
# DORA IT definition

Digital Operational Resilience Act: the EU regulation that imposes strict IT resilience requirements on financial institutions, in force since January 2025.

DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) is the European regulation that imposes stricter digital operational resilience requirements on financial institutions and their critical IT providers. In force since 17 January 2025, it has a direct impact on the IT governance, cybersecurity, and IT-vendor management of any financial entity operating in the European Union.

Its ambition is to harmonize and toughen, at European scale, the previously scattered IT-resilience requirements of the financial sector (EBA guidelines, ECB recommendations, local supervisors), and to extend supervision to critical IT vendors (cloud providers, business-critical SaaS vendors, market operators).

## Who is subject to DORA

DORA covers a very wide perimeter:

  • Banks (credit institutions).
  • Insurance and reinsurance.
  • Investment firms and fund managers.
  • Payment service providers and e-money institutions.
  • Crypto-asset platforms (MiCA-compliant).
  • Market infrastructures: exchanges, clearing houses, depositories.
  • Designated critical IT providers: hyperscalers, business-critical SaaS vendors, outsourcing providers.

More than 22,000 entities are directly concerned in Europe, with indirect impact on hundreds of thousands of IT suppliers.

## The five pillars of DORA

DORA is organized around five core requirements:

### 1. IT risk management (Chapter II)

Set up a documented IT risk management framework, validated by senior management and updated annually. It covers identification of critical assets, impact analysis, and business continuity and disaster recovery (BCP / DRP) plans.

### 2. IT incident management (Chapter III)

A formal procedure to detect, classify, notify, and report major IT incidents: initial notification within 4 hours for critical incidents, an intermediate report at 72 h, and a final report at 1 month.

### 3. Resilience testing (Chapter IV)

An annual test program: functional tests, vulnerability scans, audits, simulations. For the most critical entities (~10 %), Threat-Led Penetration Testing (TLPT) every 3 years, based on the TIBER-EU framework.

### 4. Third-party IT risk management (Chapter V)

Complete mapping of IT vendors, framed contracts (mandatory clauses: audit, exit, subcontracting), continuous assessment, and exit plans. Critical IT providers are designated and placed under direct European supervision.

### 5. Information sharing (Chapter VI)

Voluntary exchange of cyber-threat intelligence between financial entities, via framework agreements.

## Sanctions

DORA sanctions are severe:

  • Administrative fines: up to 1 % of daily global turnover per day of violation (for up to 6 months).
  • Individual sanctions for executives (up to €1M).
  • Activity suspension in extreme cases.
  • Publication of sanctions on the supervisor's website.

## DORA and application mapping

DORA explicitly requires (article 8) a complete mapping of critical IT assets and their interdependencies. This obligation goes well beyond a static Excel inventory:

  • Continuous identification of critical applications, infrastructure, data.
  • Mapping of dependencies with external IT vendors.
  • Link between IT assets and critical business processes.
  • Continuous, auditable updates.

This is exactly what Kabeen provides: a live IT-estate graph, exploitable for DORA compliance and auditable to the ECB or local supervisors.
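As an added example (not Kabeen's code and not text from the regulation), the following Python sketches how such a dependency mapping can be queried rather than merely stored: given a graph of constructed, hypothetical business processes, applications, infrastructure and external vendors, it answers which critical processes a given asset or vendor outage would hit, and which vendors underpin several critical processes at once (third-party concentration risk).

```python
"""Query a DORA-style asset map: which critical business processes depend,
directly or transitively, on a given IT asset or external vendor.
Added example (not Kabeen's code); all names below are constructed sample data."""
from collections import deque

# Constructed dependency map: node -> the nodes it relies on. Business processes
# depend on applications, applications on infrastructure, and infrastructure on
# external vendors (leaf nodes, prefixed "vendor:").
DEPENDS_ON = {
    "process:payments": {"app:core-banking", "app:fraud-scoring"},
    "process:trading": {"app:order-mgmt"},
    "process:client-onboarding": {"app:kyc-portal"},
    "app:core-banking": {"infra:db-cluster", "infra:k8s-prod"},
    "app:fraud-scoring": {"infra:k8s-prod", "vendor:ml-saas"},
    "app:order-mgmt": {"infra:k8s-prod", "vendor:market-data-feed"},
    "app:kyc-portal": {"vendor:id-verification-saas"},
    "infra:db-cluster": {"vendor:cloud-provider-a"},
    "infra:k8s-prod": {"vendor:cloud-provider-a"},
}
# Processes the (hypothetical) entity has classified as critical or important.
CRITICAL_PROCESSES = {"process:payments", "process:trading", "process:client-onboarding"}

def transitive_deps(node):
    """All assets and vendors reachable from `node` (breadth-first walk)."""
    seen, queue = set(), deque([node])
    while queue:
        for dep in DEPENDS_ON.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def impacted_processes(asset):
    """Critical processes whose dependency chain contains `asset`: the impact
    analysis needed when that asset or vendor fails."""
    return {p for p in CRITICAL_PROCESSES if asset in transitive_deps(p)}

def concentration_risks(min_processes=2):
    """External vendors underpinning at least `min_processes` critical processes,
    i.e. third-party concentration risk (one vendor outage hits several processes)."""
    vendors = {d for deps in DEPENDS_ON.values() for d in deps if d.startswith("vendor:")}
    risks = {v: impacted_processes(v) for v in vendors}
    return {v: ps for v, ps in risks.items() if len(ps) >= min_processes}

if __name__ == "__main__":
    print(sorted(impacted_processes("vendor:cloud-provider-a")))
    print(concentration_risks())
```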

## DORA and [NIS2](/en/glossary/nis2)

DORA is lex specialis relative to NIS2: for cybersecurity, financial entities are subject to DORA rather than NIS2. But both regulations share a common logic (risk management, incident notification, third-party supervision), and many non-financial companies look at DORA to anticipate how NIS2 will evolve.

## Compliance roadmap

A typical program runs 12 to 18 months:

  1. Gap analysis against the regulation.
  2. Mapping of critical assets and dependencies.
  3. Contractual review of IT vendors.
  4. Strengthening of the risk management framework and continuity plans.
  5. Implementation of incident reporting.
  6. Resilience testing program.
  7. Internal audit and annual report.

## Complementary standards and references

  • ISO 27001: information security management.
  • ISO 22301: business continuity.
  • NIST CSF: cybersecurity.
  • CRI Profile: financial sector cyber risk profile.
  • TIBER-EU: Threat-Led Penetration Testing framework.

## Frequently asked questions

### What is DORA?

DORA (Digital Operational Resilience Act, EU Regulation 2022/2554) is the European regulation that imposes stricter digital operational resilience requirements on financial institutions. In force since 17 January 2025, it covers IT risk management, incidents, resilience testing, IT vendors, and information sharing, with fines up to 1 % of daily global turnover.

### Who is subject to DORA?

More than 22,000 European financial entities: banks, insurance, fund managers, payment service providers, crypto platforms, market infrastructures. But also their critical IT vendors (hyperscalers, business-critical SaaS vendors, outsourcing providers), designated by European supervisors and subject to direct control.

### What is the difference between DORA and NIS2?

DORA and NIS2 share a common logic (risk management, incident notification, third-party supervision), but DORA is lex specialis for the financial sector: financial entities are subject to DORA, not NIS2. NIS2 covers 18 other critical sectors (energy, healthcare, transport, water, public administration). Many non-financial organizations look at DORA to anticipate how NIS2 will evolve.

### How do you comply with DORA?

A typical 12 to 18 month roadmap: (1) gap analysis against the regulation, (2) mapping of critical assets and dependencies (article 8), (3) contractual review of IT vendors with mandatory clauses, (4) strengthening of the risk management framework and BCP/DRP, (5) incident notification procedure (4 h for critical incidents), (6) annual resilience testing program, (7) internal audit and annual report.
