Digital operational resilience for financial entities. Manage ICT risks, test resilience, and oversee third-party providers.
The Digital Operational Resilience Act (DORA, Regulation 2022/2554) establishes a comprehensive ICT risk management framework for the EU financial sector. It ensures that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.
DORA applies to virtually all regulated financial entities — banks, insurance companies, investment firms, crypto-asset service providers, and more — plus their critical ICT third-party service providers. It creates a unified approach to digital resilience that replaces fragmented national rules.
The regulation has applied in full since January 2025 and covers five core pillars: ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements.
The most important articles and obligations you need to address.
ICT risk management: Comprehensive framework covering governance, risk identification, protection, detection, response, and recovery from ICT risks.
ICT incident reporting: Classification, reporting, and notification of major ICT-related incidents to competent authorities, with harmonized templates.
Digital operational resilience testing: Annual basic testing for all financial entities, plus threat-led penetration testing (TLPT) every three years for significant financial entities.
ICT third-party risk management: Due diligence, contractual requirements, and ongoing monitoring of ICT third-party service providers, including cloud providers.
Information sharing arrangements: Voluntary arrangements for sharing cyber threat intelligence between financial entities in trusted communities.
Oversight of critical ICT third-party providers: Critical ICT third-party providers are subject to direct oversight by the European Supervisory Authorities (ESAs).
Key enforcement milestones
Jan 2023: DORA entered into force (in effect)
Jan 2025: Full application date (in effect)
Jan 2025: RTS/ITS standards apply (in effect)
2025-26: Supervisory enforcement begins
Purpose-built features to get you from zero to compliant.
Pre-built controls covering all DORA ICT risk management requirements: identification, protection, detection, response, and recovery.
Manage annual testing programs and TLPT with test strategies, plans, cases, and execution cycles linked to DORA requirements.
Track and assess ICT third-party providers with due diligence checklists, contractual requirements, and ongoing monitoring.
Classify and track ICT incidents with the structured reporting timelines and templates DORA requires.
Map controls to specific DORA articles, collect evidence, and maintain full traceability for supervisory reviews.
Generate audit-ready reports for competent authorities and ESAs in PDF, Excel, or Word format.
DORA applies to 21 types of financial entities including banks, insurers, investment firms, payment providers, crypto-asset service providers, and their critical ICT third-party service providers (cloud providers, data analytics firms, software vendors).
DORA is a sector-specific regulation for financial services that takes precedence over NIS2 for covered entities (lex specialis). Financial entities comply with DORA instead of NIS2 for ICT risk management and incident reporting. However, they may still need NIS2 compliance for non-ICT aspects.
All financial entities must conduct annual basic ICT testing (vulnerability scanning, network security tests, gap analysis). Significant entities must additionally perform threat-led penetration testing (TLPT) at least every three years using qualified external testers.
Major ICT incidents must be reported to the competent authority using standardized templates. Initial notification within 4 hours of classification, intermediate report within 72 hours, and final report within 1 month.
complixo covers all five DORA pillars: ICT risk management with structured risk registers, incident tracking and documentation, control testing for resilience testing, third-party vendor assessments, and audit-ready reports for supervisory authority reviews.
Pre-built checks, structured evidence, and audit-ready reports. No credit card required.