FORTISEU

DORA Frequently Asked Questions

15 min read | Updated 2026-03-12

Comprehensive DORA FAQ

This FAQ covers the most common questions from compliance officers, CISOs, legal counsel, and operational risk managers regarding the Digital Operational Resilience Act (Regulation (EU) 2022/2554). The answers draw directly from the Regulation's text and the European Supervisory Authorities' guidance, providing authoritative references for each response.

DORA represents the most significant regulatory change for ICT risk management in the EU financial sector. Since its application from 17 January 2025, financial entities have been required to comply with its five-pillar framework: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. The questions below address the practical implementation challenges that compliance teams encounter most frequently.


Frequently Asked Questions

Who does DORA apply to?

DORA applies to the 21 categories of financial entities listed in Article 2(1)(a)-(u): credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers authorised under MiCA (and issuers of asset-referenced tokens), central securities depositories, central counterparties, trading venues, trade repositories, alternative investment fund managers (AIFMs), UCITS management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and ICT third-party service providers. Article 2(3) carves out certain entities from this list (for example small AIFMs exempt under Article 3(2) AIFMD and small IORPs), so check the exclusions before concluding that an entity is in scope.

When did DORA start applying?

DORA entered into force on 16 January 2023 and has applied since 17 January 2025. As a regulation (not a directive), it is directly applicable in all 27 EU member states without requiring national transposition. Financial entities were given a two-year implementation period from entry into force to the application date.

How does DORA relate to NIS2?

Under Article 1(2), DORA is treated as a sector-specific Union legal act for the purposes of Article 4 of NIS2, which is what practitioners mean when they call it a lex specialis. Where DORA's requirements on ICT risk management and incident reporting are at least equivalent in effect to the NIS2 provisions, the NIS2 risk-management and incident-notification obligations (and the corresponding NIS2 supervision) do not apply to the financial entity; DORA applies instead. Financial entities should still map each NIS2 obligation against DORA to identify any residual requirements, for instance where a group also operates non-financial NIS2 entities or where national NIS2 transposition adds obligations that DORA does not address.

What are the five pillars of DORA?

DORA is structured around five pillars: (1) ICT Risk Management (Chapter II, Arts. 5-16) — comprehensive framework for identifying, protecting against, detecting, responding to, and recovering from ICT risks; (2) ICT-Related Incident Reporting (Chapter III, Arts. 17-23) — classification and mandatory reporting of major incidents; (3) Digital Operational Resilience Testing (Chapter IV, Arts. 24-27) — basic testing programme plus TLPT for designated entities; (4) ICT Third-Party Risk Management (Chapter V, Arts. 28-44) — contractual requirements, register of information, and critical provider oversight; (5) Information Sharing (Chapter VI, Art. 45) — voluntary cyber threat intelligence exchange.

What are the penalties for non-compliance with DORA?

DORA leaves penalties for financial entities to national competent authorities: Articles 50 and 52 require Member States to provide for administrative penalties and remedial measures that are effective, proportionate and dissuasive, and competent authorities apply them through their existing sectoral supervisory powers (under CRD, Solvency II, MiFID II and similar frameworks). For critical ICT third-party service providers, the Lead Overseer (EBA, ESMA or EIOPA) may under Article 35 impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for each day of non-compliance, for a maximum of six months. Article 42 additionally allows competent authorities to require financial entities to suspend or terminate the use of a critical provider that does not remedy the issues identified by the Lead Overseer.

Is DORA a directive or a regulation?

DORA is a regulation — Regulation (EU) 2022/2554. As a regulation, it is directly applicable in all EU member states from its application date (17 January 2025) without requiring transposition into national law. This is a deliberate design choice to achieve uniform requirements across the single market, unlike NIS2, which is a directive and has been transposed into national law with varying degrees of implementation across member states.

Do all DORA-regulated entities need threat-led penetration testing (TLPT)?

No. Under Article 26, TLPT is mandatory only for financial entities identified by their competent authority on the basis of the criteria in Article 26(8): impact-related factors, possible financial stability concerns, and the entity's ICT risk profile and maturity. Identified entities must carry out TLPT at least every three years, following the TIBER-EU framework as specified in the RTS under Article 26(11), and the test must cover live production systems supporting critical or important functions. All other financial entities (except microenterprises) must still maintain a sound digital operational resilience testing programme under Articles 24-25, including at least yearly testing of all ICT systems and applications supporting critical or important functions (Article 24(6)).

What is the register of information under DORA?

Article 28(3) requires financial entities to maintain and keep up to date, at entity, sub-consolidated and consolidated level, a register of information covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing arrangements that support critical or important functions from those that do not. The content and format are fixed by the ITS adopted under Article 28(9); the templates capture, among other things, provider identification (including legal entity identifiers), the ICT services provided, the functions they support, data storage and processing locations, the subcontracting chain, criticality assessments, and contract start, renewal and termination dates. Financial entities must report at least yearly to their competent authority on new arrangements, provider categories and contract types, and must make the full register (or specified sections) available on request. Competent authorities forward the registers to the ESAs, who use the aggregate data to assess sector-wide concentration risk and to designate critical ICT third-party providers.

How does proportionality work under DORA?

Article 4 requires financial entities to implement Chapter II taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations. Two distinct reliefs are often confused. First, the simplified ICT risk management framework in Article 16 replaces Articles 5-15 only for the specific categories listed there: small and non-interconnected investment firms, payment institutions and electronic money institutions exempted under PSD2 and EMD2, certain credit institutions exempted under CRD, and small IORPs. Second, microenterprises (Article 3: fewer than 10 employees and annual turnover and/or balance sheet total not exceeding EUR 2 million) are not automatically in the Article 16 regime but benefit from targeted exemptions throughout the Regulation, such as the exemption from the testing programme in Article 24(1). In both cases proportionality reduces the depth of implementation, not the scope of obligations: even microenterprises must report major ICT-related incidents under Article 19 and maintain the register of information under Article 28(3).

What is the incident reporting timeline under DORA?

Article 19(4) mandates three-stage reporting for major ICT-related incidents, with the time limits set in the RTS adopted under Article 20: (1) an initial notification within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of the incident; (2) an intermediate report within 72 hours of submitting the initial notification (updated when regular activities are recovered); and (3) a final report within 1 month of submitting the intermediate report (or its latest update). The 4-hour clock starts from classification, not from the incident occurrence, but the 24-hour cap runs from awareness, so a slow classification process consumes the reporting window. This makes the classification step itself, against the criteria in the RTS under Article 18(3), time-critical.
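The interaction between the two initial-notification clocks is the part incident-response teams most often get wrong, so the following deadline calculator is added here as an illustration; it is not code from FortisEU, the ESAs or the Regulation. It assumes (none of which the FAQ states) that "one month" means a calendar month with the day clamped to the target month's length, that timestamps are timezone-aware, that no weekend or public-holiday shifting applies, and that each report is filed exactly at its deadline, which is the worst case a SOC should plan for. Function and field names are the author's own.

```python
"""Deadline calculator for the three DORA major-incident reports (added example).
Assumptions, not from the page: calendar-month arithmetic with day clamping,
timezone-aware inputs, no weekend/holiday adjustment."""
import calendar
from datetime import datetime, timedelta

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)    # 4h from classifying as major
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)    # but never later than 24h from awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)     # 72h from submitting the initial notification
FINAL_MONTHS_AFTER_INTERMEDIATE = 1                  # 1 month from submitting the intermediate report


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month addition: 31 Jan + 1 month -> 28 Feb (29 Feb in a leap year)."""
    index = dt.month - 1 + months
    year, month = dt.year + index // 12, index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def initial_due(aware_at: datetime, classified_at: datetime) -> datetime:
    """Earlier of (classification + 4h) and (awareness + 24h).
    When classification is slow, the awareness cap becomes the binding deadline."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               aware_at + INITIAL_CAP_AFTER_AWARENESS)


def intermediate_due(initial_submitted_at: datetime) -> datetime:
    return initial_submitted_at + INTERMEDIATE_AFTER_INITIAL


def final_due(intermediate_submitted_at: datetime) -> datetime:
    return add_months(intermediate_submitted_at, FINAL_MONTHS_AFTER_INTERMEDIATE)


def report_schedule(aware_iso: str, classified_iso: str, now_iso: str) -> dict:
    """Plan all three deadlines from ISO-8601 timestamps, assuming each report is
    filed exactly at its deadline. Returns ISO strings suitable for a ticket."""
    aware = datetime.fromisoformat(aware_iso)
    classified = datetime.fromisoformat(classified_iso)
    now = datetime.fromisoformat(now_iso)
    for name, ts in (("aware", aware), ("classified", classified), ("now", now)):
        if ts.tzinfo is None:
            raise ValueError(f"{name} timestamp must be timezone-aware")
    initial = initial_due(aware, classified)
    intermediate = intermediate_due(initial)
    final = final_due(intermediate)
    return {
        "initial_due": initial.isoformat(),
        # True when the 24h-from-awareness cap, not the 4h window, sets the deadline
        "awareness_cap_binding": initial == aware + INITIAL_CAP_AFTER_AWARENESS,
        "initial_overdue": now > initial,
        "hours_left_for_initial": round((initial - now).total_seconds() / 3600, 2),
        "intermediate_due": intermediate.isoformat(),
        "final_due": final.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: incident noticed 06:00 UTC on 31 Jan, classified major at 10:00.
    for key, value in report_schedule("2025-01-31T06:00:00+00:00",
                                      "2025-01-31T10:00:00+00:00",
                                      "2025-01-31T11:00:00+00:00").items():
        print(f"{key}: {value}")
```

Feeding the calculator a classification time more than 20 hours after awareness shows the failure mode the FAQ warns about: the initial notification is already due (or overdue) the moment the incident is classified, because the 24-hour cap, not the 4-hour window, is binding.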

Can we use cloud providers under DORA?

Yes. DORA does not prohibit the use of cloud computing services or any specific ICT delivery model. However, cloud arrangements are ICT third-party service arrangements subject to the full requirements of Chapter V: mandatory contractual provisions under Article 30 (including data location, audit rights, and exit strategies), inclusion in the register of information under Article 28(3), pre-contractual risk assessment, and concentration risk assessment under Article 29. If the cloud provider is designated as critical under Article 31, it will also be subject to direct ESA oversight.

What about intra-group ICT service providers?

Intra-group ICT service providers are fully within scope: DORA defines the "ICT intra-group service provider" in Article 3 and treats services received from one as ICT third-party services under Chapter V. Contractual arrangements between group entities must therefore meet the requirements of Article 30, intra-group providers must be included in the register of information (which flags them as intra-group), and the pre-contracting assessment under Article 28(4) still applies. The room for proportionate treatment comes from Article 28(1)(b), which requires ICT third-party risk to be managed in light of the nature, scale, complexity and importance of the dependency and the criticality of the supported function; a group entity may conclude that an intra-group arrangement carries a different risk profile (for example on exit or concentration risk) but must document that reasoning rather than assume it.

How does DORA affect outsourcing beyond existing EBA/EIOPA guidelines?

DORA goes beyond traditional outsourcing frameworks (such as the EBA Guidelines on outsourcing arrangements and the EIOPA Guidelines on outsourcing to cloud service providers) in two key ways: (1) it covers all contractual arrangements on the use of ICT services, not just outsourcing; this includes software licensing with support, on-premises maintenance, managed services and cloud computing, regardless of whether the arrangement meets the regulatory definition of outsourcing; and (2) it introduces the Union-level oversight framework for critical ICT third-party providers (Articles 31-44), which has no precedent in the existing outsourcing guidelines. The sectoral guidelines continue to apply to non-ICT outsourcing and to the extent they are not superseded by DORA.

What are the ESA Regulatory Technical Standards under DORA?

The European Supervisory Authorities (EBA, ESMA, EIOPA) are mandated to draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) specifying detailed requirements for, among others: the ICT risk management framework and its simplified variant (Arts. 15 and 16(3)), the criteria for classifying ICT-related incidents as major (Art. 18(3)), the content, timelines and templates for incident reporting (Art. 20), TLPT methodology (Art. 26(11)), the policy on ICT services supporting critical or important functions (Art. 28(10)), the register of information templates (Art. 28(9)), and subcontracting of ICT services supporting critical or important functions (Art. 30(5)). The criteria for designating critical ICT third-party providers are set separately by the Commission in a delegated act under Article 31(6). Technical standards take effect only once the European Commission adopts them as delegated or implementing regulations; once in force they are directly binding on financial entities in the same way as the Regulation itself.

How should we prepare for DORA compliance?

A structured approach includes: (1) Gap assessment — map your current ICT risk management, incident reporting, testing, and third-party management practices against DORA's requirements; (2) Register build — compile the complete register of ICT third-party arrangements per Article 28(3); (3) Contract review — assess all ICT service agreements against Article 30 mandatory provisions and negotiate amendments where gaps exist; (4) Testing programme — establish or enhance your digital operational resilience testing programme per Articles 24-25; (5) Governance — ensure management body accountability per Article 5, including ICT risk training for board members; (6) Incident response — implement the three-stage reporting process with 4h/72h/1m timelines; (7) Proportionality assessment — document how proportionality is applied based on your entity's size and risk profile.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.

Automate DORA Compliance with FortisEU

Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.