DORA Complete Guide
The EU’s Digital Operational Resilience Act, explained the way you’d explain it to someone who actually has to comply with it.
What Is DORA?
The EU’s rulebook for surviving a tech outage, not just a market crash.
The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is the European Union’s binding framework for managing information and communication technology (ICT) risk across the financial sector. It entered into force on 16 January 2023 and became fully applicable on 17 January 2025 – as a Regulation rather than a Directive, it applies directly and identically in every Member State, with no national transposition needed.
DORA marks a deliberate shift in what financial regulation actually protects against. Older rules were built to ensure a bank had enough capital to survive a market shock. DORA assumes a different failure mode – a cyberattack or a system outage – and requires entities to prove they can withstand it, respond to it, and recover from it, not just absorb the financial cost afterward.
DORA also consolidates rules that used to sit scattered across PSD2, MiFID II, and Solvency II into one consistent ICT risk framework – closing gaps where some Member States previously had strict requirements and others had almost none.
How GCAI helps: GCAI maps your existing PSD2, MiFID II, or Solvency II controls against DORA’s five pillars first, so you’re not rebuilding governance work that already satisfies part of the requirement.
Who Must Comply With DORA?
Far wider than “banks” – and it reaches non-EU firms too.
Article 2 of the Regulation lists 21 categories of financial entity in scope, covering effectively the entire EU financial ecosystem – credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and several more besides. Estimates put the total number of entities covered at roughly 22,000 across the EU.
The reach extends beyond EU borders. Any entity providing financial services within the EU falls into scope, including UK, US, or other non-EU institutions that operate EU subsidiaries or offer EU-facing services – physical headquarters location doesn’t exempt an organisation if it’s serving EU clients.
ICT third-party providers are pulled into the regulatory perimeter too – not directly regulated the way a bank is, but contractually bound through the financial entities that use them, and in the case of the largest providers, placed under direct supervision.
How GCAI helps: GCAI confirms your exact entity classification under Article 2 and checks whether the Article 16 simplified framework applies, so you’re scoped to the right tier of obligation from day one.
The Five Pillars of DORA
Every requirement in the Regulation sits under one of five interconnected domains.
DORA’s obligations are organised into five pillars, and the volume of supervisory attention on each one has shifted as enforcement has matured through 2025 and into 2026 – third-party risk management and the Register of Information have drawn the most scrutiny so far.
| Pillar | What it requires |
|---|---|
| ICT risk management & governance | Board-owned risk framework, asset inventory, continuous monitoring |
| Incident management & reporting | Classification, escalation, and regulator notification within set timeframes |
| Digital operational resilience testing | Regular testing; Threat-Led Penetration Testing (TLPT) every 3 years for significant entities |
| ICT third-party risk management | Due diligence, key contractual provisions, the Register of Information |
| Information & intelligence sharing | Voluntary exchange of cyber threat intelligence across the sector |
Governance sits underneath all five: the management body – the board, in practice – owns the ICT risk framework directly. That means a documented resilience strategy, a defined risk appetite, and senior leaders who can show active engagement with ICT risk in a supervisory review, not just a governance chart that exists on paper.
How GCAI helps: GCAI builds evidence trails for each of the five pillars from the start, since 2026 supervisory reviews are checking whether controls are actively working, not just whether they exist.
Incident Reporting Under DORA
The clock starts the moment an event is classified — not when it’s discovered.
DORA introduces standardized, time-bound reporting for major ICT-related incidents. Once a financial entity classifies an event as “major” against the Regulation’s materiality thresholds, it must notify its national competent authority within hours – not days – using a set reporting template, and follow up with intermediate and final reports as the incident develops and resolves.
Significant cyber threats can also be reported on a voluntary basis even when they don’t rise to a major incident – the Regulation is deliberately built to capture near-misses and emerging patterns, not just confirmed breaches, so authorities can spot sector-wide risk before it cascades.
How GCAI helps: GCAI builds your incident classification and escalation workflow against the actual materiality thresholds, so a real event doesn’t stall while someone debates whether it counts as “major.”
Resilience Testing & TLPT
Compliance isn’t a document review — it’s a controlled attack on your own systems.
DORA requires every covered entity to test its ICT systems regularly, including vulnerability assessments and gap analyses scaled to the entity’s size and risk profile. For entities identified as systemically important, that baseline testing isn’t enough – they must also undergo Threat-Led Penetration Testing (TLPT) at least once every three years.
TLPT is a live, controlled cyberattack carried out by accredited red-team testers against production systems, designed to verify that defences hold up under realistic pressure rather than in a sandboxed test environment. The TIBER-EU framework – maintained by the Eurosystem and updated in February 2025 to align with DORA’s regulatory technical standards – sets the common methodology authorities expect entities and testers to follow across all 27 Member States.
How GCAI helps: GCAI scopes whether your entity meets the TLPT threshold and, if so, coordinates the test against TIBER-EU methodology so the results hold up under regulatory review.
The Register of Information
The single requirement that’s tripped up the most organisations so far.
Article 28(3) requires every in-scope entity to maintain a Register of Information – a structured record of every contractual arrangement with an ICT third-party provider, kept at entity, sub-consolidated, and consolidated group levels. It’s not an internal document: the register goes to the national competent authority, which in turn feeds it to the European Supervisory Authorities for systemic risk monitoring and the designation of Critical ICT Third-Party Providers.
This has proven to be the hardest single piece of DORA in practice. Industry research from Deloitte found that a large share of financial entities name the Register of Information as the most challenging requirement to satisfy, typically because vendor metadata is inconsistent, contract inventories are incomplete, and ownership of subcontractor and intra-group ICT relationships is unclear across business units.
How GCAI helps: GCAI centralises your scattered vendor contracts into a single Register of Information structure before the annual submission deadline, rather than reconstructing it from procurement, legal, and business-unit records under time pressure.
Critical ICT Third-Party Providers
The largest tech vendors are now directly supervised by EU regulators — not just contractually bound.
DORA establishes an EU-wide oversight framework for Critical ICT Third-Party Providers (CTPPs) – vendors whose failure could create systemic risk across the financial sector because so many entities depend on them. Designation isn’t voluntary or self-declared; the European Supervisory Authorities assess and designate CTPPs based on factors including market concentration and the scale of financial entities relying on a given provider.
As of November 2025, 19 ICT service providers – including the major hyperscale cloud platforms – have been designated critical and are now subject to direct EU supervisory oversight, rather than oversight that flows only indirectly through the financial entities that use them. A designated Lead Overseer can fine a non-compliant CTPP up to 1 percent of its average daily worldwide turnover for each day of continued non-compliance.
How GCAI helps: GCAI checks which of your ICT vendors sit on the CTPP designation list, since that changes the contractual leverage and audit rights you should be negotiating into the relationship.
DORA Penalties & Enforcement
2026 is the year supervisors stopped reviewing paperwork and started demanding proof.
Financial entities that breach DORA face fines that can reach 10 percent of annual turnover or €10 million, whichever applies under the relevant national regime, with individual senior managers personally exposed to fines of up to €1 million – a deliberate design choice that makes ICT governance a personal accountability matter for the board, not just a compliance line item.
| Party | Maximum exposure |
|---|---|
| Financial entity (serious breach) | Up to 10% of annual turnover or €10 million |
| Individual senior manager | Up to €1 million personally |
| Critical ICT Third-Party Provider | Up to 1% of average daily worldwide turnover, per day |
The informal tolerance period that followed the January 2025 application date is over. National Competent Authorities are now running active supervisory reviews, and the working assumption among legal advisors is that 2026 marks DORA’s shift into a genuine enforcement maturity phase – supervisors checking whether controls are actually operating and evidenceable on demand, not simply whether a policy document exists.
How GCAI helps: GCAI builds your compliance evidence to be supervisor-ready on demand — logs, test results, and incident records organised the way an examiner will actually ask for them, not just filed away as policy.
DORA FAQ
The questions that come up most once the basics are out of the way.
Is DORA already in force? Yes. It entered into force in January 2023 and became fully applicable on 17 January 2025. The initial supervisory tolerance period has ended, and active enforcement is underway through 2026.
Does DORA apply to companies outside the EU? Yes, if they provide financial services within the EU. UK, US, and other non-EU institutions with EU operations or EU-facing services fall into scope just as EU-headquartered entities do.
How is DORA different from NIS2? NIS2 sets baseline cybersecurity rules across many critical sectors EU-wide. For financial services specifically, DORA is the specialised rulebook – it takes precedence over NIS2’s general requirements for entities that fall under both.
What’s the single hardest requirement to meet? In practice, the Register of Information. Surveys of financial entities consistently name it the most difficult DORA obligation, largely due to scattered vendor contracts and unclear ownership of subcontractor relationships across business units.
Do smaller firms face the same obligations as major banks? Not identically. DORA is built on proportionality – microenterprises and certain smaller entities can use a simplified ICT risk framework under Article 16 – but every in-scope entity still has to demonstrate the core obligation of operational resilience.
What should we be doing right now? Centralise your ICT vendor contracts into a single Register of Information, confirm whether your entity meets the TLPT threshold, and make sure board-level engagement with ICT risk is documented and evidenceable – not just a policy that exists on paper.
How GCAI helps: GCAI’s DORA readiness review can answer most of the questions above for your specific entity in a single working session, including whether your current vendor contracts already meet the key contractual provisions DORA requires.