
DORA Compliance: Digital Operational Resilience Act Requirements for Financial Services

The Digital Operational Resilience Act (DORA) is the EU's framework for ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions. It creates comprehensive documentation requirements across risk management, incident reporting, resilience testing, and third-party oversight.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554), commonly known as DORA, is an EU regulation that establishes a single, harmonised framework for managing ICT risk across the financial sector. Its premise is that digital operational resilience is not only a technology concern but a precondition for financial stability: an outage or compromise at one institution or shared provider can propagate across the system.

DORA entered into force on 16 January 2023 and has applied since 17 January 2025. It applies to virtually all regulated financial entities in the EU — banks, insurers, investment firms, payment institutions, crypto-asset service providers — as well as their critical ICT third-party service providers.

Unlike the earlier patchwork of supervisory guidelines, DORA is a directly applicable regulation. It does not need to be transposed into national law, and its requirements have been binding on all entities within scope since the application date. The detailed rules sit in the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) drafted by the European Supervisory Authorities (ESAs) and adopted by the Commission, so the Level 1 text should always be read together with them.

DORA Compliance Requirements: The Five Pillars

The Digital Operational Resilience Act is structured around five core pillars, each creating specific documentation and governance requirements.

1. ICT Risk Management (Chapter II)

Establish and maintain a comprehensive ICT risk management framework, approved and overseen by the management body, covering governance arrangements, identification and assessment of ICT risk, protection and prevention measures, detection capabilities, and response and recovery procedures. The framework must be documented and reviewed at least yearly and after major incidents.

2. ICT-Related Incident Reporting (Chapter III)

Implement processes to detect, manage, classify, and report ICT-related incidents. Incidents classified as major must be reported to the national competent authority in three stages (Article 19): an initial notification, an intermediate report, and a final report, each with its own deadline set in the accompanying RTS (the initial notification is due within four hours of classifying the incident as major and no later than 24 hours after the entity becomes aware of it). Post-incident reviews must be conducted and documented, and clients must be informed where an incident affects their financial interests.

3. Digital Operational Resilience Testing (Chapter IV)

Conduct regular, risk-based testing of ICT systems and tools. ICT systems supporting critical or important functions must be tested at least yearly using basic techniques such as vulnerability assessments and scans, network security assessments, gap analyses, source code reviews, and penetration testing (Article 25). Entities identified by their competent authority as significant must additionally run threat-led penetration testing (TLPT) on live production systems at least every three years (Article 26). Every test must end in documented findings and a remediation plan.

4. ICT Third-Party Risk Management (Chapter V)

Manage risks from ICT third-party service providers through pre-contractual due diligence, contractual requirements (Article 30), ongoing monitoring, exit strategies for services supporting critical or important functions, and the mandatory register of information recording all ICT service arrangements (Article 28(3)). Chapter V also establishes the oversight framework under which the ESAs directly supervise providers designated as critical.

5. Information Sharing (Chapter VI)

Exchange cyber threat information and intelligence with other financial entities under voluntary sharing arrangements (Article 45). Participation is not mandatory, but entities that take part must notify their competent authority. Separately, the ICT risk management framework requires every entity to have the capability and staff to gather information on vulnerabilities and cyber threats and analyse its likely impact (Article 13), so incoming threat intelligence must feed into the risk process regardless of whether the entity joins a sharing arrangement.

DORA Document Requirements

DORA creates extensive documentation obligations. Financial entities must produce, maintain, and make available to supervisory authorities a range of documents evidencing their compliance.

Register of Information

A mandatory register of all contractual arrangements with ICT third-party service providers, including service descriptions, whether the service supports a critical or important function, subcontractor chains, and data storage and processing locations. It must be maintained at entity level and, where applicable, at sub-consolidated and consolidated level, in the templates set out in the ITS, and submitted to the competent authority on request and at least yearly.


ICT Risk Management Policies

Documented ICT risk management framework approved by the management body, including risk appetite, tolerance levels, identification procedures, and mitigation strategies.

Incident Response Documentation

Incident classification procedures, response plans, communication protocols, escalation procedures, and post-incident review documentation.

ICT Third-Party Contractual Requirements

Contracts with ICT service providers must include the provisions set out in Article 30, covering service descriptions and levels, data locations, termination rights and notice periods, audit and access rights, and subcontracting arrangements. Contracts for services supporting critical or important functions carry additional requirements, including quantitative service-level targets, incident assistance, participation in TLPT, and documented exit strategies.

Resilience Testing Documentation

Test plans, methodologies, results, remediation actions, and management sign-off for all operational resilience testing activities.

Business Continuity Documentation

ICT business continuity policies, disaster recovery plans, communication plans, and documentation of regular testing and updates.

Is the Digital Operational Resilience Act Applicable to the UK?

DORA is an EU regulation and does not directly apply to UK-only firms following Brexit. However, UK financial entities are affected in several important ways:

  • EU operations: UK firms with EU-authorised subsidiaries or branches must comply with DORA for those entities.
  • EU clients: DORA's scope follows EU authorisation, not client location, so a UK firm with no EU-authorised entity is not itself in scope. In practice, EU financial entities that it serves will pass DORA's contractual requirements down to it wherever it acts as their ICT service provider.
  • ICT service providers: UK-based ICT service providers to EU-regulated financial entities may be designated as critical third-party providers and become subject to direct oversight by the European Supervisory Authorities. A critical provider established outside the EU must set up a subsidiary in the EU within 12 months of designation.
  • UK framework: The FCA and PRA have their own operational resilience framework (PS21/3 and SS1/21), which shares similar objectives with DORA, and the UK has introduced a separate critical third parties regime under the Financial Services and Markets Act 2023. UK firms subject to both the UK and EU frameworks will need to manage overlapping requirements.

DORA Compliance Timeline

Key dates in the DORA compliance timeline:

27 December 2022

DORA published in the Official Journal of the EU

16 January 2023

DORA entered into force

17 January and 17 July 2024

Final draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) submitted to the European Commission by the ESAs in two batches

17 January 2025

DORA application date — all requirements now apply to entities in scope

30 April 2025

Deadline for national competent authorities to submit the first registers of information to the ESAs; the deadlines for financial entities to file their registers with their own authority fell earlier and were set nationally

2025 onwards

Ongoing supervisory activity, including designation and oversight of critical ICT third-party providers

How ComplyLoft Auditor Supports DORA Compliance

The ComplyLoft Auditor can be configured with DORA requirements as the assessment framework. It reviews documents, policies, and contractual arrangements against DORA criteria and flags potential gaps that need human attention.

  • Audit ICT risk management documentation against DORA Chapter II requirements
  • Review ICT third-party contracts for DORA-mandated provisions
  • Support register of information completeness checks across ICT service arrangements
  • Assess incident response documentation against reporting requirements
  • Generate audit trail documentation for supervisory examinations

ComplyLoft Auditor identifies potential compliance gaps and provides a structured starting point for review. All outputs require human review and sign-off. ComplyLoft does not guarantee compliance.

DORA Non-Compliance Penalties

National competent authorities have the power to impose administrative penalties and remedial measures on financial entities that fail to comply with DORA. The penalty framework includes:

  • Administrative fines determined by each member state's national legislation
  • Public notices identifying the entity and the nature of the breach
  • Orders to cease non-compliant conduct and take specific remedial actions
  • Supervisory restrictions on activities or services

Critical ICT third-party providers are subject to a separate oversight regime conducted directly by the European Supervisory Authorities (ESAs). The Lead Overseer can impose periodic penalty payments of 1% of the provider's average daily worldwide turnover in the preceding business year, applied daily for up to six months, to compel compliance with its recommendations (Article 35).

Frequently Asked Questions

What is DORA compliance?
DORA compliance refers to meeting the requirements of the Digital Operational Resilience Act (EU Regulation 2022/2554). It requires financial entities to establish comprehensive ICT risk management frameworks, incident reporting procedures, resilience testing programmes, and third-party risk management processes — all supported by detailed documentation.
Who does the Digital Operational Resilience Act apply to?
DORA applies to virtually all regulated financial entities in the EU, including banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers. ICT third-party service providers, inside or outside the EU, are not directly in scope unless designated as critical; critical providers fall under the ESAs' oversight framework, and those established outside the EU must set up an EU subsidiary within 12 months of designation. All other providers are reached indirectly through the contractual requirements their financial-entity clients must impose.
When does DORA come into force?
The Digital Operational Resilience Act entered into force on 16 January 2023 and has applied since 17 January 2025. Financial entities and their ICT third-party providers must now comply with all DORA requirements. Supervisory authorities are actively monitoring compliance.
Is DORA applicable to the UK?
DORA is an EU regulation and does not directly apply to UK-only firms post-Brexit. UK financial entities with EU-authorised subsidiaries or branches are in scope for those entities, and UK firms providing ICT services to EU-regulated entities will see DORA's contractual requirements flowed down to them and may fall under the ESAs' oversight framework if designated as critical. Additionally, the FCA and PRA have their own operational resilience framework with similar objectives.
What are the DORA compliance requirements?
DORA has five pillars: ICT risk management (governance, policies, procedures), ICT-related incident reporting (classification, notification, post-incident review), digital operational resilience testing (basic and advanced testing programmes), ICT third-party risk management (register of information, due diligence, contractual requirements), and information sharing (voluntary threat intelligence exchange between financial entities).
What is the DORA register of information?
The register of information is a mandatory requirement under DORA Article 28(3). Financial entities must maintain a comprehensive register of all contractual arrangements with ICT third-party service providers, at entity level and, where applicable, at sub-consolidated and consolidated level. The register must include contract details, service descriptions, whether each service supports a critical or important function, subcontractor chains, and data location information, in the templates defined by the ITS. It must be submitted to the national competent authority on request and at least yearly.
What are the penalties for DORA non-compliance?
National competent authorities can impose administrative penalties and remedial measures on financial entities that fail to comply with DORA. Penalties vary by member state but can include fines, public notices, orders to cease non-compliant practices, and supervisory restrictions. Critical ICT third-party providers are subject to direct oversight by European Supervisory Authorities.

Prepare for DORA Compliance

Request a demo to see how ComplyLoft Auditor helps financial entities identify documentation gaps and support DORA compliance workflows.
