February 27, 2025

11 mins

The Ultimate DORA Compliance Checklist for 2025

This guide covers everything you need to know about DORA compliance, including deadlines, penalties, and a step-by-step checklist to meet the new EU regulation.

Written by Jorge Lainfiesta

I live in Barcelona and have a Spanish bank account at one of the largest banks in the country. In the past six months, I have received four phishing SMS messages through the official bank phone number, registered under the bank’s name. You read that right: four breaches of the bank’s messaging system in six months.

Turns out, it’s not just my bank that’s finding itself in a pickle when it comes to cybersecurity. A recent study discovered that 78% of European Union financial institutions experienced a third-party breach last year. And let’s not talk about how often I can’t complete an online purchase because my bank’s payment verification is down or how many times the app is so slow it’s unusable.

The EU’s financial institutions jumped into the digitalization wave, yes. But they are running into incidents and facing cybersecurity threats that will only continue to grow in complexity and scale. That’s why the EU adopted the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), a framework meant to improve the robustness of digital operations across the European financial sector.

In this article, you’ll learn the key aspects of this new regulation and practical advice on how to make your organization compliant without overburdening your team with reports.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation that gives the European financial sector a single framework for withstanding, responding to, and recovering from severe ICT disruptions. DORA covers ICT risk management, ICT incident management and reporting, digital operational resilience testing (including penetration testing), ICT third-party risk management, and information sharing.

The objective of having a common framework across the union members is to strengthen security and improve information sharing within the financial services sector and between the European Supervisory Authorities (ESAs).

Who Must Comply With the DORA Regulation?

Pretty much every financial entity operating in the European Union must comply with DORA. Size does not exempt an entity outright: the regulation applies a proportionality principle, and some smaller entities may use a simplified ICT risk management framework, but only a short list of small entities (see the scope section below) are excluded altogether.

This regulation applies to banks, insurance and reinsurance undertakings, crypto-asset service providers, credit rating agencies, trading venues, occupational pension funds (IORPs), and other types of institutions. There is a total of 20 types of financial entities in scope for DORA compliance.

DORA also reaches ICT third-party service providers. Those that the European Supervisory Authorities (ESAs) designate as critical are placed under a direct EU oversight framework, even if they are based outside the European Union. Examples of providers that may be designated critical include cloud service providers and cybersecurity firms.

What is the DORA Compliance Deadline?

The DORA proposal was initially drafted back in late 2020 and wasn’t approved until late 2022. Financial institutions had to prepare for DORA compliance in 2023 and 2024.

Since January 17th, 2025, financial institutions in the EU are required to be DORA-compliant in their digital operations.

What Are the Penalties for DORA Non-Compliance?

DORA does not establish a maximum fine, but it states that the penalties and measures shall be effective, proportionate, and dissuasive.

For designated critical ICT third-party providers, failing to comply with the oversight framework may result in periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover in the preceding business year, charged daily for up to six months.

Competent authorities can also force institutions to suspend, temporarily or permanently, working with third-party vendors in breach of DORA requirements.

Beyond the penalties and possible business disruptions, non-compliant entities will also face reputational damage, as the authorities will publish offenders and the penalties on their websites.

The Five Pillars of the DORA Regulation

1. ICT Risk Management

The ICT Risk Management pillar aims to guide institutions in identifying, managing, and mitigating digital risks as part of their digital operations. It prompts the board of directors and senior management to oversee ICT risk and dedicate resources to managing it proactively.

Financial institutions must develop a comprehensive ICT risk management framework that lets them identify their critical or important functions (CIFs) and the ICT assets that support them, and ensure these functions remain resilient.

Continuous monitoring and assessment of ICT risks are also expected, including scenario testing to evaluate the potential impact of severe disruptions on these critical functions.

2. ICT Incident Management

DORA’s second pillar requires financial institutions to establish ICT incident management programs. Financial institutions must be able to classify, manage, and report incidents, including cyber threats, that may affect financial stability.

Incident classification is an important factor in the DORA framework, as severity carries obligations. For example, once an incident is classified as major, an initial notification must reach the competent authority within four hours of that classification and no later than 24 hours after the entity became aware of the incident. An intermediate report is due within 72 hours of the initial notification, and a final report within one month of the intermediate report. These clocks run regardless of weekends and holidays.

To respond swiftly to incidents, financial institutions are turning to software like Rootly to establish their incident management programs, train staff in the incident management process, and generate reports with ease thanks to Rootly’s incident audit trails.

3. Digital Operational Resilience Testing

The third pillar of the DORA framework requires financial institutions to maintain a digital operational resilience testing programme. For entities that their competent authority designates, this includes Threat-Led Penetration Testing (TLPT) at least every three years: intelligence-led red-team exercises that target the live systems supporting critical or important functions, so that vulnerabilities are found before they are exploited.

On top of TLPT, all in-scope financial institutions are expected to run regular vulnerability assessments and scans, scenario-based tests, and other technical testing of their ICT systems. Where an ICT third-party provider supports the functions under test, DORA requires that provider to take part in the testing.

4. ICT Third-Party Risk Management

Given that third-party threats are one of the most common affecting the EU’s financial institutions, DORA establishes a comprehensive set of guidelines to assess third-party risks. Even firms that already had regulations for third-party vendors are facing tighter controls.

DORA requires a thorough due diligence process for ICT service providers, ensuring that new vendors meet the framework’s standards before they are onboarded. Contracts must explicitly set out responsibilities for operational resilience, incident reporting, access and audit rights, and regulatory compliance, and every contractual arrangement with an ICT third-party provider must be recorded in a register of information that the competent authority can request.

However, third-party management under DORA doesn’t end after onboarding a vendor. The framework mandates continuous monitoring of third-party providers.

5. Information Sharing

Finally, DORA allows financial entities to set up information-sharing arrangements among themselves to exchange cyber threat information and intelligence, and requires them to notify their competent authority when they join or leave such an arrangement. The objective is to foster collaboration in the sector and improve understanding of the challenges the bloc is facing.

DORA also encourages financial institutions to join Information Sharing and Analysis Centers (ISACs), which develop best practices collectively and share threat intelligence.

2025 DORA Compliance Checklist

1. Scope Determination

The first step is to find out if your organization must comply with DORA.

If you’re a financial institution of any type operating in the European Union, you’re most likely required to comply with DORA. There are a few exceptions, such as insurance intermediaries that are micro, small, or medium-sized enterprises, or occupational pension schemes with no more than 15 members in total.

If you provide ICT services to financial institutions in the EU, you fall under DORA’s direct oversight framework, even if you’re not based in the EU, once you are designated a critical ICT third-party provider. Designation is based on the systemic impact an outage on your side would have: how many financial entities rely on you, how important those entities are, whether they depend on you for critical or important functions, and how easily you could be replaced.

However, you don’t become a critical provider just by having several customers in the EU. The European Supervisory Authorities (ESAs) will formally notify you if they have determined you’re a critical provider. Even without that designation, your financial-sector customers will still pass DORA’s contractual and monitoring requirements on to you.

2. Gap Analysis

DORA compliance requires you to meet criteria throughout the five pillars presented above. You’ll need to go through your ICT risk management strategy, analyze your vendors, review your pentesting contracts, and understand where you stand.

ICT incident management is a particularly demanding new requirement that DORA introduces for the EU’s financial institutions. You’ll want to measure how long it has taken your teams to compile post-incident reports so far. For a major incident, authorities expect the initial notification, with meaningful details about the situation, within four hours of classifying the incident as major (and within 24 hours of becoming aware of it), an intermediate report within 72 hours of that notification, and a final report within one month.

3. Remediation Planning

Based on your findings in the gap analysis step, break down a plan to tackle them. You’ll probably need to plan different initiatives to cover the various DORA compliance pillars. Prioritize actions based on risk assessment and the type of audit required.

For example, DORA requires the ICT risk management framework to be audited periodically by auditors with sufficient ICT expertise, and remediation of audit findings must be tracked. Critical ICT third-party providers are additionally subject to direct oversight by the European Supervisory Authorities (ESAs), with national competent authorities involved.

4. Third-Party Provider Assessment

DORA requires financial institutions to have stringent supervision of their vendors, especially those critical to their operation, such as cloud providers or security consultants.

DORA compliance goes beyond technical SLOs for vendors and ties into the contractual relationship between financial institutions and vendors. The aim is to ensure a commitment to resilience.

Even though the European Supervisory Authorities (ESAs) determine which vendors operating in the community are considered critical, you may have different providers that are critical for you.

5. Implementation of Resilience Testing

Work with your cybersecurity contractors to schedule Threat-Led Penetration Testing (TLPT) and the broader resilience testing programme so that you find the cracks in your systems before a bad actor does. Map the service paths behind each critical or important function, make sure every path is covered by the test schedule, and confirm that the vendors on those paths are contractually obliged to participate in the tests.

Make sure that your strategy involves acting on the findings by the security firm so the pentest review doesn’t become just a bureaucratic document but a way of actively improving your resilience.

6. Incident Response Planning

To meet the DORA compliance requirements regarding ICT incident management, you’ll need to establish an effective incident management process.

You may start by defining an Incident Response Playbook, where you outline what responders should know when an incident occurs: how to classify severity (accounting for the DORA criteria), how to assemble a team, how to submit the initial DORA notification, and how to run a postmortem.
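The reporting clocks described above (initial notification four hours after classification but no later than 24 hours after awareness, intermediate report 72 hours after the initial notification, final report one month after the intermediate report) are easy to get wrong when classification happens late. The following is an added example, not code from the original article or from Rootly, that computes the deadlines for a constructed incident record and flags each report as pending, overdue, submitted, late, or blocked. The `MajorIncident` fields, the 30-day reading of "one month", and the sample timestamps are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Reporting clocks for a major ICT-related incident under DORA (Article 19 and
# the reporting technical standards), as described in the text above.
# They are wall-clock deadlines: weekends and holidays do not pause them.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # from classifying the incident as major
INITIAL_AFTER_AWARENESS = timedelta(hours=24)       # hard cap from first becoming aware
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # from submitting the initial notification
# "One month" after the intermediate report; 30 days is an assumption made here.
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)


@dataclass
class MajorIncident:
    """Hypothetical incident record; field names are this example's own."""
    ref: str
    aware_at: datetime               # when the entity first became aware of the incident
    classified_major_at: datetime    # when it was classified as major
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None


def initial_deadline(inc: MajorIncident) -> datetime:
    """Earlier of the two clocks: classifying late does not extend the 24 h cap."""
    return min(inc.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
               inc.aware_at + INITIAL_AFTER_AWARENESS)


def intermediate_deadline(inc: MajorIncident) -> Optional[datetime]:
    """Runs from the actual submission of the initial notification, so None until then."""
    if inc.initial_sent_at is None:
        return None
    return inc.initial_sent_at + INTERMEDIATE_AFTER_INITIAL


def final_deadline(inc: MajorIncident) -> Optional[datetime]:
    """Runs from the actual submission of the intermediate report."""
    if inc.intermediate_sent_at is None:
        return None
    return inc.intermediate_sent_at + FINAL_AFTER_INTERMEDIATE


def _stage_status(sent_at: Optional[datetime], deadline: Optional[datetime],
                  now: datetime) -> str:
    if deadline is None:
        return "blocked"            # the preceding report has not been submitted yet
    if sent_at is not None:
        return "late" if sent_at > deadline else "submitted"
    return "overdue" if now > deadline else "pending"


def report_status(inc: MajorIncident, now: datetime) -> dict:
    """Status of each of the three DORA reports for one incident at time `now`."""
    return {
        "initial": _stage_status(inc.initial_sent_at, initial_deadline(inc), now),
        "intermediate": _stage_status(inc.intermediate_sent_at,
                                      intermediate_deadline(inc), now),
        "final": _stage_status(inc.final_sent_at, final_deadline(inc), now),
    }


# Constructed sample incidents (not real events).
PROMPT = MajorIncident(
    ref="INC-2025-0042",
    aware_at=datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 1, 10, 30, tzinfo=UTC),
    initial_sent_at=datetime(2025, 3, 1, 13, 0, tzinfo=UTC),
)
# Classified 26 h after awareness: the 24 h cap expired before classification,
# so the initial notification is overdue the moment the incident is classified.
LATE = MajorIncident(
    ref="INC-2025-0043",
    aware_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 2, 10, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    now = datetime(2025, 3, 2, 12, 0, tzinfo=UTC)
    for inc in (PROMPT, LATE):
        print(inc.ref, initial_deadline(inc).isoformat(), report_status(inc, now))
```

The second sample is the case worth building a check around: a classification that drags past the 24-hour awareness cap leaves no time at all for the initial notification, so the playbook should start the clock at awareness, not at classification.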

Using incident management software like Rootly can help you codify these practices into a platform so that your team follows them consistently. Rootly also automates tasks like incident audit trails and evidence gathering, which makes the DORA reports easier to compile on time.

7. Continuous Monitoring and Improvement

In order to meet the DORA compliance deadline, most organizations had to rush to set up processes that may not yet be ideal. As your organization begins to exercise these processes, take note of how effective they are at achieving the goal of this regulation: making you more resilient when facing digital disruptions.

Another factor that you’ll likely be able to improve is the processes themselves. In the beginning, your team may be performing significant toil work to meet the DORA compliance requirements. But as everyone experiences what is needed, you’ll get a better sense of what can be automated so your staff can focus on delivering business value rather than writing reports.

Stay DORA-Compliant with Rootly

Rootly can help you simplify your ICT incident management for DORA compliance. Rootly offers an all-in-one on-call and incident management suite that lets you organize rotations so there’s always someone ready to deal with digital disruptions. It also provides tools to manage incidents effectively and gather the information needed to compile DORA reports in no time.

Download our DORA Incident Management Guide to get a more in-depth look at how to manage incidents under the new regulation.

AI-Powered On-Call and Incident Response

Get more features at half the cost of legacy tools.

Book a demo