DORA Regulation
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is an EU regulation establishing uniform requirements for financial entities to manage ICT risk, report ICT-related incidents, test digital operational resilience, and oversee third-party ICT service providers. Unlike directives such as NIS2, DORA applies directly across all 27 EU Member States without national transposition — creating a single, harmonised ICT risk management rulebook for the financial sector. It covers 21 categories of financial entities, from credit institutions and investment firms to crypto-asset service providers, and introduces an unprecedented oversight framework for critical third-party ICT providers designated by the European Supervisory Authorities. FortisEU operationalises DORA compliance with automated ICT risk assessments, incident classification workflows, third-party register management, and TLPT coordination.
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
Fine Calculator
Estimate your organisation's maximum DORA penalty exposure based on entity classification, daily turnover, and infringement type.
DORA Template Pack
Pre-built ICT risk management frameworks, incident reporting templates, register of information workbooks, and TLPT coordination plans mapped to DORA requirements.
NIS2 vs DORA Comparison
Side-by-side analysis of NIS2 and DORA requirements, scope, enforcement mechanisms, and lex specialis boundaries for dual-regulated financial entities.
Common Questions
Who is in scope of DORA?
DORA applies to 21 categories of financial entities as defined in Article 2, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. It also applies to ICT third-party service providers that serve these entities.
How does DORA relate to NIS2?
DORA is lex specialis to NIS2 under Article 1(2) of the DORA Regulation. This means that where DORA imposes ICT risk management, incident reporting, or digital operational resilience testing requirements on financial entities, those provisions take precedence over the corresponding general requirements in NIS2. Financial entities subject to DORA remain within NIS2 scope but comply with DORA's more specific provisions rather than NIS2 Article 21 measures. The lex specialis relationship operates at the level of individual obligations — NIS2 still applies where DORA does not provide equivalent coverage.
What are the TLPT requirements under DORA?
Threat-led penetration testing (TLPT) under Articles 26-27 is mandatory for financial entities identified by competent authorities based on systemic importance, ICT maturity, and risk profile. TLPT must be conducted at least every three years using the TIBER-EU framework, covering critical or important functions, and performed by qualified external testers (though internal testers may participate under strict conditions). The scope is agreed with the competent authority, and results must be validated by the authority before remediation plans are finalised.
What is the register of information for ICT third-party providers?
Under Article 28(3), financial entities must maintain a complete register of information for all contractual arrangements with ICT third-party service providers. This register must include details of the ICT services provided, the identity of the provider and any sub-contractors, the jurisdictions where data is processed and stored, and the criticality of the functions supported. The register must be made available to competent authorities on request and is a key input into the ESA oversight framework for identifying critical third-party providers.
Does DORA apply proportionally to smaller entities?
Yes. Article 4 establishes a proportionality principle requiring financial entities to implement DORA requirements in a manner proportionate to their size, overall risk profile, and the nature, scale, and complexity of their services, activities, and operations. Microenterprises (fewer than 10 employees and turnover/balance sheet under EUR 2 million) benefit from a simplified ICT risk management framework under Article 16. However, all in-scope entities — regardless of size — must comply with incident reporting, maintain a third-party register, and establish basic digital operational resilience testing.
What are the penalties for DORA non-compliance?
DORA empowers competent authorities to impose administrative penalties and remedial measures proportionate to the infringement. For financial entities, penalties are determined by national competent authorities in line with existing sectoral financial legislation. For critical ICT third-party providers, Article 35(8) allows the Lead Overseer to impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance, for a maximum of six months. Member States may also provide for criminal penalties where their national law so permits.
Operationalise DORA Compliance
Turn DORA requirements into automated workflows, evidence collection, and audit-ready outputs. Create an account or schedule a personalised demo.