DORA Regulation: Everything you need to know
DORA Regulation establishes comprehensive frameworks for ICT risk management, incident reporting, and third-party governance. Key 2024 updates include harmonized standards, resilience testing, and regulatory oversight, enhancing digital security across the EU financial sector.
This article provides a comprehensive overview of the Digital Operational Resilience Act (DORA), focusing on its significance for the EU financial sector and the key regulatory publications released in 2024. It introduces the specific frameworks, standards, and guidelines designed to enhance digital resilience, particularly addressing ICT risk management, third-party governance, incident reporting, and advanced resilience testing.
DORA Regulation: Overview of 2024 Regulatory Publications
The year 2024 is pivotal for the implementation of the Digital Operational Resilience Act (DORA), with key regulatory documents published to establish detailed frameworks and standards. These publications ensure the financial sector achieves harmonized ICT risk management, reporting, and resilience testing requirements. The documents are categorized by their issuing authorities and include specific regulations, technical standards, and industry insights.
- European Supervisory Authorities (ESAs):
The ESAs released a two-phase set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS):
- First Set of RTS (January 2024): Focuses on ICT Risk Management Framework, simplified frameworks for smaller entities, incident classification, policies for third-party ICT providers, and the standardized register of ICT-related contracts.
- Second Batch of RTS and ITS (July 2024): Introduces standards for incident reporting, oversight activities, Threat-Led Penetration Testing (TLPT), and subcontracting ICT services. These standards aim to clarify requirements, improve cooperation among authorities, and streamline reporting obligations.
These publications collectively strengthen the EU financial sector's digital resilience by providing clear regulatory expectations and fostering a standardized, transparent approach to managing ICT risks and disruptions.
- European Commission:
On 25 June 2024, three Commission Delegated Regulations supplementing DORA (adopted by the European Commission on 13 March 2024) were published in the Official Journal of the European Union:
- Regulation (EU) 2024/1772: Defines criteria for classifying ICT-related incidents and significant cyber threats, ensuring a consistent and actionable incident reporting framework.
- Regulation (EU) 2024/1773: Establishes policies for managing ICT services supporting critical or important functions, including requirements for governance, risk assessments, and subcontractor monitoring.
- Regulation (EU) 2024/1774: Specifies ICT risk management tools, methods, and processes, including simplified frameworks for smaller financial entities to ensure proportionality.
- Industry Insights (Finextra):
In November 2024, Finextra published an article analyzing mandatory ICT risk reporting requirements under DORA. The analysis highlights operational challenges and explores how the reporting obligations impact financial institutions of different sizes, emphasizing early adaptation and the need for streamlined processes.
DORA: Key Regulatory Publications by Issuing Authority
A. European Supervisory Authorities (ESAs)
January 2024: First Set of Regulatory Technical Standards (RTS)
ICT Risk Management Framework
The ICT Risk Management Framework RTS under DORA introduces a robust, harmonized structure for financial entities to manage their ICT risks effectively. This framework requires firms to design, implement, and continuously review their ICT risk management systems. Key components include clear governance arrangements, risk identification methods, and incident response protocols. The framework sets out technical and procedural standards to ensure that ICT systems remain resilient, secure, and aligned with business continuity goals.
The requirements address critical areas such as encryption, system authentication, and access controls to preserve the confidentiality, integrity, and availability of ICT systems. Financial entities must adopt policies to safeguard against intrusions, misuse of data, and service disruptions. Specifically, provisions ensure that entities can respond to threats promptly while mitigating financial and reputational damage. For scalability, proportionality principles allow smaller firms to adopt tailored approaches that match their risk profiles and operational complexity.
Simplified ICT Risk Management Framework
The Simplified Framework provides proportionate requirements tailored to smaller financial institutions with lower risk profiles. This ensures that they do not face unnecessary regulatory burdens while maintaining baseline ICT security standards. Smaller entities can leverage streamlined protocols for ICT risk governance, emphasizing cost-efficient, yet effective, controls.
Simplified measures focus on clear and concise risk management plans, reduced documentation, and prioritized efforts on areas of significant risk. The RTS aligns these measures with DORA’s overarching objective: fostering digital resilience without imposing unnecessary strain on smaller firms.
Criteria for Classification of ICT-Related Incidents
The RTS on incident classification standardizes how ICT-related incidents are identified and reported. It specifies clear criteria to determine the severity, impact, and materiality of incidents, ensuring consistent and comparable reporting across the financial sector. The key parameters include:
- Impact on critical services – whether essential functions are disrupted.
- Data integrity and confidentiality – unauthorized access, data loss, or manipulation.
- Operational downtime – duration and scope of service interruptions.
- Economic impact – financial losses incurred due to incidents.
These criteria help financial entities assess incidents quickly and determine whether they qualify as major incidents that trigger the mandatory notification timelines. By harmonizing classification thresholds, regulators can monitor systemic risks and respond to cyber threats effectively.
Policy on ICT Services from Third-Party Providers
DORA emphasizes rigorous oversight of ICT third-party service providers supporting critical or important functions. This RTS outlines mandatory governance arrangements, risk assessments, and contractual provisions to manage third-party dependencies. Financial entities are required to:
- Conduct due diligence before entering agreements.
- Ensure exit strategies – maintaining operational resilience in case a provider fails to deliver services.
- Monitor third-party performance through regular audits and reviews.
- Safeguard data shared with third-party providers, ensuring compliance with cybersecurity and data protection requirements.
For critical ICT services, the RTS mandates stronger contractual clauses to address liability, service levels, and data security, aligning third-party governance with the entity’s overall risk management framework.
ITS on Register of Information
The Implementing Technical Standards (ITS) establish standardized templates for maintaining and updating a register of information on ICT-related contractual arrangements with third-party providers. This register enhances regulatory oversight by offering a transparent view of third-party relationships across the financial sector. Key components of the register include:
- Service provider details – identity, location, and contact information.
- Nature of services – description of ICT services provided and their link to critical functions.
- Risk assessments – evaluation of risks associated with third-party providers.
- Contractual obligations – terms, conditions, and termination clauses.
The ITS ensures that the register remains dynamic and up-to-date, enabling competent authorities to assess ICT dependencies and systemic vulnerabilities across the EU financial ecosystem. Financial entities must ensure comprehensive and accurate reporting to support efficient supervision and oversight.
July 2024: Second Batch of Policy Products
In July 2024, the second batch of policy products under DORA introduced significant updates aimed at improving ICT resilience, incident reporting, oversight activities, penetration testing, and subcontracting management. These updates focused on regulatory clarity, enhanced cooperation among authorities, and streamlined reporting processes to strengthen the digital resilience of financial entities across the EU.
Digital Operational Resilience Act: RTS and ITS on Reporting Major ICT-related Incidents and Significant Cyber Threats
The Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) provide a harmonized framework for reporting major ICT-related incidents and significant cyber threats. The updates focus on timely and accurate communication to supervisory authorities while reducing administrative burdens for financial entities.
The Incident Reporting Framework sets clear timelines for incident notification. Entities must submit the initial notification within four hours of classifying an incident as major, and in any case no later than 24 hours after becoming aware of it; a late classification therefore does not extend the clock. An intermediate report follows within 72 hours of the initial notification, and a final report within one month of the intermediate report, so that progress and resolution can be tracked.
Where a deadline falls on a weekend or public holiday, the RTS gives most entities until the next working day, but this relief does not extend to the entities it treats as most critical, such as significant banks and trading venues. For smaller entities, the content of the reports is scaled to ease the compliance burden.
To simplify reporting, the templates focus on essential fields during the initial notification phase. Reports must include details such as incident classification, affected systems, timeline, recovery status, and estimated financial impact. Additional emphasis is placed on root cause analysis and lessons learned to prevent recurrence. Specific provisions address cross-border impacts, ensuring seamless cooperation among supervisory authorities.
For significant cyber threats, financial entities may voluntarily notify their competent authority of a threat before it materializes into an incident. These proactive notifications aim to give regulators early warning signals, enabling coordinated responses to mitigate systemic risks.
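The classification criteria and the reporting clock described above are the two pieces a SOC has to operationalize on the day an incident happens. The following Python is an added example written for this page; it is not code from the ESAs, the Commission or any vendor. The classification thresholds in it are illustrative placeholders, not the materiality thresholds of Regulation (EU) 2024/1772, and the weekend rule is a simplification (it ignores national holidays and does not decide which entities are excluded from the relief). The deadline arithmetic follows the four-hour, 24-hour, 72-hour and one-month rules as described in the text, with "one month" approximated as 30 days.

```python
"""Added example: major-incident triage and DORA reporting clock.

Not the regulators' code. Thresholds are placeholders (assumption);
the weekend relief is simplified (assumption); "one month" = 30 days
(assumption). Timestamps are timezone-aware UTC.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class IncidentFacts:
    critical_service_affected: bool
    clients_affected_pct: float   # share of clients impacted, in percent
    downtime_hours: float         # duration of the service interruption
    data_compromised: bool        # unauthorised access, loss or manipulation of data
    economic_impact_eur: float    # gross cost estimate so far


# Illustrative thresholds (assumption). They are NOT the materiality thresholds
# of Regulation (EU) 2024/1772; substitute the regulation's values in production.
CLIENTS_PCT = 10.0
DOWNTIME_HOURS = 2.0
ECONOMIC_EUR = 100_000.0


def classify(facts):
    """Return ('major' | 'non-major', list of criteria met).

    Rule shape used here: a critical service is affected AND at least one
    materiality criterion is met. The reasons are returned because they go
    into the initial notification and must survive later reassessment."""
    met = []
    if facts.clients_affected_pct >= CLIENTS_PCT:
        met.append("clients")
    if facts.downtime_hours >= DOWNTIME_HOURS:
        met.append("downtime")
    if facts.data_compromised:
        met.append("data")
    if facts.economic_impact_eur >= ECONOMIC_EUR:
        met.append("economic")
    level = "major" if (facts.critical_service_affected and met) else "non-major"
    return level, met


def reporting_deadlines(aware_at, classified_at, weekend_relief=True):
    """Worst-case submission deadlines for a major incident.

    initial: 4 h after classification, but never later than 24 h after the
    entity became aware (so a slow classification does not extend the clock).
    intermediate: 72 h after the initial notification; final: one month after
    the intermediate report. Both follow-ups are computed from the preceding
    deadline, i.e. assuming submission at the last moment.
    weekend_relief rolls an initial deadline that lands on Saturday/Sunday to
    noon on the next Monday; whether the entity qualifies for that relief is
    a policy decision outside this function (assumption)."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    if weekend_relief and initial.weekday() >= 5:        # 5 = Saturday, 6 = Sunday
        next_monday = initial + timedelta(days=7 - initial.weekday())
        initial = datetime.combine(next_monday.date(), time(12, 0), tzinfo=initial.tzinfo)
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


if __name__ == "__main__":
    # Constructed scenario: core-banking outage detected Wednesday 09:00 UTC,
    # classified as major two hours later.
    facts = IncidentFacts(True, 0.5, 3.0, False, 10_000.0)
    print(classify(facts))
    aware = datetime(2024, 11, 20, 9, 0, tzinfo=UTC)
    for name, due in reporting_deadlines(aware, aware + timedelta(hours=2)).items():
        print(f"{name:12s} due {due.isoformat()}")
```

The second branch of the `min()` is the one teams get wrong in practice: if classification drags on for 23 hours, the initial notification is due one hour later, not four. Run the function with `weekend_relief=False` for entities that do not benefit from the next-working-day rule.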
DORA: RTS on Harmonization of Conditions for Oversight Activities
The RTS on oversight harmonization introduces standardized conditions for supervisory authorities when assessing financial entities' ICT resilience and overseeing third-party providers.
The regulation ensures consistent risk assessment methodologies and supervisory actions across EU member states. Financial entities’ preparedness, resilience, and compliance are evaluated against uniform criteria, promoting harmonization.
The RTS strengthens cooperation mechanisms by establishing clear procedures for collaboration between European Supervisory Authorities (ESAs) and national competent authorities. It includes a structured information exchange framework to avoid duplication and ensure effective oversight, especially for cross-border financial entities.
Special attention is given to subcontracting arrangements for ICT services. Supervisors are tasked with assessing the operational resilience and risk chain associated with subcontractors, ensuring critical functions remain secure and uninterrupted.
RTS on Threat-Led Penetration Testing (TLPT)
The Threat-Led Penetration Testing (TLPT) framework introduces advanced resilience testing to identify vulnerabilities in financial entities' ICT systems. This regulation applies to entities with systemic importance or those providing critical services, based on ICT maturity, risk exposure, and overall significance to financial stability.
Aligned with the TIBER-EU framework, TLPT involves three phases:
- Preparation – Scoping, intelligence gathering, and planning the test.
- Execution – Simulating real-world cyberattacks to identify vulnerabilities.
- Closure – Reporting findings, implementing remediation plans, and holding a debrief session.
Financial entities must conduct TLPTs at least once every three years, overseen by competent authorities. While external testers are preferred for impartiality, internal teams may be used under strict conditions, including conflict-of-interest safeguards.
Guidelines on Estimation of Aggregated Costs/Losses from Major ICT-related Incidents
To ensure financial entities can assess and report the impact of major incidents, the guidelines provide a standardized cost estimation framework.
Entities must calculate gross costs (e.g., system recovery, remediation) and account for financial recoveries like insurance claims. Only incidents classified as “major” under DORA are included in annual estimations.
The reporting template categorizes costs into:
- Direct losses: Recovery efforts, regulatory fines, and compensation.
- Indirect costs: Business interruption, reputational damage, and opportunity costs.
For proportionality, smaller entities with lower ICT complexity face simplified reporting obligations, ensuring compliance remains manageable.
Guidelines on Oversight Cooperation
The oversight cooperation guidelines formalize collaboration between ESAs and national authorities. A structured framework mandates timely exchanges of risk assessments, incident reports, and oversight findings to streamline supervision and avoid duplication.
For critical third-party providers, Joint Examination Teams (JET) conduct coordinated assessments across the EU to ensure consistency and unified oversight. Follow-up mechanisms are included to monitor remediation plans and share progress among authorities.
DORA: Subcontracting ICT Services: Conditions and Assessments
The RTS on subcontracting ICT services provides a detailed framework to manage risks associated with third-party and subcontractor dependencies. Financial entities must retain full accountability for ICT service performance, regardless of subcontracting.
Entities are required to perform comprehensive risk assessments before entering subcontracting arrangements. This includes identifying subcontracting scopes and ensuring that providers have adequate technical, human, and financial resources.
To mitigate risks, stringent controls must address service disruptions, concentration risks, and compliance failures. Entities must monitor the entire subcontracting chain and ensure contractual agreements align with governance and resilience standards.
Assessments must also consider data location and access risks: where subcontractors are located, particularly in non-EU jurisdictions, and the associated legal, geopolitical, and compliance risks.
Contractual and Governance Requirements
Contracts between financial entities and ICT third-party providers must include strict governance and reporting conditions, ensuring continuous oversight of the subcontracting chain. The key provisions include:
- Approval of Subcontractors: Financial entities must explicitly approve subcontracting arrangements and any material changes before implementation. Contracts must outline notice periods sufficient for risk analysis and approval.
- Monitoring Obligations:
- The ICT third-party provider must continuously monitor subcontractor performance and compliance with service level agreements (SLAs).
- Reporting mechanisms must ensure transparency and accountability in subcontracted services.
- Audit and Access Rights: Financial entities and supervisory authorities retain the right to audit subcontractors to assess their adherence to ICT risk management and security standards.
Digital Operational Resilience: Ongoing Monitoring and Risk Management
To mitigate risks during the lifecycle of subcontracting, financial entities must:
- Update Risk Assessments: Regularly review subcontractor risks, particularly in response to changes in business environments, ICT threats, or concentration risks.
- Track Performance Metrics: Implement clear SLAs, KPIs, and performance monitoring frameworks to evaluate subcontractor reliability and service quality.
- Incident Management and Continuity Plans: Contracts must include provisions for incident response and business continuity, ensuring service delivery in case of disruptions caused by subcontractor failures.
Termination Rights and Contingency Planning
The RTS empowers financial entities with clear termination rights. If subcontractors:
- Fail to meet contractual obligations,
- Implement unauthorized changes to subcontracting arrangements,
- Breach compliance or pose excessive risks,
then financial entities can terminate contracts to safeguard their ICT systems and operations.
Business continuity plans must also include clear remediation strategies to address subcontractor failures, ensuring uninterrupted provision of ICT services supporting critical functions.
B. Delegated Regulations by the European Commission
The European Commission issued three Delegated Regulations to supplement and operationalize the Digital Operational Resilience Act (DORA), focusing on ICT incident classification, governance for ICT third-party services, and ICT risk management tools. These regulations aim to standardize operational resilience frameworks across the European Union financial sector and ensure harmonized compliance. Below is an elaboration of the key areas introduced:
Commission Delegated Regulation (EU) 2024/1772: Classification Criteria for ICT Incidents and Threats
This regulation establishes a robust framework for classifying ICT-related incidents and cyber threats, ensuring financial entities adopt a unified approach.
The classification criteria are tailored to identify incidents that may disrupt financial stability or key operational processes. Key dimensions include the scale, duration, and impact of the incident on financial services, customers, and the market. Incidents must be evaluated for economic consequences, such as financial losses, operational downtime, and reputational damage. A structured threshold system is introduced to categorize incidents as “major,” requiring immediate reporting, and significant cyber threats that warrant precautionary action.
The regulation also defines procedures for continuous reassessment, ensuring financial entities remain vigilant in identifying and escalating ICT disruptions. Notably, incidents with cross-border implications are emphasized, mandating cooperation among authorities and streamlining reporting processes to reduce administrative burdens.
Commission Delegated Regulation (EU) 2024/1773: Policies on ICT Services Supporting Critical or Important Functions
The second regulation introduces stringent governance requirements for the use of ICT services from third-party providers, focusing on critical or important business operations.
Financial entities are mandated to adopt policies that comprehensively address third-party risks, ensuring accountability remains with the financial institution despite outsourcing arrangements. The regulation requires clear delineation of roles, responsibilities, and contractual terms for ICT services, including:
- Service Continuity and Resilience: Providers must maintain uninterrupted support for critical functions, with contingency plans addressing disruptions.
- Risk Monitoring and Management: Financial institutions are expected to conduct regular assessments of third-party providers, ensuring their operational resilience aligns with DORA requirements.
- Subcontracting Chains: Entities must assess subcontracting arrangements, ensuring visibility and risk control throughout the service delivery chain.
This regulation emphasizes the principle of proportionality, accommodating smaller entities while ensuring systemic financial institutions adhere to higher governance standards. It also mandates a standardized information register, enabling consistent reporting and monitoring of third-party ICT relationships.
Commission Delegated Regulation (EU) 2024/1774: ICT Risk Management Tools and Simplified Frameworks
The third regulation provides detailed specifications for implementing ICT risk management frameworks.
Financial entities must integrate advanced tools, processes, and governance measures to identify, mitigate, and respond to ICT risks. The framework is designed to ensure scalability and harmonization, promoting resilience across varying entity sizes and complexity.
- Tools and Methods: Entities must employ proactive monitoring systems, including automated tools to detect vulnerabilities, threats, and disruptions.
- Simplified Framework for Smaller Entities: Recognizing resource constraints, the regulation outlines a proportionate risk management approach for smaller financial entities. The simplified framework allows for tailored risk identification and mitigation, while maintaining fundamental requirements for resilience and reporting.
- Continuous Assessment: Entities are required to conduct periodic reviews of their ICT risk posture, ensuring readiness to address emerging cyber threats and operational challenges.
The regulation also integrates guidelines on identifying and documenting critical functions, ensuring that ICT risk strategies align with operational priorities. Stress testing, threat simulations, and penetration testing frameworks are explicitly defined to enhance readiness against real-world risks.
C. November 2024: Finextra Article on Mandatory ICT Risk Reporting
Finextra's November 2024 analysis centres on the mandate for financial entities to maintain a comprehensive register of ICT third-party providers and associated contractual arrangements. Institutions are required to document not only direct ICT providers but also subcontractors down the supply chain, ensuring transparency into dependencies that might pose systemic risks. Each provider must be ranked in the chain to identify critical relationships, with unique identifiers enabling consistent tracking across organizational levels.
The reporting templates introduced are technology-neutral and scalable, addressing concerns around administrative burdens. Financial entities, regardless of size, must report ICT risks consistently at entity, sub-consolidated, and group levels. This approach minimizes duplication while enhancing regulatory oversight and systemic risk detection.
A critical aspect emphasized is risk assessment for ICT services supporting critical or important functions. Financial institutions must evaluate the substitutability of these services, assess the potential impact of disruptions, and implement regular audits. Subcontracting chains are scrutinized to identify vulnerabilities, particularly in concentrated ICT markets where a single service provider could become a point of failure.
Finextra also points to the operational challenges institutions face, particularly smaller firms, in adapting to the regulatory demands. Despite the proportionality measures, reporting accuracy, timeliness, and comprehensive risk monitoring remain significant hurdles. Larger institutions, on the other hand, must integrate these new frameworks into their existing governance structures while navigating complexities within intra-group and external ICT relationships.
The analysis concludes that while the mandatory reporting framework introduces significant compliance obligations, it ultimately enhances the sector’s resilience. By fostering transparency, consistency, and proactive risk management, the regulation ensures that financial institutions are better equipped to withstand ICT disruptions and systemic risks.
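The register of information (ITS section above), the subcontracting RTS's point about data location, and the Finextra points about ranking, unique identifiers and concentration all describe the same artefact: a structured record of every ICT arrangement and its chain, over which an entity runs checks. The following Python is an added example for this page, not the ESAs' ITS template and not Finextra's or any project's code. Field names, the fictitious providers, the placeholder identifiers (real registers use LEIs) and the EU/EEA country test are constructed assumptions; the checks it runs are the ones the text calls for: rank every chain member, find providers concentrated across critical functions, flag non-EU chain members behind critical services, and flag critical contracts missing exit or audit provisions.

```python
"""Added example: a minimal register of information with the checks the
text describes. Not the ITS template; sample rows and IDs are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# EU/EEA, ISO 3166-1 alpha-2. Assumption: this is the whole jurisdiction test;
# a real assessment also weighs legal and geopolitical factors.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Provider:
    provider_id: str   # unique identifier, e.g. an LEI; placeholder values below
    name: str
    country: str


@dataclass(frozen=True)
class Arrangement:
    contract_ref: str
    provider: Provider            # direct ICT third-party provider (rank 1)
    service: str
    critical_or_important: bool
    functions: tuple              # business functions the service supports
    subcontractors: tuple = ()    # chain below the direct provider (rank 2..n)
    exit_strategy: bool = False
    audit_rights: bool = False

    def chain(self):
        return (self.provider,) + tuple(self.subcontractors)


def chain_rows(register):
    """Flatten to (contract_ref, rank, provider_id): one row per chain member."""
    return [(a.contract_ref, rank, p.provider_id)
            for a in register for rank, p in enumerate(a.chain(), start=1)]


def concentration_risk(register, min_functions=2):
    """Providers anywhere in a chain that support >= min_functions critical functions."""
    supported = defaultdict(set)
    for a in register:
        if not a.critical_or_important:
            continue
        for p in a.chain():
            supported[p.provider_id].update(a.functions)
    return {pid: sorted(fns) for pid, fns in supported.items() if len(fns) >= min_functions}


def non_eu_exposure(register):
    """Critical arrangements with any chain member located outside the EU/EEA."""
    out = {}
    for a in register:
        if not a.critical_or_important:
            continue
        outside = [p.provider_id for p in a.chain() if p.country not in EU_EEA]
        if outside:
            out[a.contract_ref] = outside
    return out


def contract_gaps(register):
    """Critical arrangements missing an exit strategy or audit/access rights."""
    gaps = {}
    for a in register:
        if not a.critical_or_important:
            continue
        missing = [name for name, ok in (("exit_strategy", a.exit_strategy),
                                         ("audit_rights", a.audit_rights)) if not ok]
        if missing:
            gaps[a.contract_ref] = missing
    return gaps


# Constructed sample register: fictitious providers and placeholder identifiers.
CLOUD_A = Provider("LEI-CLOUDA-0001", "CloudA Ltd", "IE")
DC_X = Provider("LEI-DCX-0002", "DataCentre X Inc", "US")
SAAS_B = Provider("LEI-SAASB-0003", "SaaS B GmbH", "DE")

REGISTER = (
    Arrangement("C-001", CLOUD_A, "core banking hosting", True,
                ("payments", "core-banking"), subcontractors=(DC_X,),
                exit_strategy=True, audit_rights=True),
    Arrangement("C-002", CLOUD_A, "trading platform hosting", True,
                ("trading",), exit_strategy=False, audit_rights=True),
    Arrangement("C-003", SAAS_B, "HR system", False, ("hr",),
                subcontractors=(CLOUD_A,)),
)

if __name__ == "__main__":
    for row in chain_rows(REGISTER):
        print(row)
    print("concentration:", concentration_risk(REGISTER))
    print("non-EU exposure:", non_eu_exposure(REGISTER))
    print("contract gaps:", contract_gaps(REGISTER))
```

Note that the concentration check walks the whole chain, so a data-centre operator that never signs a contract with the entity still shows up as a single point of failure behind two critical functions, and the non-critical HR contract does not inflate CloudA's count even though CloudA sits in its chain.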
DORA: Key Takeaways for Financial Institutions
Financial institutions must prioritize compliance with DORA’s stringent regulatory requirements to enhance their digital operational resilience. A few critical points to focus on include:
- Implementation of the ICT Risk Management Framework: Institutions need to establish robust systems for identifying, managing, and mitigating ICT risks. This includes adopting clear governance structures, continuous monitoring, and incident response plans. Smaller entities can leverage the simplified framework to ensure proportionate compliance without undue strain.
- Strengthening Oversight of ICT Third-Party Providers: Firms must conduct comprehensive risk assessments of third-party service providers and their subcontractors, focusing on contractual agreements, service continuity, and resilience. This involves implementing governance mechanisms, regular audits, and exit strategies to safeguard critical functions.
- Mandatory Incident Reporting: Timely reporting of major ICT incidents and significant cyber threats is essential. Institutions should streamline internal reporting processes to meet the specified timelines while minimizing administrative burdens.
- Focus on Threat-Led Penetration Testing (TLPT): Systemically important financial entities must conduct TLPTs every three years to identify vulnerabilities and enhance resilience. Institutions should prepare for rigorous testing, including collaboration with internal and external teams under strict conditions.
- Proactive Cost Estimation for ICT Disruptions: Institutions must develop standardized methods to calculate and report aggregated costs and losses from major ICT-related incidents. Proper categorization of direct and indirect losses is key to achieving transparency and supporting recovery planning.
By addressing these areas proactively, financial entities will not only comply with DORA’s requirements but also strengthen their ability to withstand ICT disruptions, ultimately safeguarding their operational stability and market integrity.
While DORA’s comprehensive regulatory framework significantly enhances digital resilience, financial institutions face considerable challenges in meeting its requirements.
- Compliance Burden: Smaller entities, despite proportionality measures, may struggle with resource constraints when implementing ICT risk frameworks and incident reporting systems. For larger institutions, the complexity of intra-group ICT governance and oversight of extensive third-party networks presents additional hurdles.
- Operational Readiness: Achieving the mandatory incident reporting timelines—such as four-hour and 24-hour deadlines—requires institutions to enhance internal reporting processes, automation tools, and response coordination. Maintaining accuracy while under pressure to meet these timelines remains a significant challenge.
- Third-Party Risk Management: Growing dependencies on ICT third-party providers, particularly cloud services and external platforms, increase risks related to subcontracting chains. Managing visibility, legal compliance, and resilience across complex vendor networks remains a key area of concern.
- Penetration Testing Demands: Threat-led penetration testing imposes operational and financial costs. Access to qualified external testers, meeting strict governance conditions for internal teams, and executing real-world attack simulations require significant preparation and investment.
Looking ahead, regulatory oversight and enforcement will likely intensify as competent authorities strengthen their monitoring and assessment mechanisms. Emerging technologies, including AI-driven cyber tools and evolving cyber threats, will necessitate continuous updates to ICT risk management strategies.