DORA for Financials

Financials symbolic picture

The Digital Operational Resilience Act (DORA), EU 2022/2554, is the European framework for digital operational resilience in the EU financial sector. With DORA, the EU aims to harmonize cybersecurity and resilient infrastructures in the financial market. Financial entities are partially exempted from NIS2 and instead extensively regulated by DORA.

  1. Entities
  2. Resilience
  3. Information
  4. Oversight
  5. Providers
  6. Roadmap
  7. in German

DORA has been in force since the beginning of 2023 and applies directly in all member states as an EU regulation. Unlike EU NIS2, DORA does not have to be transposed into national laws. DORA requirements must be applied by affected companies from January 2025 - by directly regulated financial companies, but also by many IT service providers with financial customers.

This is the English version of EU DORA article on EU financial services critical infrastructure regulation. The article is a summary for critical infrastructures – DORA is very complex.

Digital Operational Resilience Act

Resilience in the finance sector

DORA regulates the EU financial sector with extensive cybersecurity obligations and oversight:




DORA and NIS2 overlap for regulated entities in the financial sector and companies that provide services for the financial sector. Financial entities are largely exempt from NIS2 (except for registration with the BSI), however some IT service providers might be subject to double NIS2 and DORA regulation.

DORA entities NIS2 DORA obligations NIS2 scope
Financial entities Finance Entities Resilience requirements for financial entitites Excempt from NIS2 regulations except for registration, if regulated by DORA.
ICT third-party service providers if critical ICT Entities DORA requirements for ICT third-party service providers Regular NIS2 requirements


Obligations in DORA and NIS2 are similar – both require risk management of IT and services provided. DORA is more comprehensive and detailed than NIS2 – obligations are much more prescriptive and detailed.

Companies affected by DORA and NIS2 must translate between the obligations.


In DORA, financial entities are subject to supervision by national supervisory authorities (e.g. Germany BaFin, Bundesbank and also ECB), which cooperate with EU authorities; ICT third-party service providers are subject to direct EU supervision.

In NIS2, institutions are primarily supervized by national authorities (in Germany BSI, BNetzA).


Enterprises in scope


DORA regulates two types of companies in the EU: financial entities, which are directly affected, and ICT third-party service providers, which are indirectly affected.

Art. 2, Absätze 1, 2 DORA
Group Institution
Financial institutions
Art. 2 (1‑2)
Credit institution
Payment institutions
Account information institutions
Electronic money institutions
Investment firms
Crypto-asset service providers (EU 2023/1114)
issuers of asset-referenced tokens
Central securities depositorie
Central counterparties
Trading venues
Trade repositories
Managers of alternative investment funds
Management companies
Data reporting service providers
Insurance and reinsurance undertakings
Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
Institutions for occupational retirement provision
Credit rating agencies
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories
ICT third-party service providers
Art. 2 (1u)
Companies that provide ICT services Art. 3 No. 19
ICT services are digital services and data services provided via ICT systems to internal or external users, including hardware and technical support from hardware providers and software or firmware updates Art. 3 No. 21


There are exclusions for the financial entities affected by DORA: Art. 2 (3)

Difference to NIS2

When financial entities are regulated by DORA, they are excluded from NIS2. However, due to the exclusions in DORA, there are also financial companies that do not fall under the scope of DORA – these could be affected in turn by NIS2.

ICT third-party service providers regulated in DORA remain regulated in NIS2 if affected there.



Financial entities

DORA aims to achieve a high level of digital operational resilience within the EU and defines uniform requirements for the security of network and information systems that support the business processes of financial companies.

Financial entities regulated by DORA must implement resilience measures and provide evidence to supervisory authorities. Depending on their classification by the supervisory authority, critical ICT service providers are also regulated with separate DORA obligations.

own compilation as of April 2024
* - probably the part that provides services for financial companies
Requirement Financial entities Critical ICT third-parties
Scope Company Business area*
Risk management Art. 5, 6, 13, 16
Protection of IT Art. 7, 8, 9
Incidents and reaction Art. 10, 14
Resilience Art. 11, 12
Tests of Resilience Art. 24, 25, 26, 27 included
Management of third parties Art. 28, 29, 30 via contracts
Incident reporting Art. 17-23
Information exchange Art. 45
Requirements for critical service providers Art. 33


Risk management


Financial institutions must implement many ICT risk management measures for DORA. The basis for ICT risk management is an internal governance and control framework for the effective and prudent management of ICT risks. The definition, approval, monitoring and responsibility for this lies with the management. Art. 5

The ICT risk management framework must be integrated into risk management and include strategies, policies, procedures and IT tools to properly and adequately protect information, IT and physical assets. Art. 6

A dedicated role must be filled in senior management for the monitoring of ICT third-party service providers. The management body should keep its knowledge and skills about ICT risks up to date and complete training courses. Art. 5 (3-4)


The management must control and be responsible for the implementation of ICT risk management, which must include the following strategic guidelines and policies: Art. 5 (2)


ICT risk management must include a strategy for digital operational resilience with methods for translating risk management into action: Art. 6 (8)

Information and IT assets must be protected with strategies, guidelines, protocols and tools, and ICT risks must be minimized by appropriate measures. Art. 6 (2)(3)

Audits and Review

ICT risk management must be documented and reviewed and regularly improved at least annually or on special request. An independent control function should monitor and manage ICT risks, and financial companies should adhere to the three lines of defence. Art. 6 (4)(5)

Internal auditors should regularly audit the ICT risk management framework as part of the financial organisation's risk-based audit plan. This requires the necessary skills and knowledge. Art. 6 (6)(7)


Protection of IT

Resilient IT

To manage ICT risks, financial organisations must use ICT systems, protocols and tools that are appropriate, reliable, sufficiently dimensioned and technologically resilient. They must always keep these up to date. Art. 7

As part of ICT risk management, solutions and processes must be designed to be resilient and ensure the availability, authenticity, integrity and confidentiality of data. This includes secure data transmission, management, protection against unauthorized access and errors. Art. 9 (3)


In ICT risk management, all ICT-supported company functions, roles and responsibilities as well as supporting assets with roles and dependencies must be identified, classified and documented. Configurations, connections and dependencies of assets must also be recorded.

All sources of ICT risks, cyber threats and vulnerabilities must be continuously identified and changes to the network, IT systems and processes must be assessed. Third-party ICT service providers must be identified and evaluated. The information collected must be documented in corresponding inventories. Art. 8


Security and functionality of ICT systems must be continuously monitored and the impact of risks minimized. Resilience, continuity and availability of ICT systems must be ensured to maintain high standards of availability, authenticity, integrity and confidentiality of data. Art. 9

As part of ICT risk management, the following requirements must be implemented: Art. 9 (4)


Incidents and Reaction


Events like ICT security incidents and performance problems in networks must be recognized immediately and potential individual material vulnerabilities identified.

Incident management needs to define alarm thresholds and criteria, response processes and automated warning mechanisms with sufficient resources for monitoring user activities, anomalies and incidents. Art. 10


Financial organisations must have communication plans in place that enable appropriate disclosure of at least serious ICT incidents or vulnerabilities to clients and other financial organisations and the public.

Communication strategies must be in place for internal communication in the event of security incidents. With the implementation of the communication strategy, a role must be defined that fulfils tasks vis-à-vis the public and the media. Art. 14

Lessons Learned

There must be sufficient capacity to investigate vulnerabilities, threats, incidents and their impact on digital operational resilience. Training for IT security and digital operational resilience must be developed and made mandatory for all employees and management. Art. 13

Following disruptions caused by ICT incidents, the cause must be investigated and improvements identified (lessons learned). Results must be incorporated into risk management. Changes following an ICT incident must be communicated to authorities on request.


Business Continuity Management


A business continuity policy must be defined and implemented with BCM plans and methods to ensure the continuity of critical and important business functions and limit damage caused by ICT incidents through a rapid, appropriate and effective response. Art. 11

Business impact analyses (BIA) must be carried out.

Response and recovery plans must be implemented in ICT risk management and be subject to internal audits. The plans must be tested regularly, at least annually, including outsourcing and third-parties. Communication and crisis management measures must be defined.


Financial organisations must report to competent authorities, on request, the estimated aggregate annual costs and losses caused by serious ICT-related incidents. Art. 11 (10)


ICT systems and data must be restored with minimum downtime and losses, data recovery must not risk its availability, integrity or confidentiality. Backup systems must be tested regularly.

Guidelines and procedures for data backup must be defined based on the criticality and confidentiality of the data. Data backup systems must be physically and logically separated.

Redundancies in resources, capabilities and functions must be maintained for business. Art. 12


Resilience testing

Financial entities must test their digital operational resilience in the ICT risk management framework and define a resilience testing programme for this purpose. Risk-based tests must be conducted by independent internal or external auditors. Findings must be addressed. Art. 24


Appropriate tests of digital operational resilience must be carried out at least annually to cover all IT systems and applications that support critical and important functions at the financial organisation. Art. 24 (6)

The test program must include vulnerability scans, open source analyses, network security, physical security checks, software scans, source code tests, scenario-based tests, compatibility tests, performance tests, end-to-end tests and penetration tests. Art. 25

Penetration testing (TLPT)

Certain financial organisations, such as significant financial institutions, need to perform extended Threat Led Penetration Tests (TLPT) at least every three years. These pentests have to cover critical and important functions and be carried out on live production systems. Art. 26

ICT third-party service providers in the scope of TLPTs have to be involved in testing. Tests must implement controls to mitigate the risk of impact of the tests on data, assets and critical and important functions. Art. 26 (2-5)

Once the tests have been completed, reports and corrective action plans must be drawn up and a summary of the results submitted to the competent supervisory authority. The authority then certifies that tests have been carried out. Art. 26 (6-7)


Financial companies are subject to guidelines as to which testers they should contract. Major financial organisations need to carry out the tests externally; for others, they must be conducted externally every third cycle. Art. 26 (8)

Auditors who carry out TLPTs are subject to special requirements such as professional suitability, technical and organisational skills, specialist knowledge, certifications, compliance with formal codes of conduct and insurance. Art. 27


Management of ICT third parties

Financial organisations must address risks of using ICT third parties (service providers) in their risk management. Responsibility for compliance with DORA requirements remains with the financial institution, even if they outsource business functions to ICT service providers with corresponding agreements. Art. 28 (1)


ICT third-party risk strategy must include guidelines for ICT third-party service providers that support critical and important functions at the institution. Management must regularly review all risks arising from ICT services supporting critical and important functions. Art. 28 (2)

Provider audits

Financial entities must audit their service providers on a regular basis. To this end, they define the frequency of audits and inspections as well as the areas to be audited and the exercise of access, inspection and audit rights at the third-party ICT service provider.

Financial organisations must ensure that internal and external auditors have the skills to audit and assess the contractual services appropriately, especially if the services are highly technically complex. Art. 28 (6)

Concentration risk

When planning the conclusion of contracts for ICT services, financial organisations must take particular account of the risks that arise: Art. 29 (1)

Financial organisations must weigh up the benefits and costs of alternative solutions, such as using different service providers, and consider whether and how the planned solutions meet the business needs and objectives set out in the digital resilience strategy.

Provider register

Financial entities must keep a register of contractual agreements with ICT third-party service providers, including whether services support critical or important functions. New agreements, service provider categories and services provided must be reported to the competent authority at least once a year.

The complete register must be provided to the competent authority upon request. If service provider are planned to support critical or important functions, the competent authority must be informed Art. 28 (3)


Financial entities must consider the risks of subcontracting in contracts with third-party ICT service providers. When subcontracting support for critical or important functions, financial organisations must consider the following: Art. 29 (2)


Contract requirements

Evaluation of providers

Before concluding contracts with ICT service providers, financial companies must: Art. 28 (4)

Contractual agreements with ICT third-party service providers may only be concluded if they comply with appropriate information security standards. If critical or important functions are supported, companies must ensure service providers apply the highes information security standards. Art. 28 (5)


Financial companies must be able to terminate service contracts in case of: Art. 28 (7)

Exit strategies

Financial companies must have exit strategies for ICT services that support critical or important functions. These must ensure maintaining business activities, compliance with regulatory requirements and continuity and quality of the services provided to customers.

Exit strategies must include concrete exit plans, alternative solutions and workarounds, as well as appropriate contingency measures for the continuation of business operations if restrictions do occur in the course of an exit. Art. 28 (8)


Contracts with ICT third-party service providers must clearly assign the rights and obligations of the financial company and the service provider and document them in writing. Art. 30 DORA prescribes specific aspects for service provider contracts, including:

Contracts for services supporting critical or important functions must fulfil higher requirements with more requirements, in particular monitoring and audit rights for financial companies and exit strategies that enable companies to change providers or switch to internal solutions.

ESA will develop technical standards (RTS) to specifyaspects that a financial organisation must evaluate when subcontracting ICT services that support critical or important functions.




DORA does not set out requirements for the registration of affected financial companies with competent authorities. Financial companies register with the competent supervisory authorities as part of (regular) national market entry procedures.


Incident reporting

Financial entities must report ICT incidents to relevant supervisory authorities and implement comprehensive internal and external processes. This includes detection, handling and reporting of incidents. All ICT-related incidents and significant cyber threats must be recorded.


Incident management processes must include indicators, procedures for detection, tracking, logging, categorisation and classification, and communication plans (employees, stakeholders, media and customers). Serious incidents must be reported to senior management. Art. 17

ICT incidents must be classified and their impact assessed. Criteria include number of affected customers, duration and geographical spread of the incident, loss of availability, authenticity, integrity or confidentiality of data, criticality of the affected services and economic impact.

Cyber threats must also be assessed using analogue criteria. Art. 18


Financial entities must report serious ICT incidents to the competent authority. In the case of credit institutions classified as significant, this report is forwarded by the authority to the ECB.

If a serious ICT incident has an impact on the financial interests of customers, entities must inform customers of the incident. Cyber threats can be reported if the threat is relevant to the financial system, users of the service or customers. Art. 19

For reporting serious ICT incidents and cyber threats and reporting deadlines, ESA will develop technical standards (RTS) with ENISA and the ECB and explore the establishment of an EU platform for reporting serious ICT incidents. Art. 20 Art. 21

Feedback by authorities

Supervisory authorities shall acknowledge reports of serious ICT incidents and provide guidance as appropriate. This may include the provision of relevant anonymized information and intelligence on similar threats and remedial actions. Art. 22

The requirements also apply to payment-related operational or security incidents, including those of a serious nature, if they concern credit institutions, payment institutions, account information service providers and e-money institutions. Art. 23


Information exchange

Financial organisations can share information and intelligence about threats, such as indicators, tactics, techniques and procedures, warnings and tools. Participation in such information exchange is voluntary. Recital 34

The exchange of information and insights is intended to strengthen the digital operational resilience of financial organisations, with agreements to protect sensitive information. Art. 45

If financial undertakings enter into or terminate such an exchange, they must notify the competent supervisory authority accordingly.



National supervision

In DORA, financial companies are supervized nationally by competent authorities, which are defined in various other EU regulations to which DORA refers. Art. 46

Critical third-party ICT service providers are monitored separately by EU.


EU supervision

In addition to the national supervision of financial entities, there is cooperation between EU supervisory authorities and mechanisms: ESA, JON and cooperation with national authorities.

European Supervisory Authorities (ESA)

ESA are the three European Supervisory Authorities which, together with the European Systemic Risk Board (ESRB), form part of the European System of Financial Supervision (ESFS):

Joint Oversight Network (JON)

The supervisory authorities EIOPA, ESMA and EBA are setting up a Joint Oversight Network (JON) to coordinate the supervisory activities of ICT third-party service providers. The ECB and ENISA may be asked for ad hoc technical advice or to participate in meetings. Art. 34

Cooperation with NIS2 authorities

ESA and competent authorities may participate in the NIS2 Cooperation Group as part of their supervision of financial entities. They may request participation in topics concerning ICT service providers that are NIS2 entities and critical ICT service providers under DORA. The authorities for DORA and NIS2 should coordinate their activities. Art. 47

Cooperation is also planned in the reporting system so that financial supervisory authorities can also pass on details of serious ICT incidents to non-financial authorities, e.g. competent authorities under NIS2. Recital 52


Competent authorities under DORA (ESA, ENISA, national authorities, etc.) should establish information exchange in financial sectors. They should develop crisis and contingency plans for cyber-attacks to analyse the interdependencies of the financial sector with other sectors and develop a coordinated response at EU level. Art. 49


ESA is developing technical standards (RTS) together with ENISA and the ECB. Art. 15



ICT risk management framework of financial entities must be regularly reviewed:

Reports must be submitted at the request of the competent supervisory authority. Art. 6 (5) The national supervisory authorities use these reports to check the consistency of the ICT risk management framework. Art. 4 (3)

If a simplified ICT risk management framework is applied, it must be documented and reviewed in accordance with regulatory instructions on a regular basis and when serious ICT-related incidents occur. Art. 16 (2)


IT Providers

Critical ICT third party service providers

Some IT providers that serve financial entities in the EU are categorized critical by ESA and monitored by an EU lead overseer. These critical third-party ICT service providers that provide high-risk services for financial entities must implement provider-specific DORA obligations.

Critical how?

The ESA (European Supervisory Authorities) categorise critical ICT third-party service providers based on several criteria: Art. 31

If a ICT third-party service provider is part of a larger group, the above criteria must be applied to the ICT services provided in the overall group structure, regardless of the company structure. This should ensure an accurate assessment of service providers. Recital 77

The ESA publish a list of service providers categorized as critical on an annual basis.


The following entities cannot be categorized as critical: Art. 31 (8)

Overlap with NIS2

For critical ICT service providers under DORA, there are overlaps and duplications with NIS2. Companies are potentially subject to multiple regulation with DORA obligations as a critical ICT service provider and NIS2 obligations as an organisation under NIS2. DORA identifies cloud computing service providers as infrastructure that also falls under NIS2.w Recital 20


Critical service providers

Critical ICT third-party service providers are monitored by an EU authority and assessed in ICT risk management. To this end, critical ICT service providers must fulfil many obligations: Art. 33

Own compilation as of April 2024
* - Probably the part that provides services for financial entities.
Obligation Critical ICT third-parties
Scope Business area*
Governance Art. 33 (3d)
Risk management Art. 33 (2)(3c)
IT protection Art. 33 (3a)
Physical security Art. 33 (3b)
Detection, response and incident reporting Art. 33 (3e)
Portability and interoperability Art. 33 (3f)
Tests and ICT audits Art. 33 (3g)(3h)
Application of relevant standards Art. 33 (3i)
Third-party management Art. 28, 29, 30 Via contracts
Resilience testing Art. 24, 25, 26, 27 Inclusion


ICT risk management in DORA must include all ICT services and processes that support critical or important functions of financial organisations. To this end, service providers must assess which services they use to pose ICT risks to financial entities, and implement DORA measures within this scope. Art. 33 (2)


Governance: Organisational structures and governance rules with clear responsibility and accountability for effective ICT risk management. Art. 33 (3) d

Risk management: Processes and policies for ICT risk management, business continuity (BCM) and IT emergency plans (ICT response and recovery plans). Art. 33 (3) c

Standards: Utilisation of relevant national and international standards in services to financial entities. Art. 33 (3) i

Interoperability: Mechanisms for data and application portability and interoperability, for effective termination rights of financial entities. Art. 33 (3) f

Technical security

IT protection: Measures for IT and TC to protect the services provided by ICT service providers for financial entities - in particular the security, availability, continuity, scalability and quality of services. This also includes data security. Art. 33 (3) a

Physical security: Protection of buildings, properties and data centres, and physical security that supports IT security. Art. 33 (3) b

Detection and incidents: Identification, monitoring and reporting of IT incidents to financial organisations and handling and remediation of these incidents and cyber attacks. Art. 33 (3) e

Tests and Audits: Testing of systems, infrastructure and controls, IT audits. Art. 33 (3) g/h


In addition to their own DORA obligations, ICT third-party service providers must also implement contractual obligations of their financial clients that arise from the DORA-prescribed provider management in contracts; they must actively participate in some obligations of financial entities.


Critical ICT third-party service providers are monitored annually by their supervisory authority for compliance with the above-mentioned obligations under Art. 33 (3). Competent authority carries out the assessment with a clear, detailed monitoring plan containing annual monitoring objectives and measures. Art. 33 (4)

The monitoring plan is sent as a draft to the critical ICT service providers, who can then propose solutions within 15 days if the monitoring activities lead to risks and negative effects for their customers outside DORA.


Supervision of service providers

ESA, European Supervisory Authorities, appoint EIOPA, ESMA or EBA as the lead supervisory authority for each critical third-party ICT service provider. Art. 33 (1b) Critical ICT third-party service providers are therefore under the direct supervision of an EU financial authority.

Monitoring forum

A monitoring forum will support the competent EU supervisory authorities on risks from ICT third parties. The forum develops common positions, discusses risks and vulnerabilities and promotes an approach to monitoring. Art. 32

Powers of the supervisory authorities

In order to assess whether critical third-party ICT service providers fulfil their DORA obligations, EU supervisory authorities have far-reaching powers over service providers:

ESA are developing technical standards (RTS) to specify the requirements for ICT third-party service providers for duties and monitoring activities. Art. 41


After monitoring activities, authorities can request reports on measures from the service providers and make recommendations for improvement. Authorities will coordinate with each other, including with NIS2 authorities, in order to avoid overlapping technical and organisational measures. Art. 35 (2)

Audit team

Authorities are supported in their activities, such as investigations and inspections, by a monitoring team that is set up for each critical ICT service provider. Art. 40

Register of providers

ESA will publish a list of ICT service providers categorized as critical on an annual basis. Art. 31





EU Parliament and Council adopted the DORA Regulation (2022/2554) on 14 December 2022. DORA entered into force on 17 January 2023 and will be applied from 17 January 2025.

DORA process, as of March 2024, from: EU PE 738.197
Version Status Date Actor
DORA Draft Sep 2020 Commission
DORA Consent DORA Dec 2022 EU Parliament
DORA Acceptance DORA Dec 2022 Council of the EU
DORA Publication Dec 2022 Official journal
DORA Entry into force Jan 2023 Member states
RTS/ITS Final draft Jan 2024 ESA
Guidelines in coordination July 2024 ESA
RTS/ITS/Guidelines Publication 2024 Official journal
DORA Implementation Jan 2025 Affected companies in member states

DORA framework

European Supervisory Authorities EBA, EIPOA and ESMA must publish supplementary regulatory technical standards (RTS) and technical implementing standards (ITS) by 17 July 2024 to specify individual requirements from DORA.

Accompanying specifications for DORA, own compilation April 2024
Type Topic Status DORA Target group
Delegated act Fees for critical ICT third-party service providers at public authorities Draft Art. 43 (2) Authorities
Third-party ICT service providers
Delegated act Criteria for the categorisation of critical ICT third-party service providers Draft Art. 31 (6) Authorities
Third-party ICT service providers
RTS ICT risk management framework Draft Art. 15
Art. 16 (3)
Financial entity
Guideline Estimation of costs and losses due to ICT incidents Consultation Art. 11 (11) Financial entity
ITS Template for agreements on the use of ICT third party servicesr Draft Art. 28 (9) Financial entity
RTS Minimum content for the guideline for ICT services Draft Art. 28 (10) Financial entity
RTS Aspects of the procurement of ICT services Consultation Art. 30 (5) Financial entity
RTS Threat-led Penetration Tests Consultation Art. 26 (11) Financial entity
RTS Criteria for the classification of security incidents Draft Art. 18 (3) Financial entity
RTS Reporting and deadlines for ICT security incidents Consultation Art. 20 a) Financial entity
ITS Templates for reporting ICT incidents or cyber threats Consultation Art. 20 b) Financial entity
RTS Harmonisation of monitoring measures Consultation Art. 41 ICT third-party service providers
Guideline Cooperation between ESA and competent authorities Consultation Art. 32 (7) Authorities
ICT‑Third-party service providers


DORA is to be reviewed periodically by the Commission after consultation with the ESA and the ESRB, with the first report in January 2028.


Further Information


  1. European System of Financial Supervision, European Central Bank, 2024.
  2. ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification, European Securities and Markets Authority, 17.01.2024.


  1. REGULATION (EU) 2022/2554 (DORA), on digital operational resilience for the financial sector, 14 December 2022