The Digital Operational Resilience Act (DORA) entered full enforcement in January 2025, and in 2026 every financial institution with EU operations faces active examination risk. DORA is not an IT checklist — it is binding EU regulation setting mandatory standards for ICT risk management, incident reporting, operational resilience testing, and third-party oversight.
What Is DORA?
DORA (Regulation (EU) 2022/2554) establishes a harmonised digital operational resilience framework across the EU financial sector. It replaced national IT risk rules with a single, directly applicable regulation covering banks, investment firms, insurance companies, payment service providers, crypto-asset service providers, and their critical ICT third-party service providers, including cloud providers and software vendors.
DORA has five pillars: (1) ICT risk management, (2) ICT-related incident classification and reporting, (3) digital operational resilience testing, (4) ICT third-party risk management, and (5) information and intelligence sharing.
Which Institutions Are in Scope
DORA has broad jurisdictional reach. US-headquartered banks with EU-licensed entities, EU branches, or significant EU customer bases are in scope through their EU subsidiaries. The regulation applies to approximately 22,000 financial entities across the EU. If your bank has an EU banking licence or provides services to EU clients through a regulated entity, your ICT systems supporting those operations are subject to DORA.
DORA's Five Compliance Pillars
1. ICT Risk Management
Institutions must maintain a comprehensive ICT risk management framework: a risk register covering all ICT assets, documented continuity and recovery plans, and regular internal reviews. The ICT risk function must report to the management body. Banks must identify, classify, and document all ICT assets supporting critical functions with formal RTO/RPO (recovery time objective / recovery point objective) targets.
2. Incident Classification and Reporting
DORA mandates a three-stage reporting cycle for major ICT incidents: initial notification within 4 hours of classification, intermediate report within 72 hours, and final report within one month. Institutions must maintain incident logs and a monitoring function capable of triggering the reporting workflow.
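The practical difficulty with the three-stage cycle is that the clocks start at classification, not at detection, and an incident log that does not record the classification timestamp cannot tell you when each report falls due. The following is an added illustration written for this article, not part of the regulation text or any vendor product: a minimal incident-log model that records the major-incident classification event, derives the three deadlines from it using the windows stated above, and reports what is outstanding or overdue at a given time. The article does not say which event starts the one-month clock, so the example anchors all three deadlines to the classification timestamp and approximates one month as 30 days; both are assumptions, as are the incident reference and timestamps, which are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows as stated in the article for DORA's three-stage cycle.
# Assumptions for this example: all three windows are measured from the
# classification timestamp, and "one month" is approximated as 30 days.
REPORT_WINDOWS = {
    "initial": timedelta(hours=4),
    "intermediate": timedelta(hours=72),
    "final": timedelta(days=30),
}
REPORT_ORDER = ("initial", "intermediate", "final")


def utc(y, m, d, hh=0, mm=0):
    """Builds a timezone-aware UTC timestamp (helper so callers never mix naive times)."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class Incident:
    """Minimal incident-log entry. The classification timestamp is the key field."""
    ref: str
    detected_at: datetime
    classified_major_at: Optional[datetime] = None
    submitted: dict = field(default_factory=dict)  # stage -> submission time


def classify_as_major(inc: Incident, when: datetime) -> None:
    """Records the major-incident classification; this event starts the reporting clocks."""
    if inc.classified_major_at is None:
        inc.classified_major_at = when


def deadlines(inc: Incident) -> dict:
    """Returns stage -> absolute deadline, or {} if the incident is not classified as major."""
    if inc.classified_major_at is None:
        return {}
    return {s: inc.classified_major_at + REPORT_WINDOWS[s] for s in REPORT_ORDER}


def outstanding(inc: Incident, now: datetime) -> list:
    """Lists (stage, deadline, overdue) for reports not yet submitted, in cycle order."""
    result = []
    for stage, due in deadlines(inc).items():
        if stage not in inc.submitted:
            result.append((stage, due, now > due))
    return result


def record_submission(inc: Incident, stage: str, when: datetime) -> bool:
    """Records a submission and returns True if it was made on or before the deadline."""
    if stage not in REPORT_ORDER or inc.classified_major_at is None:
        raise ValueError("unknown report stage or incident not classified as major")
    inc.submitted[stage] = when
    return when <= deadlines(inc)[stage]


def next_due(inc: Incident, now: datetime):
    """Earliest unsubmitted report and hours remaining (negative once overdue); None if nothing is pending."""
    pending = outstanding(inc, now)
    if not pending:
        return None
    stage, due, _ = pending[0]
    return stage, round((due - now).total_seconds() / 3600, 2)


if __name__ == "__main__":
    # Constructed sample: detected late evening, classified as major three hours later.
    inc = Incident("INC-2026-0001", utc(2026, 3, 2, 22, 10))
    classify_as_major(inc, utc(2026, 3, 3, 1, 30))
    print(next_due(inc, utc(2026, 3, 3, 4, 0)))  # initial report: 1.5 h left, measured from classification
    print(record_submission(inc, "initial", utc(2026, 3, 3, 5, 0)))  # True: submitted before 05:30
```

Wiring `outstanding` to a scheduled check (every few minutes against the live incident log) is the "monitoring function capable of triggering the reporting workflow" in its simplest form: the escalation page fires when the first tuple's hours-remaining value drops below whatever buffer the institution sets for drafting and sign-off.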
3. Digital Operational Resilience Testing
All in-scope entities must conduct basic annual testing — vulnerability assessments and scenario-based exercises. Significant institutions must additionally conduct Threat-Led Penetration Testing (TLPT) every three years using authorised testers. TLPT targets critical ICT systems, and results must be shared with competent authorities.
4. ICT Third-Party Risk Management
DORA creates the most prescriptive third-party ICT oversight framework in global financial regulation. Institutions must maintain a register of all ICT third-party service providers, classify them by criticality, ensure contracts include mandatory DORA provisions (audit rights, SLA standards, termination clauses, sub-outsourcing visibility), and conduct risk-based due diligence. Critical third-party providers (CTPPs) designated by the ESAs face direct supervisory oversight.
5. Information and Intelligence Sharing
DORA encourages voluntary sharing of cyber threat intelligence and vulnerability information through trusted sharing arrangements. Sharing under a compliant arrangement does not create GDPR liability for the disclosing party.
DORA Compliance Checklist for Banks
- Determine scope: Confirm which EU entities and ICT systems are subject to DORA.
- Conduct an ICT risk gap assessment against DORA's five pillars and technical standards.
- Establish the ICT risk management framework with board-level ownership and a formal ICT risk register.
- Map all critical ICT functions and set documented RTO/RPO targets.
- Build the incident classification and reporting workflow — the 4-hour initial report deadline requires new escalation paths for most banks.
- Inventory all ICT third-party providers and classify by criticality. Update contracts to include DORA-mandated provisions.
- Schedule annual resilience testing and plan TLPT if the institution qualifies.
- Designate a DORA compliance owner at CRO or CIO level with board reporting lines.
- Review sub-outsourcing chains — DORA requires visibility into your vendors' critical subcontractors.
- Check for CTPP designations affecting your cloud and data provider contracts.
Key DORA Deadlines in 2026
DORA has been in full effect since January 17, 2025. National competent authorities across EU member states are incorporating DORA compliance into their examination programmes. The first TLPT cycles for significant institutions are underway through 2025–2026. There are no further phase-in periods — full compliance is expected now.
How DORA Intersects with NIST AI RMF and FFIEC
For US banks in both jurisdictions, DORA and US frameworks overlap but don't align perfectly. DORA's ICT risk pillar is broadly compatible with NIST CSF and NIST AI RMF — but DORA is more prescriptive on third-party oversight and incident timelines. FFIEC IT guidance covers similar themes but lacks DORA's testing mandate and specific contract requirements. Map your DORA programme to existing FFIEC and NIST controls to identify gaps rather than building parallel programmes. For AI systems, DORA's ICT risk framework applies alongside SR 26-2's model risk governance requirements — see our MRM framework guide for managing this dual obligation.