
In a rapidly evolving threat landscape, the European Union has taken a proactive approach to addressing cyber risk in the financial sector by introducing the Digital Operational Resilience Act (DORA). DORA establishes a unified framework for ICT risk management, incident reporting, resilience testing, threat intelligence sharing, and third-party risk management. Its aim is to ensure that financial entities can withstand, respond to, and recover from ICT disruptions, including cyberattacks, without interrupting the services they provide.

With supervisory cyber resilience stress tests already under way in 2024 and the compliance deadline passed in January 2025, financial institutions that have not yet aligned with DORA should close the gap as a priority. This article explains DORA, its scope, its objectives, and how to meet its requirements in 2025.

What is DORA?

DORA is a unified EU regulation that strengthens the cybersecurity and operational resilience of the financial sector. It requires financial entities to demonstrate that they can defend against, respond to, and recover from cyberattacks and other ICT-related disruptions.

In September 2020, the European Commission proposed the DORA regulation as part of its Digital Finance Strategy. It then came into force on January 16, 2023, initiating a 24-month transitional period for implementation. The final deadline for compliance for all impacted organizations was January 17, 2025. 

DORA replaces fragmented national regulatory initiatives with a single approach to mitigating ICT-related incidents across Europe's financial industry. It functions alongside other EU rules such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (now NIS2).

Look at the DORA compliance checklist to learn more about how organizations can stay above board.

Why is DORA needed?

Before DORA, the EU's approach to managing ICT risk in the financial sector was fragmented. The result was a patchwork of national regulations that financial entities found difficult to navigate, leading to inconsistencies and gaps in cybersecurity across the bloc. The post-2008 financial services reforms had focused mainly on financial resilience, treating ICT risk as a secondary concern. DORA was introduced to close this specific regulatory gap.

DORA addresses the shortcomings of existing EU regulations by providing a unified, sector-specific framework. For example, while the Network and Information Security Directive 2 (NIS2) has a broader scope covering multiple critical sectors, DORA is a "lex specialis," or specific law, for the financial industry, taking precedence over NIS2 for financial institutions. Similarly, while the Payment Services Directive 2 (PSD2) focused on securing digital payments, DORA creates a holistic framework for operational resilience that applies to all ICT-related incidents, not just payment-related ones. 

DORA also brings critical ICT third-party service providers under direct EU-level oversight, something no single EU regulation had previously mandated. This shift to one legally binding framework for operational resilience means that financial entities and the critical technology providers they depend on are both subject to supervision, strengthening the stability of the EU financial system as a whole. To help with this process, use this DORA gap analysis template workbook to help your organization stay compliant.

DORA Requirements and Pillars

DORA's framework consists of five pillars, each addressing a critical aspect of digital operational resilience.

Pillar 1: ICT risk management

Financial entities must establish a comprehensive ICT risk management framework to identify, assess, manage, and mitigate all ICT-related risks. The framework must be documented and reviewed at least once a year, and the management body carries ultimate responsibility for it. In practice this means setting a defined risk tolerance for ICT disruptions, maintaining an inventory of ICT assets and their dependencies, specifying security controls for all critical assets, and developing, approving, and regularly testing business continuity and disaster recovery plans.

Pillar 2: Incident reporting

DORA mandates a streamlined process for reporting major ICT-related incidents to the competent authority, consolidating several overlapping reporting obligations into a single channel. Financial entities must have procedures to identify, track, log, and classify incidents based on their priority, severity, and criticality. For an incident classified as major, an initial notification must be submitted as early as possible and within four hours of classification, but no later than 24 hours after the entity becomes aware of the incident. An intermediate report follows within 72 hours of the initial notification, and a final report covering root cause analysis is due within one month of the intermediate report.

Pillar 3: Digital operational resilience testing

Financial entities must regularly test their ICT systems to assess and improve their resilience against disruption. Tests must be carried out by independent parties, whether internal or external. All financial entities must establish a testing program that includes a full range of appropriate tests, such as vulnerability assessments and scans, network security assessments, gap analyses, and scenario-based tests. For the most significant financial entities, DORA additionally mandates Threat-Led Penetration Testing (TLPT) at least every three years, conducted against live production systems and covering several or all of the entity's critical or important functions.

Pillar 4: ICT third-party risk management

DORA requires financial entities to proactively manage the risks associated with third-party ICT service providers. Organizations must maintain a register of information covering all contractual arrangements for ICT services, conduct due diligence on providers before contracting, and ensure robust contractual agreements are in place. These contracts must cover items such as service descriptions and locations, data protection, incident support, audit and access rights, and termination and exit provisions. The European Supervisory Authorities (ESAs), acting as Lead Overseers, oversee critical ICT third-party providers directly and can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months, for non-compliance.

A helpful tool for this process is our free DORA risk assessment template.

Pillar 5: Information Sharing

DORA permits and encourages the voluntary exchange of cyber threat information and intelligence among financial entities, including indicators of compromise, tactics, techniques and procedures, and security alerts. This pillar encourages participation in trusted information-sharing communities to raise awareness of new cyber threats and vulnerabilities. The objective is to enhance financial entities' collective digital operational resilience by sharing accurate, relevant, and timely information.

Mapping DORA to other frameworks

Organizations can leverage existing cybersecurity and risk management efforts to help meet DORA's requirements. Many well-known frameworks, such as ISO 27001, NIST CSF, and SOC 2, have overlapping domains that can be mapped to DORA's pillars, providing a strategic path to compliance.

DORA vs. ISO 27001

ISO 27001 has long been the standard for information security management systems, and it aligns closely with DORA's requirements. Both emphasize a systematic, management-led approach to risk management, incident management, and business continuity.

  • ICT risk management: ISO 27001 requires organizations to assess information security risks and implement appropriate controls, directly supporting DORA's requirement for a systematic ICT risk management framework.
  • Incident response and reporting: ISO 27001 defines controls for managing information security incidents and learning from them, which align with DORA's incident management requirements, although DORA's fixed reporting deadlines go beyond what ISO 27001 prescribes.
  • ICT third-party risk management: ISO 27001 includes controls for managing information security in supplier relationships, which support DORA's third-party obligations, although DORA additionally requires a register of information and specific contractual clauses.

DORA vs. NIST Cybersecurity Framework (CSF)

The NIST CSF provides a comprehensive, outcome-based approach to managing and reducing cybersecurity risk, and its Functions map well to DORA's pillars.

  • ICT risk management: The NIST CSF 2.0 Govern and Identify Functions cover risk management strategy, asset management, and risk assessment, which correspond to DORA's ICT risk management pillar.
  • Incident response and reporting: The Detect, Respond, and Recover Functions cover incident analysis, response planning, and communications. They support DORA's incident reporting pillar by driving timely detection, classification, and escalation.
  • ICT third-party risk management: The Cybersecurity Supply Chain Risk Management category within the Govern Function, together with the Identify and Protect Functions, supports the management of supply chain risk.

DORA vs. SOC 2

SOC 2 is a voluntary attestation, based on the AICPA Trust Services Criteria, in which an independent auditor reports on a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. While it shares overlapping goals with DORA, particularly around security and availability, there are several important differences.

  • Scope: SOC 2 is a voluntary framework, whereas DORA is a legally binding regulation for financial entities and their critical ICT providers within the EU.
  • Risk management: Both require risk management, but DORA is more prescriptive, mandating a specific framework and, for certain entities, regular threat-led penetration testing.
  • Reporting: A SOC 2 Type I report describes controls at a point in time, and a Type II report covers their operation over a review period. DORA, by contrast, requires continuous monitoring and a strict process for reporting major incidents to the competent authority within fixed deadlines.

Steps for Achieving DORA Compliance

  1. Identify scope and impacted entities: Determine whether DORA covers your organization, and which of your ICT third-party providers support critical or important functions.
  2. Perform a gap analysis: Conduct a thorough maturity assessment against DORA's requirements to identify all compliance gaps in your ICT systems and processes.
  3. Update risk management and incident processes: Strengthen your ICT risk management framework and streamline incident reporting channels to align with DORA's requirements, including the classification criteria and reporting templates defined in its technical standards.
  4. Vet and monitor third-party service providers: Map all third-party dependencies, build and maintain the register of information, and implement a robust third-party risk management program so that contractual arrangements and service-level agreements meet DORA's requirements.
  5. Conduct operational resilience testing: Implement a digital resilience testing program and, if required, engage independent testers for Threat-Led Penetration Testing (TLPT) at least every three years.
  6. Document and report progress: Maintain detailed records of your ICT risk management practices, testing results, and incident reports so that you are ready for inspection by competent authorities.
  7. Train internal teams: Educate senior management, key stakeholders, and all relevant staff on their roles and responsibilities in achieving and maintaining DORA compliance.

How UpGuard helps

UpGuard provides a platform that helps organizations achieve and maintain DORA compliance, particularly through its vendor risk management and compliance mapping features.

We provide automatic compliance mapping and reporting against DORA by leveraging existing frameworks like the NIST CSF and ISO 27001.

The platform aids in key areas of DORA compliance:

  • Third-Party risk management: UpGuard's platform helps organizations find, track, and monitor the security posture of their vendors. You can use the platform to categorize vendors, compare them against industry benchmarks, and see how their security posture changes over time. It also provides pre-configured security questionnaires, including a specific DORA questionnaire, to streamline the assessment of third parties and identify compliance gaps.
  • Gap analysis and remediation: UpGuard offers a DORA maturity assessment workbook that maps relevant controls from the NIST CSF and ISO 27001 to the five main pillars of DORA. This tool helps organizations conduct a gap analysis to identify areas of non-compliance and create a remediation roadmap. UpGuard also provides automated remediation workflows, allowing you to request vendor remediation based on continuous monitoring and questionnaire responses.
  • Reporting and documentation: The platform centralizes vendor data and provides automated reporting, essential for meeting DORA's documentation requirements. It helps organizations maintain a register of information for all ICT service providers and can generate risk assessment reports.

UpGuard's focus on third-party risk management and its ability to map to established security frameworks like NIST CSF and ISO 27001 simplifies the DORA compliance process. Assess your DORA compliance today.
