DORA Explained: Who It Affects, Requirements & Penalties

Metrica.uno Team
5 min read
#DORA #digital operational resilience #financial services #ICT risk #compliance

The Digital Operational Resilience Act (DORA) is the EU’s regulation for ensuring that the financial sector can withstand, respond to, and recover from ICT-related disruptions. Finance can’t afford downtime — and DORA makes sure organizations treat digital resilience as seriously as financial resilience.

DORA has been applicable since January 2025. If you’re in financial services and haven’t started, you’re already behind.

Who Does DORA Affect?

DORA casts a wide net across the financial ecosystem:

Financial Entities

  • Banks and credit institutions
  • Investment firms
  • Insurance and reinsurance companies
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers
  • Central securities depositories
  • Trading venues
  • Trade repositories
  • Fund managers (UCITS and AIFMs)
  • Credit rating agencies
  • Crowdfunding service providers
  • Securitization repositories

Critical ICT Third-Party Providers

This is the game-changer. DORA doesn’t just regulate financial entities — it creates a direct oversight framework for their critical ICT providers. If you’re a cloud provider, data center operator, software vendor, or managed service provider that serves financial institutions, you may be designated as a “critical ICT third-party provider” and subject to direct regulatory oversight.

Size and Scope

DORA applies to virtually all regulated financial entities in the EU, with proportionality principles for smaller entities. Microenterprises (fewer than 10 employees and under €2M turnover) face simplified requirements, but they’re not exempt.

Key Requirements

1. ICT Risk Management Framework

Financial entities must establish a comprehensive ICT risk management framework that includes:

  • Governance structures with clear accountability at management level
  • ICT risk identification, classification, and documentation
  • Protection and prevention measures
  • Detection of anomalous activities
  • Response and recovery plans
  • Learning and evolving from incidents
  • Communication protocols for stakeholders

2. ICT Incident Reporting

DORA mandates a structured incident reporting regime:

Timeline        Obligation
4 hours         Initial notification to competent authority (after classification)
24-72 hours     Intermediate report with updated details
1 month         Final report with root cause and remediation

Major ICT-related incidents must also be reported to clients if their financial interests are affected.

3. Digital Operational Resilience Testing

Financial entities must test their ICT systems regularly:

  • Basic testing (all entities): vulnerability assessments, network security testing, gap analysis, source code reviews, performance testing
  • Advanced testing (significant entities): Threat-Led Penetration Testing (TLPT) at least every 3 years, conducted by qualified testers using real-world threat intelligence

4. Third-Party Risk Management

Organizations must manage risks from ICT third-party providers throughout the relationship lifecycle:

  • Pre-contractual due diligence and risk assessment
  • Contractual requirements (service levels, audit rights, data location, exit strategies)
  • Ongoing monitoring and performance review
  • Exit strategies — you must be able to switch providers without disrupting critical services

5. Information Sharing

DORA encourages (but doesn’t mandate) cyber threat intelligence sharing among financial entities to improve collective resilience.

Why DORA Matters

  • Systemic risk: A single ICT failure at a major financial institution can cascade across the entire financial system. DORA prevents this.
  • Customer protection: When banks go offline, people can’t pay rent, buy groceries, or receive salaries. DORA ensures continuity of essential financial services.
  • Harmonization: Before DORA, each EU country had different ICT risk rules for finance. DORA creates one standard across the entire EU.
  • Cloud oversight: For the first time, critical cloud providers serving financial institutions face direct regulatory oversight — not just indirect pressure through their clients.

What Happens If You Don’t Comply

The Penalties

DORA penalties are determined by national competent authorities and can include:

  • Periodic penalty payments
  • Public reprimands
  • Temporary prohibition of management functions
  • Orders to cease specific practices
  • Administrative fines (amounts determined by member states)

For critical ICT third-party providers, the EU oversight framework can impose:

  • Penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance
  • Remediation requirements
  • Temporary restrictions on providing services to financial entities

A Scenario Nobody Wants to Live

This is an illustrative scenario based on real operational disruption patterns.

A regional bank with 200,000 customers relies on a single cloud provider for its core banking platform. The cloud provider suffers a 48-hour outage due to a cascading infrastructure failure.

The bank has no tested business continuity plan for this scenario. No disaster recovery site, no tested failover, no manual procedures for critical services.

The impact:

  • 200,000 customers can’t access their accounts for 48 hours
  • ATMs go offline across the region
  • Salary payments scheduled for that Friday bounce for 30,000 employees
  • Social media panic begins, with customers posting screenshots of error messages
  • Businesses can’t process card payments, losing revenue during a holiday weekend

The regulatory investigation reveals:

  • The bank never tested its disaster recovery plan
  • No third-party risk assessment was conducted on the cloud provider
  • No exit strategy existed — the bank was 100% dependent on a single provider
  • The CIO approved the cloud contract without reviewing the resilience terms
  • The board was never briefed on ICT concentration risk

Under DORA: Regulatory sanctions, mandatory remediation plan, public disclosure, potential prohibition of management functions for the CIO. The bank’s reputation takes years to recover.

How to Get Started

1. Map Your ICT Landscape

Document every ICT system, service, and provider that supports your financial operations. Identify dependencies, single points of failure, and critical functions.

2. Assess Third-Party Risks

Evaluate each ICT third-party provider against DORA requirements: data location, audit rights, exit strategies, subcontracting chains. Update contracts where needed.

3. Build Incident Response

Establish ICT incident classification, reporting workflows, and communication protocols aligned with DORA’s 4-hour / 24-72-hour / 1-month reporting timeline.

4. Test Your Resilience

Start with basic testing (vulnerability assessments, gap analysis) and plan for TLPT if you’re a significant entity. Test your business continuity plans — not just on paper, but with real exercises.

5. Engage the Board

DORA requires board-level accountability for ICT risk. Ensure your management body understands its obligations and receives regular ICT risk reports.


DORA doesn’t ask if you’ll face an ICT disruption — it assumes you will. The question is whether you’ll survive it with your operations, reputation, and customers intact. Start preparing now.
