What is DORA?
The Digital Operational Resilience Act (DORA) is a European regulation that came into force on 17 January 2025. Unlike a directive — such as NIS2, which must first be transposed into national legislation — DORA is directly applicable in all EU member states. There is no room for interpretation or delay: the rules apply now.
DORA specifically targets the financial sector with one central objective: ensuring that financial institutions can withstand ICT-related disruptions and cyber attacks. In a world where banking, insurance, and investment have become entirely digital, this is not a luxury but a necessity.
Who Does DORA Apply To?
DORA's scope is broad. The regulation applies to more than 22,000 financial entities in the EU, including:
- Banks and credit institutions
- Insurers and reinsurers
- Investment firms and fund managers
- Payment institutions and e-money institutions
- Crypto-asset service providers
- Pension funds
- Critical ICT service providers to the financial sector
That last point is crucial: even if your organisation is not a financial institution but does provide services to the sector — think cloud providers, software vendors, or managed service providers — you may fall under DORA.
The Five Pillars of DORA
1. ICT Risk Management
Financial institutions must have a robust framework for managing ICT risks. This goes beyond traditional IT risk management: DORA requires an integrated approach where ICT risks are treated as part of broader operational risk management.
Concretely, this means: identification of all ICT assets, continuous risk assessment, protection measures, detection capabilities, and recovery procedures. The board bears ultimate responsibility — as with NIS2, personal board liability applies.
2. ICT-Related Incident Reporting
DORA introduces a harmonised system for reporting ICT incidents. Financial institutions must report serious ICT incidents to competent authorities within strict timeframes:
- Initial notification: within 4 hours of classification as a serious incident
- Intermediate report: within 72 hours
- Final report: within 1 month
This requires not only the technical capability to detect and classify incidents but also streamlined internal processes to execute reporting on time.
3. Digital Operational Resilience Testing
Organisations must regularly test their digital resilience. DORA distinguishes two levels:
- Basic testing: annual vulnerability scans, penetration tests, and scenario-based testing for all financial entities
- Threat-Led Penetration Testing (TLPT): advanced, threat-intelligence-driven tests for the largest and most systemically relevant institutions, at least every three years
4. ICT Third-Party Risk Management
The financial sector's dependence on external ICT service providers is enormous. DORA sets strict requirements for managing these risks:
- Mandatory register of all ICT service providers
- Risk assessments before entering into contracts
- Specific contractual provisions (exit strategies, audit rights, security requirements)
- Continuous monitoring of service delivery
Additionally, DORA introduces a new oversight framework for 'critical ICT service providers' designated by European supervisory authorities.
5. Information Sharing
DORA encourages financial institutions to share threat information with each other. This voluntary mechanism aims to strengthen the collective resilience of the sector.
DORA and NIS2: What's the Difference?
For organisations that fall under both DORA and NIS2, DORA applies as lex specialis — the more specific law takes precedence. In practice, DORA sets stricter and more detailed requirements than NIS2, specifically tailored to the financial sector.
But the underlying principles overlap: risk management, incident reporting, supply chain security, and board accountability feature in both frameworks. Organisations that have prepared for NIS2 already have a solid foundation for DORA.
The Consequences of Non-Compliance
DORA gives national supervisory authorities far-reaching powers. They can:
- Impose fines of up to 1% of average daily global turnover, for a period of up to six months
- Hold board members personally liable
- Temporarily or permanently prohibit activities
- Require termination of contracts with ICT service providers
For critical ICT service providers under the European oversight framework, fines can reach up to €5 million (or €500,000 per day for ongoing violations).
How Do You Prepare?
- Gap analysis: Map where your organisation stands relative to the five DORA pillars
- Governance: Ensure the board is demonstrably involved in ICT risk management
- Supplier register: Inventory all ICT service providers and assess risks
- Incident process: Establish a reporting process that meets DORA timeframes
- Testing programme: Plan and execute resilience tests
- Human factor: Don't forget that technical measures only work when people apply them correctly
Nexus-7 and DORA Compliance
Nexus-7 helps financial institutions implement DORA by combining technical assessment with behavioural analysis. Our Q-Method approach maps how employees handle ICT risks — a dimension that traditional compliance tools miss, but that DORA very much addresses.
From gap analysis to threat-led penetration testing, and from supplier risk assessment to awareness programmes: Nexus-7 offers an integrated approach that matches DORA's broad scope.
Want to know how DORA-ready your organisation is? Schedule a demo and discover how Nexus-7 helps you implement all five DORA pillars.
