Who this page is for
This page is written for IT, risk, compliance and outsourcing leaders in the financial sector and for critical ICT third parties.
What DORA is
DORA, the Digital Operational Resilience Act, is a European legal framework for digital operational resilience in financial institutions and selected ICT third parties. It complements existing supervisory rules with consolidated requirements for ICT risk management, incident reporting, testing, third-party risk and information sharing.
Focus: digital operational resilience
The core idea is that cyber incidents and ICT disruptions cannot be fully prevented, so financial institutions must be able to withstand them, respond to them and recover from them. The focus is therefore not only on protection but equally on preparation, detection, response and recovery.
Pillars
DORA is structured around five pillars:
1. ICT risk management
2. Incident handling and reporting
3. Digital operational resilience testing, including advanced tests
4. Management of ICT third-party risk
5. Information sharing
The pillars interlock and are further specified through regulatory and implementing technical standards (RTS and ITS) issued by the European supervisory authorities.
ICT third parties
A central focus is on outsourcing and critical ICT third parties. Requirements for contracts, concentration risk, exit strategies and ongoing monitoring become more demanding.
For the most important providers, oversight at European level is foreseen in addition to the institution's own third-party management.
TLPT and the link to TIBER-EU
For certain institutions DORA foresees advanced resilience testing, in particular threat-led penetration testing (TLPT). Methodologically, TLPT aligns closely with the existing TIBER-EU framework.
The purpose is a realistic test of critical functions, carried out under supervision and with clear safeguards. It is not a classic penetration test: the scope is the institution's critical functions rather than individual systems, and the exercise is driven by threat intelligence.
Relation to NIS2
For financial institutions, DORA applies first as the sector-specific framework; NIS2 remains the broader cross-sectoral reference. In practice many requirements overlap and can be addressed together.
What organisations should prepare
Sensible steps include:
- Maturity assessment against DORA
- Update of ICT risk management
- Solid third-party register and contract review
- Clear and rehearsed incident reporting
- A plan for resilience testing, including TLPT for critical functions
- Documented management accountability
Legal note
This article is editorial orientation and not legal advice. The DORA regulation and its technical standards are decisive. Qualified legal review is recommended.
Checklist
- DORA scope for the organisation clarified
- ICT risk management aligned with DORA
- Third-party register complete and current
- Critical contracts reviewed against DORA
- Incident reporting documented and rehearsed
- Plan for resilience tests; TLPT for critical functions
- Management accountability documented in writing
Frequently asked questions
Is DORA mandatory for all banks?
DORA applies broadly across financial services. The exact scope depends on size, function and business model.
How does DORA relate to NIS2?
For financial institutions DORA applies first as the sector-specific framework; NIS2 remains the broader cross-sectoral reference.
What is TLPT?
Threat-led penetration testing on live systems, methodologically aligned with TIBER-EU.
Related topics
The NIS2 directive raises the cyber security bar in the EU noticeably. This page offers editorial orientation, not legal advice.
TIBER-EU is the European framework for threat-led resilience testing of critical functions. This page explains the idea, the phases and the link to DORA and TLPT - intentionally at a high level and without describing concrete attack techniques.
A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.
A security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.
Effective enterprise security combines governance with concrete technical and organisational controls. This page shows what decision makers and IT leaders should focus on first: calm, practical and clearly prioritised.
A SIEM aggregates log and telemetry data, correlates it and provides the foundation for detection and incident response. This page covers function, important data sources and common mistakes.