The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force in January 2023 and has applied in full since 17 January 2025. For banks, investment firms, payment institutions, crypto-asset service providers, and their critical ICT suppliers, DORA is now the primary compliance framework for operational resilience: more prescriptive than NIS2, more enforceable than voluntary standards, and focused squarely on ICT risk.
Updated April 2026 · 15 min read · Not legal advice — consult qualified counsel for compliance decisions
Informational only. This guide summarises DORA obligations for planning purposes. It is not legal advice. Confirm your specific obligations with qualified legal counsel and your national competent authority's guidance.
DORA applies to financial entities operating in the EU and to the critical ICT third-party providers that serve them. Unlike NIS2, DORA applies regardless of entity size for most categories.
Microenterprises and small entities (fewer than 10 employees, annual turnover under €2M) have simplified obligations under DORA — primarily the ICT risk management framework and incident reporting requirements, with lighter testing and third-party risk requirements. Check your national competent authority's guidance to confirm your category.
Governance, strategy, and operational framework for managing ICT risks including backup, recovery, and cryptographic controls.
Classification, reporting timelines (4h / 72h / 1 month), and communication obligations for major ICT-related incidents.
Annual basic testing for all entities; advanced threat-led penetration testing (TLPT) every 3 years for significant entities.
Due diligence, contractual obligations, and oversight for critical ICT service providers including cloud, data centres, and SaaS.
Voluntary sharing of cyber threat intelligence and indicators of compromise with sector peers and authorities.
Chapter II of DORA requires financial entities to implement a comprehensive ICT risk management framework. This is not a checklist: it is an ongoing governance structure that the management body must define, approve, oversee and remain accountable for (Article 5).
DORA Article 12 specifically requires financial entities to have backup policies that cover:
For entities holding digital assets, cold storage architecture directly addresses these requirements. An air-gapped or immutable cold storage approach provides the geographic separation and integrity verification DORA expects. A useful planning metric is time to clean restore (TTCR): how long it takes to rebuild from a known-good cold copy into a verified, operational state. Article 12 expects restoration and recovery procedures to be tested periodically, so measure TTCR in exercises rather than estimating it.
DORA Article 9 requires protection and prevention measures that include policies on cryptography and the protection of cryptographic keys; the detailed requirements sit in the RTS on the ICT risk management framework (Delegated Regulation (EU) 2024/1774). For entities operating blockchain infrastructure, holding digital assets, or using cryptographic attestation for data integrity, this means:
DORA introduces a three-stage reporting process for major ICT-related incidents: an initial notification, an intermediate report, and a final report. These deadlines are tighter than NIS2's, particularly the 4-hour initial notification, which only works if the classification and notification process is built and rehearsed in advance.
DORA defines major incidents by criteria including: number of clients affected, duration, geographic spread, economic impact, and criticality of the affected services. The European Supervisory Authorities (ESAs) have set out the classification criteria and materiality thresholds in regulatory technical standards (Delegated Regulation (EU) 2024/1772). If in doubt, report: the consequences of under-reporting are generally worse than those of over-reporting.
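The clock logic above has one edge case that is easy to get wrong in a runbook: the initial notification is due 4 hours after you classify the incident as major, but never later than 24 hours after detection, so a slow classification eats into the 4-hour window. The following added example (not code from the original page or from any regulator) turns the timelines summarised on this page into a deadline calculator a SOC can call from an incident ticket. The 72-hour and one-month clocks are anchored on the actual submission time when known and on the deadline otherwise; treating "1 month" as one calendar month from the intermediate report is an assumption taken from the ESAs' reporting RTS and should be confirmed against your competent authority's guidance.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Timelines as summarised on this page.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # 4h from classification as major
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)   # ... but never later than 24h from detection
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # 72h after the initial notification


def _require_aware(ts: datetime, name: str) -> None:
    """Refuse naive datetimes: a 4-hour deadline computed in the wrong zone is useless."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb).
    Assumption: 'one month' means one calendar month, not 30 days."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime
    initial_capped_by_detection: bool  # True when the 24h-from-detection cap bit


def dora_major_incident_deadlines(
    detected_at: datetime,
    classified_major_at: datetime,
    initial_submitted_at: Optional[datetime] = None,
    intermediate_submitted_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Compute the three DORA reporting deadlines for one major incident.

    Later clocks start from the actual submission time when it is known,
    otherwise from the preceding deadline (the latest permissible start)."""
    for name, ts in (
        ("detected_at", detected_at),
        ("classified_major_at", classified_major_at),
        ("initial_submitted_at", initial_submitted_at),
        ("intermediate_submitted_at", intermediate_submitted_at),
    ):
        if ts is not None:
            _require_aware(ts, name)
    if classified_major_at < detected_at:
        raise ValueError("classification cannot precede detection")

    four_hours_rule = classified_major_at + INITIAL_AFTER_CLASSIFICATION
    detection_cap = detected_at + INITIAL_CAP_AFTER_DETECTION
    initial = min(four_hours_rule, detection_cap)

    initial_anchor = initial_submitted_at if initial_submitted_at is not None else initial
    intermediate = initial_anchor + INTERMEDIATE_AFTER_INITIAL

    intermediate_anchor = (
        intermediate_submitted_at if intermediate_submitted_at is not None else intermediate
    )
    final = add_one_month(intermediate_anchor)

    return ReportingDeadlines(
        initial=initial,
        intermediate=intermediate,
        final=final,
        initial_capped_by_detection=detection_cap < four_hours_rule,
    )


def is_overdue(deadline: datetime, submitted_at: Optional[datetime] = None,
               now: Optional[datetime] = None) -> bool:
    """True if a report was filed after its deadline, or is unfiled and the deadline has passed."""
    if submitted_at is not None:
        reference = submitted_at
    else:
        reference = now if now is not None else datetime.now(UTC)
    return reference > deadline


if __name__ == "__main__":
    # Constructed scenario: detected Monday 09:00 UTC, only classified as major 22h later.
    d = dora_major_incident_deadlines(
        detected_at=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),
        classified_major_at=datetime(2025, 3, 4, 7, 0, tzinfo=UTC),
    )
    print("initial due:", d.initial.isoformat(), "(capped)" if d.initial_capped_by_detection else "")
    print("intermediate due:", d.intermediate.isoformat())
    print("final due:", d.final.isoformat())
```

In the constructed scenario the 4-hour rule alone would allow until 11:00, but the 24-hour cap pulls the initial notification back to 09:00 the day after detection. Wiring `is_overdue` into the ticketing system's status checks gives the evidence trail supervisors ask for when they question a late report.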
DORA introduces mandatory resilience testing requirements — not just policies, but evidence that systems actually work.
Significant financial entities (identified by NCAs based on systemic importance and risk profile) must conduct threat-led penetration testing (TLPT) at least every three years (Article 26). TLPT simulates realistic attacker tactics against live production systems, under agreed safeguards, to find weaknesses that automated scanning and conventional penetration tests do not reach. The TIBER-EU framework provides the methodology, and the TLPT regulatory technical standards are aligned with it.
One of DORA's most operationally demanding requirements is its third-party risk framework. Financial entities must:
Designated Critical ICT Third-Party Providers (CTPPs): The ESAs can designate specific ICT providers as CTPPs based on their systemic importance to EU financial markets. Designated CTPPs are subject to direct oversight by the ESAs. Cloud hyperscalers (AWS, Azure, Google Cloud) are the obvious candidates; the ESAs publish the list of designated providers, so check it rather than assuming. If your institution relies on a CTPP, the oversight framework affects your contractual and monitoring obligations.
DORA creates a voluntary framework for financial entities to share cyber threat intelligence, indicators of compromise, and attack patterns. While participation is voluntary, authorities expect significant institutions to contribute — particularly where intelligence would benefit sector-wide resilience.
| Dimension | DORA | NIS2 |
|---|---|---|
| Scope | Financial entities only | Multiple critical sectors |
| Legal instrument | Regulation (directly applicable in all EU states) | Directive (requires national transposition) |
| ICT incident reporting deadline | 4h from classification (max 24h from detection) / 72h after initial notification / 1 month | 24 hours (early warning) / 72 hours / 1 month |
| Resilience testing mandate | Annual basic + 3-yearly TLPT for significant entities | Testing effectiveness of measures (no TLPT mandate) |
| Third-party risk | Detailed mandatory framework (register, contracts, exit strategies) | Supply chain security (less prescriptive) |
| Overlap for financial entities | DORA takes precedence — financial entities exempt from NIS2 for overlapping requirements | NIS2 does not apply where DORA covers the same area |
CASPs authorised under MiCA (Markets in Crypto-Assets Regulation) are explicitly in scope for DORA. This makes DORA the primary operational resilience framework for every regulated crypto exchange, custodian, and asset manager operating in the EU.
For CASPs, the most operationally intensive DORA requirements are:
For hardware wallet selection and cold storage architecture guidance relevant to DORA compliance, see our enterprise hardware wallet comparison and crypto security audit guide.
Financial entities: NCAs can impose administrative fines, periodic penalty payments during ongoing infringements, and public statements. The maximum fine amounts are determined at member state level; DORA itself does not set harmonised maximums for entity-level fines (unlike GDPR). Sanctions can include suspension of operations and, for management bodies, personal liability.
Critical ICT third-party providers (CTPPs): Under Article 35, the ESAs can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for each day of non-compliance, for a maximum of six months. This is among the most stringent enforcement mechanisms in EU financial regulation.
DORA is EU regulation and does not directly apply to UK entities post-Brexit. The UK has developed its own operational resilience framework (PRA/FCA Supervisory Statement SS1/21 and PS6/21), which has similar goals but different mechanics. UK entities serving EU clients through EU-authorised branches or subsidiaries will need DORA compliance for those entities.
Microenterprises (under 10 employees, under €2M turnover) have simplified obligations. Payment institutions and electronic money institutions classified as small or non-interconnected also have proportionate requirements for some pillars. The simplified framework still requires an ICT risk management framework, incident reporting, and third-party risk policies — but testing and third-party obligations are lighter.
ISO 27001 and NIST CSF provide an excellent foundation and will map well to DORA's ICT risk management pillar. However, DORA adds requirements that neither standard mandates: the specific incident reporting timelines (particularly the 4-hour initial notification), the TLPT requirement, and the prescriptive ICT third-party contractual provisions. A gap assessment against DORA is needed even for ISO 27001-certified entities.
CryoVault runs DORA-aligned cyber resilience audits covering ICT risk management, backup and cold storage architecture, key management policy, and the evidence package your supervisor expects. Scoped to your entity type and examination timeline.
Request an Audit → See also: Cyber Resilience Audit · NIS2 Compliance Guide