Guide · February 17, 2026 · Last reviewed: February 17, 2026 · 10 min read

DORA Compliance Guide: Digital Operational Resilience for Financial Services

The Digital Operational Resilience Act (DORA) sets ICT risk management standards for financial entities.

By complixo Team

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554), known as DORA, establishes a comprehensive framework for ICT risk management in the financial sector. It entered into force on January 16, 2023, and became fully applicable on January 17, 2025.

DORA recognizes that the financial sector's increasing dependence on digital technology creates systemic risks that go beyond traditional financial regulation. It aims to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Who must comply?

DORA applies to virtually all regulated financial entities in the EU, including:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and trading venues
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers
  • Central securities depositories and central counterparties
  • Credit rating agencies and crowdfunding service providers
  • Critical third-party ICT service providers (including cloud providers serving the financial sector)

Five pillars of DORA

1. ICT risk management (Chapter II)

Financial entities must establish a comprehensive ICT risk management framework that includes identification of ICT-supported business functions, classification and mapping of ICT assets, continuous monitoring and detection, business continuity and disaster recovery planning, and regular testing and updating of these capabilities.

The management body bears ultimate responsibility for the ICT risk management framework and must allocate sufficient budget and resources.

2. ICT-related incident management (Chapter III)

Entities must implement processes to detect, manage, and report ICT-related incidents. Major incidents must be reported to the relevant competent authority using standardized templates. The classification of incidents considers client impact, data losses, geographic spread, duration, and criticality of affected services.

3. Digital operational resilience testing (Chapter IV)

All financial entities must conduct regular testing of their ICT systems, including vulnerability assessments, network security assessments, and scenario-based testing. Significant financial entities must also undergo threat-led penetration testing (TLPT) at least every three years.

4. ICT third-party risk management (Chapter V)

Financial entities must manage risks from ICT third-party service providers throughout the entire lifecycle — from due diligence and contract negotiation to ongoing monitoring and exit strategies. Contracts with ICT providers must include specific provisions on service levels, data security, audit rights, and termination.

5. Information sharing (Chapter VI)

DORA encourages financial entities to share cyber threat intelligence and information about vulnerabilities, tactics, techniques, and procedures among themselves and with competent authorities.

DORA and AI systems

Financial entities increasingly use AI for fraud detection, credit scoring, algorithmic trading, customer service, and risk assessment. DORA's ICT risk management framework explicitly covers these AI systems:

  • AI as critical ICT — AI systems supporting core financial processes fall under DORA's ICT risk management requirements
  • Third-party AI providers — Cloud-based AI services and model providers are subject to DORA's third-party risk management rules
  • Resilience testing — AI systems must be included in operational resilience testing, including scenario testing for AI-specific failures
  • Dual compliance — Financial entities using high-risk AI systems must comply with both DORA and the EU AI Act simultaneously

Penalties

Competent authorities can impose administrative penalties and remedial measures including:

  • Orders to cease non-compliant conduct
  • Temporary bans on management functions
  • Administrative fines as determined by national law

Critical third-party ICT service providers that fail to comply face penalty payments of up to 1% of average daily worldwide turnover, imposed daily for up to six months.

How to prepare

1. Assess your ICT risk management framework. Map your current practices against DORA's Chapter II requirements and identify gaps.

2. Classify your ICT assets. Create a complete inventory of ICT assets, including AI systems, and assess their criticality.

3. Review third-party contracts. Ensure contracts with ICT providers (including AI service providers) meet DORA's contractual requirements.

4. Establish incident reporting. Implement processes to classify, manage, and report ICT incidents within required timelines.

5. Plan resilience testing. Develop a testing program that covers all critical ICT systems, including AI components.

6. Use complixo for multi-framework compliance. complixo helps financial entities manage DORA alongside EU AI Act and GDPR compliance, tracking requirements and identifying overlaps across frameworks.
