frequency: Ongoing supervisory oversight. Threat-led penetration testing (TLPT) required every 3 years for significant entities.
Geography: European Union, EEA

DORA: Digital Operational Resilience Act Guide

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a comprehensive framework for digital operational resilience across the financial sector. Effective from January 2025, DORA ensures financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.

What DORA Covers

DORA is built on five pillars:

ICT Risk Management — Financial entities must establish and maintain a comprehensive ICT risk management framework including identification, protection, detection, response, and recovery capabilities.

ICT-Related Incident Management — Entities must classify, manage, and report major ICT-related incidents. Significant cyber threats must also be reported on a voluntary basis.

Digital Operational Resilience Testing — Regular testing of ICT systems, including vulnerability assessments and network security tests, and, for significant entities, advanced threat-led penetration testing (TLPT) at least every three years.

ICT Third-Party Risk Management — Comprehensive management of risks from ICT third-party service providers, including mandatory contractual provisions, concentration risk monitoring, and exit strategies.

Information Sharing — Voluntary frameworks for sharing cyber threat intelligence among financial entities.

Who DORA Affects

DORA applies to virtually all regulated financial entities in the EU: credit institutions, payment institutions, investment firms, insurance companies, pension funds, crypto-asset service providers, crowdfunding providers, and more. Critically, it also applies to critical ICT third-party service providers (CTPPs) serving these entities — including cloud providers, data analytics firms, and software vendors.

Compliance Approach

  1. Gap assessment — Map current ICT risk management practices against DORA requirements
  2. ICT risk framework — Establish or enhance your ICT risk management framework
  3. Incident management — Implement incident classification, escalation, and reporting processes
  4. Testing program — Design a resilience testing program meeting DORA's tiered requirements
  5. Third-party register — Create and maintain a register of all ICT third-party arrangements
  6. Contract remediation — Update third-party contracts to include DORA-mandated provisions
  7. Board governance — Ensure management body oversight and accountability for ICT risk

Key Differences from Existing Regulation

DORA harmonizes digital resilience requirements across EU financial services, replacing the patchwork of national guidelines. Its direct applicability as a regulation (not a directive) means consistent requirements across all member states without transposition differences.
