DORA Compliance: What Financial Companies Must Do Now
Key Takeaways
- DORA has been mandatory since January 2025 and extends beyond banks — payment institutions, FinTechs, crypto service providers, and their critical IT suppliers are all in scope
- The regulation covers five core areas: ICT risk management, incident reporting, resilience testing, third-party risk management, and threat intelligence sharing
- Severe ICT incidents must be reported to the supervisory authority within 24 hours (early warning), followed by a full report within 72 hours
- Lacking a central register of ICT third-party providers and a structured risk assessment for each provider is one of the most common DORA gaps
- Organisations already operating an ISO 27001 ISMS can map many DORA requirements onto existing structures — the work is primarily extension and formalisation, not rebuilding from scratch
The Digital Operational Resilience Act (DORA) has been mandatory since January 2025 and places concrete implementation obligations on financial companies across the EU. Many mid-sized financial services providers, FinTechs, and their IT service providers underestimate the scope of the regulation. DORA goes well beyond traditional IT security requirements.
What DORA requires
DORA requires affected companies to establish a comprehensive framework for digital operational resilience. This covers five core areas: ICT risk management, incident reporting, resilience testing, third-party risk management, and the sharing of threat intelligence.
Crucially, the regulation does not only apply to banks and insurance companies. Payment institutions, securities firms, crypto service providers, and critical IT service providers to the financial sector also fall within scope. If your company provides IT services to a regulated financial institution, the requirements may be passed through to you contractually.
Where the typical gaps lie
In our consulting practice, we regularly encounter the same weaknesses at mid-sized financial companies.
ICT risk management is too superficial. Many companies have an information security management system (ISMS) but lack specific ICT risk management that meets DORA requirements. The regulation demands systematic identification, assessment, and monitoring of all ICT risks, including dependencies on third-party providers.
Incident reporting is not prepared. DORA mandates that severe ICT incidents be reported to the relevant supervisory authority within defined timeframes. Many companies lack both the internal processes and the technical capabilities to classify and report incidents quickly enough.
Third-party management is missing. The regulation requires a complete overview of all ICT third-party providers, a risk assessment for each provider, and contractual arrangements ensuring certain minimum standards. Many companies do not even maintain a central inventory of their IT service providers, let alone a structured risk assessment.
Resilience testing is neglected. DORA requires regular testing of digital resilience. This includes vulnerability assessments, penetration tests and, for larger companies, threat-led penetration tests (TLPT) that simulate realistic attack scenarios.
Pragmatic implementation
DORA implementation does not have to disrupt your entire operation. A structured approach begins with a gap analysis: Where does your company stand today relative to DORA requirements? Which existing measures can be mapped to DORA, and where do actual gaps exist?
This analysis yields a prioritised roadmap. In our experience, many requirements can build on existing structures, particularly if an ISMS based on ISO 27001 or comparable frameworks is already in place. The effort lies less in introducing entirely new systems than in extending and formalising existing processes.
Recommendation
If you are uncertain whether and to what extent your company is affected by DORA, we recommend a structured assessment as a first step. The earlier gaps are identified, the more time remains for an orderly implementation before supervisory reviews take place.
Frequently Asked Questions
Does DORA apply to our company if we only provide IT services to a bank?
Possibly, yes. DORA requires regulated financial entities to pass certain security requirements down to their critical ICT service providers contractually. If your service is essential to the financial institution’s operations, DORA requirements may flow through to you in your contract.
What does DORA require for resilience testing specifically?
DORA mandates regular testing of digital resilience. For most organisations, this means vulnerability assessments and penetration tests on a defined schedule. Larger institutions classified as systemically important must additionally conduct Threat-Led Penetration Tests (TLPT), which simulate realistic attack scenarios using threat intelligence.
We already have ISO 27001 — do we still need to address DORA separately?
ISO 27001 and DORA overlap significantly but are not identical. DORA is more specific in areas such as the ICT third-party register, incident reporting obligations, and resilience testing requirements. A gap analysis will show which existing ISO 27001 measures can be mapped to DORA and where genuine additional work is needed.
What fines can DORA impose?
For essential entities, DORA provides for fines of up to €10 million or 5% of global annual turnover. For important entities, lower thresholds apply. Beyond fines, management personnel can be held personally liable, and supervisory authorities have broad audit and enforcement powers.