Since 17 January 2025, financial entities operating in or serving the EU have had a new regulation to answer to: the Digital Operational Resilience Act, or DORA. If your firm handles client data, processes payments, or relies on cloud infrastructure to keep the lights on, DORA compliance is very likely on your to-do list, whether you’re based in Brussels, Berlin or Birmingham.
This guide breaks down what the DORA regulation actually requires, who it applies to, and the practical steps financial firms can take to get compliant and stay that way.
Before we continue, cybersecurity vocabulary for all sectors, let alone financial services, can be difficult to follow. Our A-Z cybersecurity glossary is here to help you with any terms you’re unfamiliar with.
What Is the DORA Regulation?
The DORA regulation, formally Regulation (EU) 2022/2554, is an EU law designed to make sure financial entities can withstand, respond to and recover from ICT-related disruptions and cyber threats. Rather than treating operational resilience as a nice-to-have, DORA makes it a binding legal requirement across the EU financial sector, with a single rulebook replacing the patchwork of national approaches that came before it.
The regulation was adopted in December 2022 and became applicable across the EU on 17 January 2025. You can read the full regulatory text on EUR-Lex if you want the legal detail, and the European Banking Authority’s DORA overview is a good source for ongoing updates from the regulators themselves.
Although DORA is an EU regulation, its reach extends beyond EU borders. UK firms that serve EU clients, or that act as ICT providers to EU financial entities, can fall within scope too. The UK’s Financial Conduct Authority, Prudential Regulation Authority and Bank of England have signed a formal cooperation agreement with the EU’s supervisory authorities specifically to oversee critical ICT providers under DORA, which tells you how seriously cross-border regulators are taking this.
Who Needs DORA Compliance?
DORA casts a wide net. The regulation applies to a long list of financial entities, including:
- Banks and credit institutions
- Insurance and reinsurance firms
- Investment firms and payment institutions
- Electronic money institutions
- Crypto-asset service providers
- Central counterparties, trade repositories and securities depositories
- Crowdfunding service providers
- Managers of alternative investment funds
- Pension schemes with more than 15 members
It also applies to the third-party ICT providers, such as cloud platforms and data centres, that these financial entities depend on. If a cloud provider is critical to a bank’s operations, that provider can be brought directly into DORA’s oversight framework, even if it isn’t a financial firm itself.
The Five Pillars of DORA Compliance
DORA compliance rests on five core requirements. Understanding each one is the first step towards building a compliance programme that actually holds up under scrutiny.
1. ICT Risk Management
Financial entities must identify, assess and manage ICT risk on an ongoing basis. In practice, this means maintaining an up-to-date inventory of ICT assets, implementing protective controls such as firewalls, encryption and access management, and monitoring systems continuously for unusual activity. When something does go wrong, firms are expected to have a documented response plan, followed by a proper post-incident review so the same gap doesn’t get exploited twice.
2. ICT-Related Incident Reporting
DORA sets out a standardised process for classifying and reporting significant ICT incidents. Entities need to monitor their systems continuously, assess incidents against defined severity criteria, and report major incidents to the relevant competent authority within set timeframes. Where an incident affects clients directly, firms are also required to communicate with those clients about what happened and what’s being done about it.
3. Digital Operational Resilience Testing
Regular testing is central to the DORA regulation, and it’s the pillar most directly relevant to cyber security teams. DORA requires periodic assessments of system resilience, and for entities identified as significant, this extends to threat-led penetration testing (TLPT), a form of advanced testing that simulates real-world attacks against production systems using red team and blue team exercises.
This is where the regulation moves from policy into practice. A resilience framework only means something if it’s been stress-tested against genuine attack techniques, not just checked against a compliance form. If your firm hasn’t had a proper technical assessment recently, our penetration testing guide covers what a thorough test should include.
4. ICT Third-Party Risk Management
Financial entities are expected to manage the risk posed by their ICT suppliers just as carefully as their own internal systems. DORA requires due diligence before onboarding a new provider, contractual terms that reflect security and incident response obligations, and ongoing monitoring of supplier performance for the life of the relationship. For firms already grappling with cloud dependency, our article on cloud security risks in finance looks at some of the specific exposure points this creates.
5. Information Sharing
The fifth pillar encourages financial entities to share threat intelligence with peers and regulators. This is voluntary in scope but reflects a broader shift in cyber security thinking: collective defence tends to outperform isolated defence, particularly against threats that move quickly across an interconnected sector.
Why DORA Compliance Matters Beyond Avoiding Fines
It’s tempting to treat DORA compliance as a box-ticking exercise, but the underlying logic is sound. Financial services remain one of the most targeted sectors for cyberattacks, and an ICT outage at a major bank doesn’t just cause internal disruption. It stops customers accessing their money, halts transactions, and does lasting damage to trust that’s expensive to rebuild.
Beyond regulatory obligation, a solid DORA compliance programme tends to deliver a few practical benefits:
- Fewer costly operational disruptions and reduced downtime risk
- Stronger security posture, which regulators and insurers increasingly expect to see evidenced
- A demonstrable commitment to resilience that clients and partners can point to during due diligence
- Better visibility over third-party and supply chain risk, which is often the weakest link in a firm’s security
Steps to Achieve DORA Compliance
There’s no single template for DORA compliance, since requirements scale with the size and complexity of the entity. That said, most firms working through this follow a broadly similar path:
- Map your scope. Identify which parts of DORA apply to your entity type and confirm whether you meet the criteria for advanced testing requirements like TLPT.
- Audit your ICT risk management framework. Compare your existing policies, controls and documentation against DORA’s requirements and flag the gaps.
- Review incident reporting processes. Make sure you have a clear, tested process for classifying and reporting incidents within the required timeframes.
- Assess your third-party contracts. Check that supplier agreements include the security and audit provisions DORA expects, particularly for critical ICT providers.
- Commission independent testing. Regular, human-led penetration testing gives you evidence that your controls actually work, not just that they exist on paper.
DORA Compliance and Penetration Testing
Testing is where DORA compliance becomes tangible. A CREST-accredited penetration test does more than satisfy an audit requirement: it gives your security team a clear, evidenced picture of where an attacker could realistically get in, and it gives your board something concrete to act on.
At Fortifi, we provide CREST-accredited penetration testing for financial services, built around the specific pressures financial firms face rather than a generic checklist. If your firm is also working towards ISO 27001 or Cyber Essentials alongside DORA, our guides to ISO 27001 and Cyber Essentials explain how those frameworks fit alongside sector-specific regulation like DORA.
Common Questions About the DORA Regulation
Is DORA the same across every EU country? Yes. Unlike a directive, DORA is a regulation, which means it applies directly and uniformly across all EU member states without needing to be transposed into national law first.
Does DORA apply to UK financial firms? Directly, no, since DORA is EU legislation. Indirectly, quite possibly. UK firms serving EU clients, or acting as critical ICT providers to EU financial entities, can be brought into scope, and UK regulators are formally cooperating with EU authorities on oversight.
What is threat-led penetration testing (TLPT)? TLPT is an advanced form of testing required under DORA for entities identified as significant. It simulates a realistic cyberattack against live production systems, combining red team offensive testing with blue team defensive monitoring to assess how well an organisation detects and responds to a genuine threat.
How often does DORA require testing? Basic resilience testing is expected on a regular, ongoing basis. Entities subject to TLPT requirements must carry out advanced testing at least every three years, though many firms choose to test more frequently given how quickly the threat landscape shifts.
Getting Started with DORA Compliance
DORA compliance isn’t a single project with a finish line. It’s an ongoing commitment to identifying risk, testing your defences, and proving that your controls work under pressure rather than just on paper. The firms that treat it this way tend to get more out of the process than a certificate; they build genuinely more resilient operations.
If you’re planning your next round of resilience testing or want to understand how penetration testing fits into your DORA compliance programme, get in touch with Fortifi for a conversation with a CREST-accredited tester, not a sales call.
Sources
EIOPA. (2025). Digital Operational Resilience Act (DORA). Www.eiopa.europa.eu. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
Jelle Groenendaal. (2024, November 11). RiskTalk: What is DORA and why is digital resilience important? 3rdrisk.com; 3rdRisk. https://www.3rdrisk.com/blog/risktalk-dora
O’Neill, S. (2024, August 6). Digital Operational Resilience Act (DORA): Regulation Summary. Grant Thornton Ireland. https://www.grantthornton.ie/insights/factsheets/digital-operational-resilience-act-dora-regulation-summary/
Precisely Editor. (2024, September 17). DORA: What It Is and Why It Matters for Financial Entities. Precisely. https://www.precisely.com/blog/data-security/understanding-dora-what-it-is-and-why-it-matters-for-financial-entities
PricewaterhouseCoopers. (n.d.). DORA and its impact on UK financial entities and ICT service providers. PwC. https://www.pwc.co.uk/industries/financial-services/insights/dora-and-its-impact-on-uk-financial-entities-and-ict-service-providers.html
Sears, D. (2025, January 10). Why the DORA Regulation Matters Beyond the EU – Forescout. Forescout. https://www.forescout.com/blog/why-the-dora-regulation-matters-beyond-the-eu/