
EU Regulation | Financial Sector

DORA: Digital Operational Resilience Act

Since 17 January 2025, DORA (Regulation EU 2022/2554) applies directly across all EU member states. Banks, insurers, and all other financial entities must systematically demonstrate their digital operational resilience - with mandatory penetration tests, strict incident reporting obligations, and a comprehensive ICT third-party register.

Last updated: March 2026

Applicable since: 17 Jan 2025 (directly applicable across all EU member states, no national transposition required)
In scope: 20 categories of financial entities plus critical ICT third-party providers
Reporting: 4 h / 72 h (initial notification / intermediate report for major incidents)
Sanctions: up to 1% of average daily worldwide turnover per day of non-compliance for CTPs (Art. 35 DORA)

Definition

What is DORA?

The Digital Operational Resilience Act (Regulation EU 2022/2554) has been directly and bindingly applicable in all EU member states since 17 January 2025. As an EU regulation - not a directive - DORA applies without national transposition into domestic law.

DORA creates the first harmonized legal framework for digital operational resilience across the entire European financial sector. Financial entities must demonstrate that they can absorb, adapt to, and recover from ICT-related disruptions, cyberattacks, and system failures.

Particularly significant: DORA regulates not only the financial entities themselves but also their critical ICT third-party providers directly - cloud hyperscalers such as AWS, Microsoft Azure, or Google Cloud may be designated as Critical Third-Party Providers (CTPs) subject to direct European supervision.

DORA vs. NIS2 Comparison

| Aspect                | DORA                                                | NIS2                                         |
|-----------------------|-----------------------------------------------------|----------------------------------------------|
| Legal form            | EU Regulation (directly applicable)                 | EU Directive (national transposition)        |
| Scope                 | Financial sector only                               | All critical sectors                         |
| ICT third parties     | Directly regulated (CTP oversight)                  | Indirect (supply-chain security obligations) |
| Penetration tests     | TLPT mandatory for designated entities              | No specific requirement                      |
| Supervisory authority | National financial supervisor / ECB; ESAs for CTPs  | National cybersecurity authority             |
| Lex specialis         | Yes, takes precedence for financial entities        | General rule                                 |

Lex specialis: For financial entities subject to both DORA and NIS2, DORA takes precedence as sector-specific law. Most DORA requirements simultaneously satisfy NIS2 obligations.

Applicability

Who is subject to DORA?

Art. 2(1) DORA lists 20 categories of financial entities in scope, plus ICT third-party service providers as the final item; those providers that are systemically important for the sector can be designated as critical (CTPs). The range spans from traditional credit institutions to crypto-asset service providers.

Financial Entities

  • Credit institutions and investment firms
  • Payment institutions and e-money institutions
  • Insurance and reinsurance undertakings
  • Institutions for occupational retirement provision (IORPs)
  • Alternative investment fund managers (AIFMs) and UCITS management companies
  • Crypto-asset service providers (under MiCA)
  • Crowdfunding service providers
  • Central counterparties (CCPs) and central securities depositories
  • Trading venues (Regulated Markets, MTF, OTF)
  • Trade repositories and securitisation repositories

Critical ICT Third-Party Providers (CTPs)

For the first time, ICT service providers delivering systemically important services to the financial sector are overseen directly by the European Supervisory Authorities (ESAs), one of which is appointed Lead Overseer for each designated provider:

  • Cloud computing providers (AWS, Azure, Google Cloud)
  • Data centres and colocation services
  • Data analytics and market data platforms
  • Core banking software providers
  • Payment processors and clearing houses

CTP sanctions: Periodic penalty payments of up to 1% of the CTP's average daily worldwide turnover in the preceding business year, imposed for each day of non-compliance for a period of up to six months (Art. 35 DORA).

Requirements

The 5 DORA Pillars

DORA structures the requirements for digital operational resilience into five pillars. All five areas are mandatory for in-scope financial entities.

01
Art. 5-16

ICT Risk Management

Financial entities must establish a comprehensive ICT risk management framework that systematically identifies, classifies, and assesses all ICT risks. This includes an up-to-date ICT asset inventory mapping all hardware, software, and data, plus implemented protective measures: access control, patch management, data backup, and encryption. Business continuity and contingency plans for ICT systems must be defined and regularly tested.

Key obligations

  • Complete ICT asset inventory
  • Risk appetite strategy (board-approved)
  • Business Continuity Plan
  • Patch management processes
  • Personal management accountability
02
Art. 17-23

ICT-Related Incident Reporting

DORA establishes a harmonized EU-wide three-tier reporting procedure for major ICT-related incidents to the competent authority. Whether an incident is major is determined by the classification criteria of Art. 18 DORA as detailed in the regulatory technical standards drafted jointly by the ESAs (Commission Delegated Regulation (EU) 2024/1772): clients and financial counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact.

Key obligations

  • Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it
  • Intermediate report: within 72 hours of submitting the initial notification
  • Final report: within 1 month of submitting the intermediate report
  • Internal classification processes
  • Predefined escalation paths
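To make the three clocks concrete, here is an added worked example (not code from the original page and not AWARE7's tooling) that computes the reporting deadlines for a constructed incident timeline. It encodes the deadlines as described above: the initial notification is due 4 hours after classification but never later than 24 hours after the entity became aware of the incident, the intermediate report 72 hours after the initial notification is submitted, and the final report one month after the intermediate report. Treating "one month" as a calendar month (clamped to the last day of the target month), and starting the next clock from a report's deadline when its actual submission time is not yet known, are assumptions of this example.

```python
"""Deadline calculator for DORA major-incident reports (added example).

Assumptions, not taken from the page: one month is a calendar month (clamped
to the last day of the target month), and when a report's actual submission
time is unknown the next clock is started from that report's deadline.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ReportDeadlines:
    initial: datetime          # initial notification
    intermediate: datetime     # intermediate report
    final: datetime            # final report
    capped_by_awareness: bool  # True if the 24 h awareness cap, not the 4 h clock, binds


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month addition: 31 Jan -> 28/29 Feb rather than overflowing."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def compute_deadlines(aware_at: datetime, classified_at: datetime,
                      initial_submitted_at: Optional[datetime] = None,
                      intermediate_submitted_at: Optional[datetime] = None) -> ReportDeadlines:
    """Return the three report deadlines for one major incident.

    aware_at: when the entity became aware of the incident.
    classified_at: when it classified the incident as major.
    """
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    # Initial notification: 4 h from classification, but never later than 24 h from awareness.
    by_classification = classified_at + timedelta(hours=4)
    by_awareness = aware_at + timedelta(hours=24)
    initial = min(by_classification, by_awareness)
    capped = by_awareness < by_classification
    # Intermediate report: 72 h from the actual submission of the initial notification.
    intermediate = (initial_submitted_at or initial) + timedelta(hours=72)
    # Final report: one month from the submission of the intermediate report.
    final = add_one_month(intermediate_submitted_at or intermediate)
    return ReportDeadlines(initial, intermediate, final, capped)


def slow_classification_case() -> ReportDeadlines:
    """Constructed timeline: awareness Monday 08:00 UTC, classification 22 h later.

    4 h after classification would be Tuesday 10:00, but the 24 h awareness cap
    makes Tuesday 08:00 the binding deadline.
    """
    aware = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)
    return compute_deadlines(aware, aware + timedelta(hours=22))


def fast_classification_case() -> ReportDeadlines:
    """Constructed timeline: classification one hour after awareness; the 4 h clock binds."""
    aware = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)
    return compute_deadlines(aware, aware + timedelta(hours=1))


if __name__ == "__main__":
    for name, case in (("slow", slow_classification_case()), ("fast", fast_classification_case())):
        print(f"{name}: initial {case.initial:%Y-%m-%d %H:%M} "
              f"(awareness cap binding: {case.capped_by_awareness}), "
              f"intermediate {case.intermediate:%Y-%m-%d %H:%M}, "
              f"final {case.final:%Y-%m-%d %H:%M}")
```

The slow case is the one that catches teams out: a classification process that takes most of a day does not buy extra time, because the 24-hour cap from awareness binds before the 4-hour clock does. Wiring the awareness timestamp, not only the classification timestamp, into the incident ticket is therefore a prerequisite for meeting the first deadline.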
03
Art. 24-27

Digital Operational Resilience Testing

DORA mandates regular, binding tests. All financial entities must conduct at least annual baseline tests: vulnerability assessments, open-source analyses, and network security assessments. Significant institutions are additionally required to conduct Threat-Led Penetration Tests (TLPT) under TIBER-EU - every three years, based on real threat intelligence.

Key obligations

  • Annual baseline tests (all entities)
  • TLPT every 3 years (significant institutions)
  • Testers meeting the Art. 27 requirements (external testers, or internal testers where the conditions of Art. 26 are met; TIBER-EU has no formal accreditation scheme)
  • Tests on live production systems
  • TLPT authority validates the scope beforehand and issues an attestation on completion
04
Art. 28-44

ICT Third-Party Risk Management

This is one of the most significant DORA aspects: financial entities must maintain a complete register of all ICT third-party providers. For critical providers, minimum contractual clause requirements apply: audit and inspection rights, SLA definitions, exit strategies, and concentration risk analyses. The ESAs may designate systemically important providers as CTPs and supervise them directly.

Key obligations

  • Complete third-party register
  • Criticality classification of all providers
  • DORA-compliant contractual clauses
  • Concentration risk analysis
  • Exit strategies per provider
05
Art. 45

Information Sharing

DORA encourages financial entities to voluntarily exchange structured cyber threat intelligence (threat intel) within trusted communities. This information sharing is intended to strengthen the collective resilience of the financial sector and is legally underpinned by DORA - subject to data protection requirements.

Key obligations

  • Voluntary participation
  • Trusted communities
  • Data-protection-compliant exchange
  • Strengthening collective resilience
  • ISACs and TIBER networks

Art. 28-44 DORA

ICT Third-Party Risk: The Heart of DORA

ICT third-party risk management is one of the most demanding and innovative aspects of DORA. For the first time, an EU regulation creates direct supervision over critical technology providers in the financial sector.

Financial entities must maintain a complete, continuously updated register of all ICT third-party providers. Each provider must be classified by criticality: if it supports critical or important functions, enhanced contractual requirements apply - including audit and inspection rights for supervisory authorities.

The concentration risk analysis is a novel requirement: financial entities must assess and document their dependency on individual providers - and maintain functioning exit strategies in the event of provider failure.

Third-party register
Complete record of all ICT providers including criticality classification, services provided, and sub-contractors
DORA minimum contractual clauses
Supervisory audit rights, defined SLAs, data access rights, exit strategy, and data localisation information
CTP direct supervision
ESAs may designate systemically important providers as critical ICT third-party providers (CTPs) and directly inspect them
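As an added worked example (not code from the original page and not AWARE7's tooling), the following script runs the checks this section describes over a small, constructed register of information: which arrangements support critical or important functions and therefore need the enhanced contractual clauses, where those clauses are missing, which providers the entity is concentrated on once sub-outsourcing chains are followed, and which functions depend on a single provider without a tested exit strategy. The register layout, the provider names, and the threshold of two critical or important functions as the concentration trigger are assumptions of this example; a real register follows the ESAs' register-of-information templates.

```python
"""Concentration and contract-gap checks over an ICT third-party register (added example).

The register rows, provider names and the concentration threshold below are
constructed for illustration; they are not from the original page.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CRITICAL_OR_IMPORTANT = {"critical", "important"}


@dataclass(frozen=True)
class RegisterEntry:
    provider: str                    # direct ICT third-party provider
    service: str                     # ICT service provided
    function: str                    # business function the service supports
    function_tier: str               # "critical", "important" or "other"
    subcontractors: Tuple[str, ...]  # sub-outsourcing chain, nearest first
    audit_rights: bool               # contract grants access, inspection and audit rights
    exit_strategy: bool              # documented and tested exit plan exists


# Constructed sample register for a fictitious bank.
SAMPLE_REGISTER: List[RegisterEntry] = [
    RegisterEntry("CloudCo", "IaaS hosting", "core banking", "critical", (), True, True),
    RegisterEntry("CloudCo", "IaaS hosting", "online banking", "critical", (), True, True),
    RegisterEntry("CloudCo", "IaaS hosting", "HR portal", "other", (), False, False),
    RegisterEntry("PayHub", "payment processing", "SEPA payments", "critical", ("CloudCo",), True, False),
    RegisterEntry("DataFeed", "market data", "treasury", "important", (), False, True),
    RegisterEntry("MailSaaS", "e-mail", "marketing", "other", ("CloudCo",), False, False),
]


def ci_entries(register: List[RegisterEntry]) -> List[RegisterEntry]:
    """Rows that support a critical or important function (enhanced requirements apply)."""
    return [e for e in register if e.function_tier in CRITICAL_OR_IMPORTANT]


def contract_gaps(register: List[RegisterEntry]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(provider, function, missing clauses) for critical/important arrangements."""
    gaps = []
    for e in ci_entries(register):
        missing = tuple(name for name, ok in (("audit rights", e.audit_rights),
                                              ("exit strategy", e.exit_strategy)) if not ok)
        if missing:
            gaps.append((e.provider, e.function, missing))
    return gaps


def concentration(register: List[RegisterEntry]) -> Dict[str, FrozenSet[str]]:
    """Critical/important functions each provider supports, directly or as a subcontractor.

    Following the subcontracting chain exposes fourth-party concentration: a
    provider that never appears as the direct counterparty for a function can
    still be the one it actually runs on.
    """
    exposure = defaultdict(set)
    for e in ci_entries(register):
        exposure[e.provider].add(e.function)
        for sub in e.subcontractors:
            exposure[sub].add(e.function)
    return {p: frozenset(f) for p, f in exposure.items()}


def concentrated_providers(register: List[RegisterEntry], threshold: int = 2) -> List[str]:
    """Providers on which at least `threshold` critical/important functions depend."""
    return sorted(p for p, f in concentration(register).items() if len(f) >= threshold)


def single_points_of_failure(register: List[RegisterEntry]) -> List[str]:
    """Critical/important functions served by exactly one provider with no exit strategy."""
    providers = defaultdict(set)
    exits = defaultdict(list)
    for e in ci_entries(register):
        providers[e.function].add(e.provider)
        exits[e.function].append(e.exit_strategy)
    return sorted(f for f, ps in providers.items() if len(ps) == 1 and not all(exits[f]))


if __name__ == "__main__":
    print("contract gaps:", contract_gaps(SAMPLE_REGISTER))
    print("concentration:", {p: sorted(f) for p, f in concentration(SAMPLE_REGISTER).items()})
    print("concentrated providers:", concentrated_providers(SAMPLE_REGISTER))
    print("single points of failure:", single_points_of_failure(SAMPLE_REGISTER))
```

In the sample register CloudCo looks like a two-function dependency on paper but is a three-function dependency once PayHub's sub-outsourcing is followed, which is exactly the concentration a register that stops at direct contracts would miss. The HR portal and marketing rows are deliberately out of scope for the gap check: DORA's enhanced clauses attach to arrangements supporting critical or important functions, not to every contract in the register.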
"DORA requires a holistic approach that combines ISMS methodology with offensive security. Financial entities that rely solely on documentation will fail at their first TLPT exercise. We combine ISO 27001 expertise with genuine red team experience - that is the only way to substantively satisfy DORA."

Oskar Braun

ISO 27001 Lead Auditor (IRCA certified) · AWARE7 GmbH

Implementation

Implementing DORA: The 6-Step Process

DORA has been in force since January 2025 - financial entities that have not yet started must act now. This structured process leads to demonstrable compliance.

01

Applicability assessment

Determine whether and to what extent DORA applies to your entity: classification under Art. 2 categories, review of proportionality rules, and identification of all relevant ICT systems and processes.

02

Gap analysis

Structured comparison of existing ICT risk management, incident processes, and third-party contracts against all DORA requirements. Output: prioritized action plan with effort estimates.

03

ICT risk management framework

Build or enhance the ICT risk management framework under Art. 5-16: asset inventory, risk assessment procedures, protective measures, Business Continuity Plan, and board-level anchoring.

04

Third-party register

Create and maintain the complete ICT third-party register per Art. 28. Criticality classification of all providers, contract updates to DORA minimum requirements, and concentration risk analysis.

05

Resilience testing programme

Establish an annual testing programme for vulnerability assessments and penetration tests per Art. 25. For significant institutions: preparation and execution of TLPT under TIBER-EU with accredited providers.

06

Continuous improvement

DORA demands not a one-off project but a living compliance system: annual updates of the third-party register, regular risk reviews, lessons from incident reports, and management reviews.

Relationship between frameworks

DORA and NIS2: Lex Specialis

For financial entities subject to both DORA and NIS2, DORA applies as sector-specific law (lex specialis) and takes precedence over the general NIS2 rules. Recital 16 DORA designates the regulation as lex specialis to NIS2, and Art. 4 NIS2 provides that where a sector-specific Union act contains cybersecurity risk-management or incident-reporting requirements at least equivalent in effect to those of NIS2, those sector-specific provisions apply instead of the corresponding NIS2 provisions.

In practice this means: DORA sets higher standards than NIS2 in the financial sector. Implementing DORA exceeds NIS2 minimum requirements. An integrated ISMS based on ISO 27001 provides the optimal foundation for both frameworks.

Shared requirements

Both frameworks
  • ICT risk management
  • Incident reporting obligations
  • Management accountability
  • Supply chain security

DORA-specific (takes precedence)

DORA only
  • TLPT under TIBER-EU (every 3 years)
  • Direct CTP regulation
  • 4-hour initial notification
  • Third-party register under Art. 28
  • Concentration risk analysis

NIS2-specific

NIS2 only
  • Cross-sector scope
  • National implementing legislation
  • National cybersecurity authority
  • Critical infrastructure classification

Why AWARE7 for DORA compliance

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting corporations are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - tailored to the Mittelstand, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing e-mails and are published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany, without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are permanent staff subject to social insurance contributions and bound by uniform legal obligations. VS-NfD-compliant on request.

Fixed price within 24 hours - predictable project timelines

Within 24 hours you receive a binding fixed-price quote: no hourly-rate risk, no follow-up charges, no surprises. A well-rehearsed team and standardised processes give you a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the first conversation to the re-test. You book appointments directly with your contact: no ticket systems, no call centre, no handovers between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mittelstand companies with 50 to 2,000 employees

Companies that need real security without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers and CISOs

Who have to make a convincing case internally and need a report written in board language, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German version).

Frequently asked questions about DORA

Answers to the most common questions about the Digital Operational Resilience Act and its requirements for financial entities.

What is DORA?

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, has been directly applicable in all EU member states since 17 January 2025. As an EU regulation - unlike the NIS2 Directive - DORA required no national transposition and applies directly. DORA requires financial entities to demonstrate and permanently maintain their digital operational resilience against ICT-related disruptions, cyberattacks, and system failures. The regulation creates the first harmonized framework for digital operational resilience across the entire European financial sector, and regulates not only financial entities themselves but also their critical ICT third-party providers directly.

Who is subject to DORA?

DORA applies to a broad spectrum of financial entities: credit institutions, investment firms, payment institutions, e-money institutions, insurance and reinsurance undertakings, institutions for occupational retirement provision (IORPs), UCITS management companies, AIFMs, crypto-asset service providers under MiCA, crowdfunding service providers, and central counterparties. For the first time, critical ICT third-party providers (CTPs) such as cloud providers and data centres are also overseen directly by the European Supervisory Authorities (EBA, ESMA, EIOPA). Microenterprises with fewer than 10 employees and annual turnover or balance sheet total of at most EUR 2 million benefit from reduced requirements under the proportionality principle.

What are the five DORA pillars?

DORA structures requirements into five pillars: First, ICT risk management (Art. 5-16): a comprehensive framework for identifying, assessing, and treating all ICT risks with personal board responsibility. Second, incident reporting (Art. 17-23): a harmonized EU-wide reporting system with a 4-hour initial notification, a 72-hour intermediate report, and a final report one month later. Third, resilience testing (Art. 24-27): annual baseline tests for all entities plus threat-led penetration testing (TLPT) under TIBER-EU for designated entities at least every three years. Fourth, ICT third-party risk management (Art. 28-44): complete ICT provider register, minimum contractual clauses, and direct oversight of critical providers. Fifth, information sharing (Art. 45): voluntary exchange of cyber threat intelligence within trusted communities.

How does DORA differ from NIS2?

DORA is an EU regulation and applies directly without national transposition, whereas NIS2 is a directive requiring implementation by member states. DORA is sector-specific for financial services and goes significantly further than NIS2 in its requirements: it mandates binding penetration tests (TLPT), directly regulates ICT third-party providers, and contains more detailed incident reporting obligations. For financial entities, DORA operates as lex specialis - where both frameworks overlap, DORA takes precedence. A DORA-compliant entity will typically also satisfy the corresponding NIS2 requirements.

What is Threat-Led Penetration Testing (TLPT)?

Threat-Led Penetration Testing (TLPT) is the European standard for advanced red team testing in the financial sector, based on the TIBER-EU framework developed by the ECB and the Eurosystem. Art. 26 DORA mandates TLPT at least every three years for financial entities identified by their competent authority on the basis of their size, risk profile, and importance for the financial system. Unlike conventional penetration tests, TLPT uses real threat intelligence as its foundation: an external threat intelligence provider first profiles the threat actors relevant to the institution, after which testers meeting the Art. 27 requirements conduct simulated attacks on live production systems. The TLPT authority validates the scope beforehand and, after receiving the summary of findings and the remediation plan, issues an attestation of the test.

What does the ICT third-party register require?

Art. 28 DORA requires all in-scope financial entities to maintain a comprehensive register of information on all contractual arrangements with ICT third-party providers, including criticality classification. The register must cover all contracts, services provided, sub-contractors, and an assessment of whether the provider supports critical or important functions. For arrangements supporting critical or important functions, enhanced contractual requirements apply: audit and inspection rights for the entity and its supervisors, defined service level agreements, exit strategies, and concentration risk analyses. Entities must report at least annually on new arrangements and make the register available to the supervisory authority on request. The ESAs may designate major providers such as cloud hyperscalers as critical ICT third-party providers (CTPs) subject to direct European oversight.

What are the incident reporting deadlines?

DORA establishes in Art. 17-23 a three-tier reporting system for major ICT-related incidents to the competent authority: The initial notification must be submitted within 4 hours of classifying an incident as major, and no later than 24 hours after the entity became aware of it; it contains first information, timing, and initial measures. The intermediate report follows no later than 72 hours after submission of the initial notification with an updated status, scope of impact, and containment measures. The final report must be submitted within one month of submitting the intermediate report and must include root cause, all measures taken, and lessons learned. Classification as major follows the Art. 18 criteria as detailed in the regulatory technical standards drafted jointly by the ESAs (Commission Delegated Regulation (EU) 2024/1772): clients and counterparts affected, duration and downtime of critical services, geographical spread, data losses, criticality of the services, and economic impact.

Does DORA apply to small financial entities?

DORA applies in principle to all financial entities listed in Art. 2, but includes a proportionality principle. Microenterprises with fewer than 10 employees and annual turnover or balance sheet total of at most EUR 2 million are covered by reduced requirements - in particular, they are not required to conduct TLPT exercises. Small and non-interconnected investment firms and certain other small entities listed in Art. 16 are subject to a simplified ICT risk management framework. However, the core obligations - ICT risk management, incident reporting, and basic resilience testing - apply to all in-scope entities regardless of size.

What sanctions does DORA provide?

DORA provides for significant sanctions: For financial entities, member states define the administrative penalties under Art. 50 DORA, and national supervisory authorities impose them alongside the sanctions of sectoral law (e.g., CRR, Solvency II). For critical ICT third-party providers (CTPs) under direct ESA oversight, Art. 35 DORA provides for periodic penalty payments of up to 1% of average daily worldwide turnover, imposed for each day of non-compliance for up to six months. Supervisors may also require entities to suspend or terminate the use of certain ICT service providers, order public disclosures, and in the case of serious violations take measures against management. Similar to NIS2, the management body bears personal responsibility for ICT risk management.

How does AWARE7 support DORA implementation?

AWARE7 guides financial entities throughout the DORA implementation journey: we begin with a scope assessment and a structured gap analysis against all DORA requirements. On this basis we develop a prioritized action plan and support the build-out of the ICT risk management framework, the third-party register, and incident management processes. As an offensive security company with OSCP-certified penetration testers, we conduct the annual resilience tests required under Art. 24 and 25 DORA and prepare designated institutions for TLPT under TIBER-EU.

DORA is already in force - act now

We analyse your DORA compliance gaps and create a prioritized action plan - concrete, actionable, and on a fixed-price basis.

Free · 30 minutes · No obligation