DORA · Reg. (EU) 2022/2554 · applicable since 2025-01-17

DORA: resilience is measured, not declared.

DORA requires financial entities to prove demonstrable digital operational resilience: ICT risk governed by the board, major incidents reported within hours, tests driven by the real threat. An attack on the financial sector is not a balance-sheet event: it is someone, with a name and known TTPs.

4h · Initial notification
72h · Intermediate report
1 month · Final report
Regulatory framework: Reg. (EU) 2022/2554 · RTS 2025/301 · TIBER-EU · ESAs (EBA, ESMA, EIOPA)
Operations: European SOC 24·7·365 · Milan · since 2017
The five DORA pillars

Five obligations, one implicit requirement: operational capability.

DORA does not ask for policies: it asks you to detect, classify, report, test and oversee. Every pillar presupposes an operation that actually works, 24·7·365.

01 · ICT risk management

A documented ICT risk framework approved by the management body: accountability sits with the board, not just IT. Asset mapping, protection, detection, response and recovery.

02 · Incident reporting

Classification of ICT incidents and reporting of major ones to the supervisor: 4 hours from classification, intermediate report at 72 hours, final within 1 month. Harmonised templates (RTS 2025/301).

03 · Resilience testing

A risk-proportionate testing programme, up to TIBER-EU-based TLPT at least every 3 years for significant entities: scenarios built on the actors that actually target the sector.

04 · ICT third-party risk

Register of ICT contracts, mandatory clauses, exit strategies, direct European oversight of critical providers. Your supplier's resilience becomes part of yours.

05 · Information sharing

Voluntary exchange of cyber threat intelligence between financial entities: IOCs, TTPs, sector alerts. Sector defence is collective or it is nothing.

Proof · the timings DORA presupposes

Reporting in 4 hours requires detecting in minutes.

4h · initial notification · from classification (≤24h from detection)
<15 min · Fortgale median TTD · from telemetry to alert
<30 min · Fortgale median TTC · from detection to analyst action
287 · tracked adversary groups and attack tools in our CTI
Scope

Who is in scope of DORA.

More than 20 categories of financial entities: banks, investment firms, insurers and reinsurers, payment and e-money institutions, fund managers, trading venues, crypto-asset service providers, plus critical ICT providers designated by the European authorities. Unlike NIS2, DORA is a regulation: identical across the EU, no national transposition, applicable since 17 January 2025.

FAQ

Frequently asked about DORA.

Who is in scope of the DORA Regulation?

EU financial entities: banks, investment firms, insurers, payment and e-money institutions, fund managers, trading venues, crypto-asset service providers, plus designated critical ICT providers. Supervision sits with your national financial authority together with the ESAs (EBA, ESMA, EIOPA).

What are the incident reporting deadlines?

Three stages (RTS 2025/301): initial notification within 4 hours of classifying the incident as major, and no later than 24 hours from detection; intermediate report within 72 hours; final report within 1 month with complete root cause analysis.

Does DORA replace NIS2 for banks?

DORA is lex specialis: on the obligations it covers (ICT risk, reporting, testing) it prevails over NIS2 for financial entities. Non-financial suppliers in the chain remain in the NIS2 perimeter.

What are TLPTs?

Threat-led penetration tests on the TIBER-EU framework: scenarios built on the actors and TTPs that actually target your sector. Mandatory at least every 3 years for significant entities. Their quality depends on the threat intelligence behind them.

Is DORA already in force?

Yes, since 17 January 2025, in all Member States and with no national transposition. The technical standards on reporting, testing and third parties are operational too.

Where to start

Knowing the adversary is the first act of defence. Stopping them in time is the second.

A DORA assessment clarifies the distance between your operational capability and the one the regulation presupposes. European SOC headquartered in Milan since 2017, 24·7·365: we reply within one business day.

Response time: < 1 business day.