DORA Compliance

I'm an independent DORA compliance consultant based in Frankfurt. I help EU financial entities and critical ICT third-party providers pass DORA audits, close gaps surfaced by regulators or customers, and stand up the ongoing controls DORA actually expects in 2026. That includes rescue work after a previous consultant's deliverables were rejected, and named-expert cover for companies too small to justify a full-time compliance hire.
  • What is DORA?

    The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, became fully applicable on 17 January 2025. It is the EU's harmonized rulebook for digital operational resilience in the financial sector, and it applies to roughly 22,000 financial entities, as well as the critical ICT third-party providers they depend on. National Competent Authorities have been actively auditing since 2025, and the supervisory focus in 2026 has clearly shifted from "do you have policies" to "can you prove operational continuity."

    The regulation is structured around five pillars:

    • ICT risk management (Articles 5 to 16): governance, asset inventories, controls, board accountability
    • ICT-related incident management (Articles 17 to 23): classification, 24-hour reporting, escalation
    • Digital operational resilience testing (Articles 24 to 27): annual testing and TLPT for in-scope entities
    • ICT third-party risk (Articles 28 to 44): Register of Information, contract controls, oversight
    • Information sharing (Article 45)
  • Who needs to comply with DORA?

    DORA applies to banks, investment firms, insurance and reinsurance companies, payment institutions, e-money institutions, crypto-asset service providers (CASPs) authorized under MiCA, trading venues, central counterparties, and most other regulated financial entities in the EU. It also reaches ICT third parties that serve those entities through cascading obligations flowing down through customer contracts. If you've received an "ICT third-party flow-down questionnaire" from a financial-services customer, that's DORA.
  • Two situations bring most clients

    The first is reactive. A regulator finding, an internal audit flag, a customer questionnaire, or a stalled remediation project has forced their hand, and they need senior compliance expertise fast.

    The second is structural. Full-time compliance leadership doesn't make sense at their scale, but their regulator and their customers still expect a named compliance expert on file.

    I work with both.

WHAT I DELIVER

  • DORA gap analysis

    An assessment against all five pillars, mapped to specific Articles and the relevant Regulatory Technical Standards. The output is a prioritized remediation plan with effort estimates and owner mapping, not a 200-page report nobody reads.
  • DORA remediation

    End-to-end execution against the gap analysis. ICT risk management framework, governance documentation, incident classification rules and the 24-hour reporting workflow, third-party Register of Information build-out, contract clauses for ICT providers, and the policies regulators expect to see when they walk in.
  • Register of Information (RoI)

    Full build or rebuild of the Register of Information aligned to current ESA reporting templates. Most RoI rejections I've seen in 2026 trace back to the same handful of issues: incomplete entity hierarchies, missing function-criticality assessments, or contract data that doesn't tie back to operational reality. Fixable, but only if you start before the next reporting cycle.
  • ICT third-party flow-down questionnaires

    If you're an ICT third party serving financial-sector customers, you're now receiving DORA flow-down questionnaires that often read like full audits. I prepare evidence packs and structured responses that hold up to scrutiny without exposing more than the questionnaire actually asks for.
  • Adjacent standards

    ISO 27001 (information security) and ISO 22301 (business continuity) where they overlap with DORA controls. SOC 2 where useful for US-EU operating models.

Frequently asked questions

  • What are the penalties for DORA non-compliance?

    Financial entities can be fined up to 2% of total annual worldwide turnover. ICT third-party providers face penalties of up to €5 million or 1% of average daily worldwide turnover, with daily fines applying for up to six months.
  • Does DORA apply to non-EU companies?

    Yes, in two main ways. Non-EU companies providing ICT services to EU financial entities are reached through flow-down contractual obligations. Non-EU financial entities serving EU clients on a cross-border basis may also fall within scope, depending on their authorization model.
  • What is the difference between DORA and NIS2?

    DORA is "lex specialis" for the financial sector. Where DORA and NIS2 overlap (incident reporting, third-party risk), DORA prevails for financial entities. NIS2 still matters for non-financial parts of the same group.
  • What is a DORA Register of Information?

    The RoI is an inventory of all contractual arrangements with ICT third-party providers, mapped to the financial entity's critical or important functions. Financial entities must maintain it continuously and report it to their National Competent Authority on the ESA's annual cycle.
  • What is TLPT under DORA?

    Threat-Led Penetration Testing is an advanced resilience test, modeled on the TIBER-EU framework, that simulates a realistic threat actor against an entity's critical functions. In-scope entities must conduct TLPT at least once every three years.
  • When to reach out

    If you've received a DORA flow-down questionnaire from a customer, your last audit surfaced ICT findings, your Register of Information isn't ready for the next ESA cycle, or you need a named compliance lead without the full-time cost, get in touch. First-call diagnostic is free.