DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has established uniform requirements for digital operational resilience of financial entities since January 2025. It harmonizes requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management across the entire EU financial sector.
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on January 16, 2023, and has been fully applicable since January 17, 2025. DORA establishes a unified European legal framework for digital operational resilience in the financial sector.
Before DORA, EU member states had different national regulations for IT security in financial institutions. In Germany, these were primarily BAIT (Banking Supervisory Requirements for IT) and MaRisk. DORA harmonizes these requirements at the European level and significantly expands them.
Why Was DORA Introduced?
The financial sector is increasingly dependent on digital technologies. Cyber attacks, IT outages, and vulnerabilities at third-party providers can have severe impacts – not only for individual institutions but for the stability of the entire financial system. DORA addresses these systemic risks through:
- Uniform standards for ICT risk management across the entire EU
- Strengthened resilience against cyber threats and IT failures
- Regulation of critical third-party providers such as cloud providers
- Improved information sharing about threats
Who Does DORA Apply To?
DORA has a broad scope and covers nearly all actors in the financial sector. The regulation applies to:
Financial Entities
- Credit institutions (banks)
- Payment institutions
- Electronic money institutions
- Investment firms
- Insurance companies
- Reinsurers
- Asset management companies
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding platforms
ICT Third-Party Service Providers
- Cloud service providers
- Software vendors
- Data centers
- IT outsourcing providers
- Data analytics providers
Critical ICT third-party service providers are subject to direct oversight by the ESAs (EBA, EIOPA, ESMA).
The Proportionality Principle
DORA recognizes that not all financial entities are the same. The proportionality principle allows for risk-based implementation: Smaller institutions with simpler business models must implement requirements according to their size, risk profile, and service complexity.
However, proportionality does not mean exemption. All financial entities must comply with DORA – but the scope of measures varies.
The 5 Pillars of DORA
DORA is based on five central themes that together form a comprehensive framework for digital resilience:
ICT Risk Management
The core of DORA: A robust framework for identifying, assessing, and managing all ICT-related risks.
- ICT risk strategy and governance
- Identification of critical functions and assets
- Protection and prevention measures
- Detection of anomalous activities
- Business continuity management
- Backup and recovery strategies
ICT Incident Management
Structured processes for handling and reporting ICT-related incidents.
- Incident classification
- Reporting obligations to supervisory authorities
- Reporting deadlines:
  - Initial notification within 4 hours
  - Intermediate report after 72 hours
  - Final report after 1 month
- Root cause analysis
Digital Operational Resilience Testing
Regular testing to verify resilience capabilities.
- Annual basic tests (all entities)
- Vulnerability assessments
- Penetration tests
- TLPT every 3 years (systemically important institutions)
- Scenario-based tests
- Inclusion of ICT third-party providers in testing
ICT Third-Party Risk
Comprehensive management of risks from outsourcing and third-party relationships.
- Minimum contractual requirements
- Information register of all ICT service providers
- Risk-based due diligence
- Exit strategies
- Concentration risk assessment
- Monitoring of critical third parties
Information Sharing
Voluntary sharing of threat information to strengthen collective resilience.
- Share cyber threat intelligence
- Participate in information sharing arrangements
- Exchange of Indicators of Compromise (IoCs)
- Exchange of Tactics, Techniques, and Procedures (TTPs)
- Privacy-compliant implementation
DORA Timeline & Deadlines
- Publication: DORA is published in the EU Official Journal
- Entry into Force (January 16, 2023): DORA enters into force; the 24-month implementation period begins
- Technical Standards (RTS/ITS): the ESAs develop detailed regulatory technical standards
- Application Date (January 17, 2025): DORA is fully applicable; all requirements must be met
- Information Register: first complete information register of all ICT third-party service providers is due
- TLPT Cycle: systemically important institutions must conduct their first TLPT
DORA Implementation: Step by Step
Implementing DORA is a complex project that should be approached systematically. We recommend the following approach:
1. Conduct Gap Analysis: Assess your current state and identify gaps against DORA requirements. Use our free DORA Health-Check for an initial assessment.
2. Establish Governance: Define clear responsibilities. Senior management must approve and oversee the ICT risk management framework. Establish an ICT risk management function.
3. Identify Critical Functions: Determine your critical and important functions along with the ICT assets that support them. These form the basis for protection measures and resilience testing.
4. Build Third-Party Register: Create a complete information register of all ICT third-party service providers. Assess concentration risks and critical dependencies.
5. Implement Processes: Establish processes for incident management, change management, business continuity, and resilience testing in accordance with DORA requirements.
6. Launch Testing Program: Develop a risk-based testing program. Conduct regular vulnerability assessments, penetration tests, and TLPT where required.
7. Continuously Improve: DORA compliance is not a one-time project. Establish continuous monitoring, regular reviews, and an improvement process.
Costs and Effort of DORA Implementation
The costs for DORA implementation vary significantly depending on the starting situation, size, and complexity of the organization. Here is an overview:
| Company Size | Typical Costs | Timeframe | Staff Required (internal) |
|---|---|---|---|
| Small (<50 employees) | €50,000 – €150,000 | 6-12 months | 0.5-1 FTE |
| Medium (50-500 employees) | €150,000 – €500,000 | 12-18 months | 1-3 FTE |
| Large (>500 employees) | €500,000+ | 18-24 months | 3+ FTE |
FTE = Full-Time Equivalent. Costs include external consulting, tools, training, and technical measures where applicable. Basic IT security infrastructure costs are not included.
Cost Drivers in DORA Implementation
- Starting situation: Organizations with existing ISMS (e.g., ISO 27001) have advantages
- IT landscape complexity: Many legacy systems increase effort
- Number of third parties: Each ICT service provider must be documented and assessed
- TLPT requirement: Systemically important institutions have higher testing costs
- Documentation effort: DORA requires extensive evidence
Free Initial Assessment
Where does your organization stand? Our free DORA Health-Check gives you an initial indication of your maturity level and identifies the most important action areas.
DORA vs. NIS2: What's the Difference?
Many financial institutions wonder how DORA and NIS2 are related. Here are the key differences:
| Aspect | DORA | NIS2 |
|---|---|---|
| Legal Form | EU Regulation (directly applicable) | EU Directive (national transposition) |
| Scope | Financial sector only | 18 critical sectors |
| Application Date | January 17, 2025 | October 18, 2024 (DE: NIS2UmsuCG) |
| Focus | Digital operational resilience | General cybersecurity |
| Third Parties | Detailed requirements, direct oversight | General supply chain security |
| Testing | Specific testing requirements incl. TLPT | No specific testing obligations |
Important for financial institutions: DORA applies as lex specialis (more specific law) over NIS2. This means: If you comply with DORA, you essentially also meet NIS2 cybersecurity requirements. However, DORA goes beyond NIS2 in many areas.
Why Niagon for Your DORA Implementation?
Focus on Financial Sector & Regulated Industries
Our focus is on banks and financial service providers – but critical infrastructure operators and regulated industrial companies also benefit from our expertise in ICT risk management and compliance.
Pragmatic Approach
No theoretical handbooks, but actionable measures. We deliver results, not PowerPoints.
Holistic Expertise
DORA, BAIT, MaRisk, NIS2, ISO 27001 – we integrate regulatory requirements into a coherent framework.
Our DORA Services
- DORA Health-Check: Free status assessment with our online assessment
- Gap Analysis: Detailed analysis of your current compliance status
- Action Planning: Prioritized implementation plan with effort estimates
- Implementation Support: Hands-on assistance with implementation
- Audit Preparation: Ready for regulatory audits
- Information Register: Building and maintaining the ICT third-party register
Frequently Asked Questions About DORA (FAQ)
What is DORA?
DORA (Digital Operational Resilience Act) is an EU regulation (EU 2022/2554) that has established uniform requirements for digital operational resilience of financial entities since January 2025. It governs ICT risk management, incident reporting, resilience testing, and third-party risk management.
Who does DORA apply to?
DORA applies to all financial entities in the EU: credit institutions, insurance companies, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, and critical ICT third-party service providers such as cloud providers.
How much does a DORA gap analysis cost?
A DORA gap analysis typically costs between €15,000 and €50,000, depending on company size, IT landscape complexity, and scope of analysis.
How long does DORA implementation take?
Implementation duration varies: Small institutions typically need 6-12 months, medium-sized companies 12-18 months, and large financial groups 18-24 months for full DORA compliance.
What is the difference between DORA and NIS2?
DORA is specifically designed for the financial sector and directly applicable as an EU regulation. NIS2 is a cross-sector directive for critical infrastructure that must be transposed into national law. For financial entities, DORA applies as lex specialis.
What penalties apply for DORA violations?
For DORA violations, supervisory authorities can impose fines of up to €10 million or 5% of global annual turnover. Additionally, reputational damage and regulatory measures up to license revocation may apply.
What are the 5 pillars of DORA?
The 5 pillars of DORA are: 1) ICT Risk Management, 2) ICT Incident Management and Reporting, 3) Digital Operational Resilience Testing, 4) ICT Third-Party Risk Management, 5) Information Sharing on Cyber Threats.
Do small banks also need DORA compliance?
Yes, DORA applies to all financial entities regardless of size. However, the proportionality principle applies: Smaller institutions must implement requirements according to their size, risk profile, and business complexity.
What is TLPT (Threat-Led Penetration Testing)?
TLPT is a threat-led penetration test that is mandatory under DORA for systemically important financial entities every three years. It simulates realistic cyber attacks based on current threat intelligence and tests the resilience of critical systems.
How does Niagon support DORA implementation?
Niagon offers a holistic DORA consulting approach: Free health check for status assessment, detailed gap analysis, action plan development, implementation support, audit preparation, and continuous compliance monitoring.
Ready for DORA?
Start now with our free DORA Health-Check and find out in 10 minutes where your organization stands.