The Digital Operational Resilience Act — known globally as DORA — is Regulation (EU) 2022/2554. It entered into application on 17 January 2025 and applies to more than 20 types of financial entities operating across the European Union, from banks and insurers to crypto-asset service providers and ICT third-party vendors. It is not advisory guidance. It is binding law, backed by administrative penalties, public disclosure of breaches, and — in some Member States — criminal liability.
If you work in financial services, run ICT infrastructure for a financial entity, or advise regulated firms anywhere in the EU, DORA is already your problem — whether or not your organisation has started its compliance programme.
This guide covers everything: the regulation's origins, its five pillars, who it applies to, how penalties work, how it compares with ISO 22301 and other standards, and why DORA-specific professional certification has surged in demand since 2024. I've drawn directly from the official EIOPA and ESA sources, the regulation text, and the PECB DORA Lead Manager training material that we license and deliver here at reconn.
Key Takeaways
- DORA (EU 2022/2554) has been in force since 17 January 2025 — this is not a future requirement, it is current law
- It covers 20+ categories of financial entity and their ICT third-party service providers across all EU Member States
- Five mandatory pillars: ICT risk management, incident management, resilience testing, third-party risk management, and information sharing
- Non-compliance penalties include cease-and-desist orders, monetary fines, and mandatory public disclosure of breaches
- Critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover
- DORA and ISO 22301 are complementary — DORA is sector-specific regulation, ISO 22301 is the international standard for business continuity management
- Demand for DORA Lead Manager and Lead Implementer certifications has accelerated sharply since the January 2025 go-live date
- The Register of Information (RoI) submission deadline is 31 March 2026 — entities submitting to CSSF, MFSA, and other national supervisory authorities must act now
⚠ Key DORA Deadlines — Act Now
17 January 2025 — Full compliance mandatory. All financial entities and in-scope ICT third-party providers must be fully compliant with DORA's ICT risk management, incident reporting, and resilience testing requirements. This deadline has passed — if your programme is incomplete, you are already in breach.
11 February – 31 March 2026 — Register of Information (RoI) submission deadline. Financial entities must submit their Register of Information — the complete record of all contractual arrangements with ICT third-party service providers — to their national supervisory authority (e.g., CSSF in Luxembourg, MFSA in Malta). Submissions are made via regulatory portals such as CSSF eDesk or MFSA's LH Portal.
Ongoing: Incident reporting, resilience testing, and continuous monitoring of critical third-party dependencies remain live obligations with no single deadline.
Steps to take immediately if you haven't already:
- Finalise your Register of Information — map all ICT third-party providers, critical functions, and sub-contracting arrangements to the ITS template (JC 2023 85)
- Confirm your ICT risk management framework meets the 2025 standards — incident reporting protocols and threat testing procedures included
- Submit to your supervisory authority via the relevant regulatory portal before 31 March 2026
What Is DORA? Background and Context
The regulation (EU) 2022/2554 — the Digital Operational Resilience Act — was enacted by the European Parliament and the Council of the European Union on 14 December 2022. It entered into force in January 2023 with a two-year implementation period, meaning financial entities had until 17 January 2025 to become fully compliant.
DORA emerged from a clear and present problem: the financial sector had become deeply dependent on ICT systems and third-party technology providers, yet the regulatory rules governing how firms managed that dependency were fragmented, inconsistent across Member States, and inadequate for the volume and sophistication of modern cyber threats. A major ICT failure at a critical bank or payment processor can cascade across borders within minutes. The EU needed a single, coherent framework — and DORA is it.
The regulation consolidates ICT risk management requirements that were previously scattered across multiple Union legal acts, harmonises them, and adds new obligations — particularly around operational resilience testing and third-party oversight — that did not previously exist in binding form. According to the official EIOPA DORA page, the Act ensures that banks, insurance companies, investment firms, and other financial entities can withstand, respond to, and recover from ICT disruptions such as cyberattacks or system failures.
Official Definition (DORA, Article 3)
"Digital Operational Resilience" means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
That definition is broader than many practitioners initially expect. It is not just about cybersecurity. It encompasses availability, continuity, data integrity, and the ability to recover — even when the disruption originates in a cloud provider, a payment network, or a software vendor you have no direct control over.
GET DORA-CERTIFIED: PECB DORA LEAD MANAGER
The PECB DORA Lead Manager certification is the leading professional credential for practitioners who implement, manage, and audit DORA compliance programmes.
Delivered online by PECB-certified trainers at reconn. The five-day programme covers all five DORA pillars, the technical standards, third-party oversight, and the continual improvement cycle. Exam included. Globally recognised by financial regulators and employers. See the full training, exam, and certification guide: PECB DORA Lead Manager: Complete Guide.
reconn | Dubai, UAE | Remote delivery worldwide | hello@reconn.io
Who DORA Applies To: The Full Scope
+
DORA's scope, defined in Article 2, is deliberately broad. The regulation applies to 20 distinct categories of "financial entities" and — critically — also to the ICT third-party service providers that serve them. That second group is what makes DORA structurally different from most financial regulation: it reaches beyond the regulated institution to its technology supply chain.
Financial Entities Covered by DORA
| Category | Examples |
|---|
| Credit institutions | Banks, mortgage lenders |
| Payment institutions | Including PSD2-exempt payment institutions |
| Account information service providers | Open banking data aggregators |
| Electronic money institutions | E-money issuers |
| Investment firms | Brokers, portfolio managers |
| Crypto-asset service providers | Exchanges, custodians under MiCA |
| Central securities depositories | CSDs |
| Central counterparties | CCPs |
| Trading venues | Exchanges, MTFs, OTFs |
| Trade repositories | EMIR-registered TRs |
| Managers of alternative investment funds | AIFMs under AIFMD |
| Management companies | UCITS managers |
| Data reporting service providers | ARMs, APAs, CTPs |
| Insurance and reinsurance undertakings | Insurers, reinsurers under Solvency II |
| Insurance intermediaries | Brokers, agents, ancillary intermediaries |
| Institutions for occupational retirement provision | IORPs / pension funds |
| Credit rating agencies | CRAs |
| Administrators of critical benchmarks | BMR-registered administrators |
| Crowdfunding service providers | ECSPR-authorised platforms |
| Securitisation repositories | |
| ICT third-party service providers | Cloud providers, data centres, software vendors — subject to the Oversight Framework |
The Proportionality Principle
DORA does not treat a community credit union the same as a global systemically important institution. Article 4 establishes the proportionality principle: financial entities must tailor their compliance approach based on size, risk profile, and operational complexity. Microenterprises — those with fewer than 10 employees and an annual turnover below €2 million — are exempt from certain requirements, including the digital operational resilience testing programme under Article 24.
What proportionality does not do is remove the obligation to comply. It adjusts the depth and formality of the approach, not the requirement to have one. Competent authorities explicitly assess proportionality when reviewing ICT risk management frameworks.
Practitioner Note
Many firms discovered during gap analysis that their existing ICT risk controls, while broadly sound, were neither documented nor structured in the way DORA requires. Gap analysis under DORA must compare your current state against each of the five pillars specifically — a generic IT audit does not substitute for a DORA gap assessment.
The Five Pillars of DORA Compliance
+
DORA's requirements are organised around five main areas. Every financial entity's compliance programme must address all five — though the depth and specific controls will vary under proportionality. Together they form an integrated framework: you cannot satisfy DORA by excelling in incident response while neglecting third-party risk, or vice versa.
Pillar 1 — ICT Risk Management (Articles 5–16)
Every financial entity must maintain a sound, comprehensive, and well-documented ICT risk management framework as part of its overall risk management system. Article 6 specifies that the framework must include strategies, policies, procedures, ICT protocols, and tools necessary to protect all information assets and ICT assets — including computer software, hardware, servers, data centres, and physical premises.
The framework must include a digital operational resilience strategy that explains how it supports business objectives, establishes risk tolerance levels, sets measurable security objectives (including KPIs and KRIs), and outlines a communication strategy for ICT-related incidents. The management body — not just the IT department — is directly accountable for approving this strategy and monitoring its execution.
Standard Reference — DORA Article 6
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.
Article 9 requires financial entities to identify all ICT assets and classify information. Article 10 mandates detection capabilities. Articles 11–13 cover business continuity and disaster recovery planning. Article 15 governs learning and evolving — the framework must be updated when incidents occur or when the risk environment changes. Outsourcing the verification of compliance is permitted, but the financial entity remains fully responsible.
Pillar 2 — ICT-Related Incident Management and Reporting (Articles 17–23)
Financial entities must define, establish, and implement an ICT-related incident management process capable of detecting, managing, and notifying incidents (Article 17). This requires a documented classification scheme that distinguishes minor incidents from major ones — a classification that determines whether regulatory reporting is triggered.
Major ICT-related incidents must be reported to the relevant competent authority under a structured three-phase timeline: an initial notification, an intermediate report, and a final report. DORA also introduced voluntary reporting for significant cyber threats — even where no incident has materialised — which is a forward-looking requirement that many firms underestimated during implementation.
The incident management process must be documented in a dedicated policy, tested periodically, and integrated with the business continuity arrangements under Pillar 1. Post-incident reviews must feed back into the ICT risk management framework — creating a closed loop between detection, response, and improvement.
Pillar 3 — Digital Operational Resilience Testing (Articles 24–27)
Article 24 requires all financial entities (except microenterprises) to establish, maintain, and periodically review a sound and comprehensive digital operational resilience testing programme. This programme must be integrated into the ICT risk management framework and must cover a range of assessment types — from basic vulnerability assessments and network security testing to advanced scenario-based testing.
For systemically significant entities, Article 26 introduces Threat-Led Penetration Testing (TLPT) — the most demanding testing requirement in DORA. TLPT simulates real-world attack scenarios using intelligence-led methodologies. It must be conducted by qualified external testers against live production systems. A dedicated control team lead must be appointed (per JC 2024 29, Article 4) to manage day-to-day TLPT execution.
Where ICT third-party providers are included in the TLPT scope, the financial entity remains fully responsible. Pooled TLPT — where multiple financial entities share a single test against a common critical provider — is expressly permitted and may be the practical approach for concentrated supply chains.
Pillar 4 — Management of ICT Third-Party Risk (Articles 28–44)
This is the pillar that changes the relationship between financial entities and their technology vendors most fundamentally. Under Article 28, financial entities must manage ICT third-party risk as an integral component of their overall ICT risk management framework — not as a separate procurement exercise. At all times, regardless of what a vendor contract says, the financial entity remains fully responsible for regulatory compliance.
Specific obligations include: maintaining a complete information register of contractual arrangements with ICT third-party providers (at individual, consolidated, and sub-consolidated levels); conducting preliminary assessments of ICT concentration risk; ensuring mandatory contractual provisions are in place for all critical or important function contracts; and establishing exit strategies for every critical third-party relationship.
The risk assessment must consider the type of services provided, the location of the provider and where services are actually delivered from, the nature of data shared, whether the provider is subject to EU regulatory oversight, and the potential impact of a disruption. Concentration risk — particularly where multiple financial entities depend on the same handful of cloud hyperscalers — is an explicit concern in the regulation.
The Oversight Framework and the Lead Overseer
DORA's Oversight Framework (Articles 31–44) introduces direct regulatory supervision of Critical ICT Third-Party Providers (CTPPs) — the hyperscalers, core banking vendors, and payment infrastructure providers on which the financial system most depends. A Lead Overseer, drawn from EBA, ESMA, or EIOPA depending on the CTPP's primary client base, holds direct powers of inspection, information request, and penalty imposition.
The Oversight Forum — a sub-committee of the Joint Committee of the ESAs — coordinates the programme across sectors. CTPPs designated as critical must cooperate fully with the Lead Overseer, including accepting on-site inspections. A CTPP from outside the EU that is designated as critical must establish an EU subsidiary within 12 months of designation.
Pillar 5 — Information and Intelligence Sharing (Article 45)
Article 45 enables — and encourages — financial entities to exchange cyber threat information and intelligence with one another. This includes indicators of compromise, tactics, techniques and procedures (TTPs), cybersecurity alerts, and configuration tools. Participation is voluntary, but the intention is to create a collective early-warning ecosystem across the EU financial sector.
Information-sharing arrangements must be designed with appropriate safeguards: data must be handled responsibly, confidentiality must be preserved, and the arrangements must be compatible with data protection law. Participating in an information-sharing arrangement does not transfer liability — each entity remains responsible for its own ICT risk management.
Technical Standards and Guidelines Under DORA
DORA itself establishes the principles and high-level requirements. The operational detail — how financial entities actually implement those requirements — is specified in Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) published by the Joint Committee of the European Supervisory Authorities (EBA, ESMA, and EIOPA together).
| Standard | What It Specifies |
|---|
| JC 2023 86 | Draft RTS on the ICT Risk Management Framework and on the simplified framework for smaller entities. Establishes detailed requirements for ICT risk identification, protection, detection, response, recovery, and learning. |
| JC 2023 84 | Draft RTS to specify the policy on ICT services supporting critical or important functions. Defines the risk factors to consider when assessing third-party ICT services, including provider location, data classification, and service transferability. |
| JC 2023 83 | Draft RTS on the classification of major ICT-related incidents and significant cyber threats. Defines the criteria and thresholds that trigger mandatory regulatory reporting. |
| JC 2023 85 | Draft ITS on the Register of Information. Defines standardised models for documenting contractual arrangements with ICT providers at individual, consolidated, and sub-consolidated entity levels. |
| JC 2024 29 | Second set of technical standards published July 2024. Covers TLPT requirements including the appointment of a control team lead, pooled testing arrangements, and reporting obligations post-TLPT. |
Compliance requires understanding both the regulation itself and these technical standards — they are not optional elaborations, they are binding law for the entities in scope. The PECB DORA Lead Manager curriculum covers all five sets of technical standards alongside the main regulation, which is one reason the certification is considered the benchmark credential for DORA practitioners.
Penalties and Enforcement
DORA's enforcement framework is serious and multi-layered. Article 50 requires Member States to establish administrative penalties and remedial measures that are "effective, proportionate and dissuasive." Competent authorities must have powers to impose at minimum the following:
| Penalty Type | Description |
|---|
| Cease and desist order | Requires the entity to stop conduct breaching DORA and prohibits repetition |
| Cessation of practices | Temporary or permanent discontinuation of any non-compliant practice |
| Monetary fines | Pecuniary measures to enforce continued compliance with legal requirements |
| Access to data traffic records | Where national law permits, access to telecom records in breach investigations |
| Public notices | Mandatory public disclosure identifying the entity and describing the nature of the breach |
| Criminal penalties | Member States may (and some will) also impose criminal penalties for serious breaches (Article 52) |
For ICT third-party service providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover in the preceding business year (Article 35). The Lead Overseer must make every periodic penalty payment public, unless doing so would seriously harm financial markets.
Critical Gap
Article 54 requires competent authorities to publish penalty decisions publicly on their official websites — including the identity of the person or entity responsible and the nature of the breach — after any right of appeal has been exhausted. For financial services firms, the reputational damage from public disclosure typically exceeds the direct financial penalty. This is a powerful deterrent that many compliance teams are only beginning to communicate effectively to their boards.
Members of the management body can be held personally liable for breaches where national law provides for it. This individual accountability dimension — consistent with the broader Senior Managers & Certification Regime philosophy gaining traction across EU financial regulation — makes DORA a board-level concern, not just an IT compliance matter.
STUDY AT YOUR OWN PACE — DORA LEAD MANAGER ONLINE
Get exam-ready and board-ready. The PECB DORA Lead Manager course delivers practitioner-level mastery of all five pillars, the technical standards, and the Oversight Framework.
Fully online and self-paced. Includes all PECB official training materials, exam registration, and post-certification support. Designed for compliance officers, risk managers, IT professionals, and consultants advising financial entities. Questions? See our complete walkthrough: PECB DORA Lead Manager Certification Guide.
reconn | Dubai, UAE | Remote delivery worldwide | hello@reconn.io
DORA vs ISO 22301: How They Compare
+
One of the most common questions I encounter from financial services professionals is how DORA relates to ISO 22301 — the international standard for Business Continuity Management Systems. The short answer: they are complementary, not competing. The more nuanced answer requires understanding what each is, and what each is not.
Fundamental Nature
| Dimension | DORA (EU 2022/2554) | ISO 22301:2019 |
|---|
| Legal status | Binding EU regulation — mandatory | Voluntary international standard |
| Enforcement | Competent authorities, ESAs, Lead Overseer with penalty powers | Certification body / market expectation |
| Scope | EU financial sector only | Any organisation, any sector, globally |
| Focus | ICT risk and digital operational resilience specifically | Business continuity management broadly |
| Third-party reach | Directly covers ICT third-party providers via Oversight Framework | Covers supply chain through BCMS scope decisions |
| Testing requirement | Mandatory resilience testing + TLPT for significant entities | Requires exercises and tests — type and frequency risk-based |
| Penalty for non-compliance | Administrative penalties, criminal liability, public disclosure | Loss of certification / market access risk |
Where They Overlap
ISO 22301 and DORA share significant conceptual territory. Both require understanding business impact, identifying critical functions, maintaining plans for disruption, testing those plans, and continually improving. DORA's ICT risk management framework (Articles 5–16) mirrors the structure of a BCMS — assess risks, implement controls, test, review, improve.
The PECB DORA Lead Manager training explicitly references the concept of organisational resilience (from ISO 22316), business continuity planning, and disaster recovery — acknowledging that DORA's operational continuity requirements (Articles 11–13) are conceptually grounded in business continuity management practice.
For more on the ISO 22301 scope definition process — which determines which functions and organisational units fall inside your BCMS — see our guide: Organisational and physical boundaries, dependency rules, and justifying exclusions under ISO 22301 Clause 4.3.
Where They Diverge
ISO 22301 is sector-agnostic and technology-agnostic. It is a management system standard built around the Plan-Do-Check-Act cycle with high-level requirements that organisations implement in ways appropriate to their context. DORA is prescriptive: it specifies what must be in the ICT risk management framework, what the incident reporting timelines are, which contracts must contain which clauses, and how critical third-party providers will be supervised.
ISO 22301 covers all threats to business continuity — natural disasters, power failures, public health emergencies, supply chain disruptions — not just ICT. DORA is exclusively focused on ICT and digital risk. A financial entity certified to ISO 22301 has demonstrated strong business continuity practices, but that certification does not substitute for DORA compliance — nor does DORA compliance substitute for ISO 22301 certification where that is required by contract, insurer, or regulator.
The practical implication: firms pursuing both should run them as an integrated programme, not parallel silos. The DORA ICT risk management framework and the ISO 22301 BCMS share governance structures, risk assessment methodology, and testing requirements. Running them together reduces duplication and demonstrates a higher level of resilience maturity to both regulators and auditors.
DORA's Relationship With Other EU Regulations
+
DORA does not exist in isolation. It is part of a broader EU digital regulatory architecture, and financial entities must understand how it interacts — and does not conflict — with other overlapping frameworks.
DORA and NIS 2 Directive
Both DORA and the NIS 2 Directive aim to enhance digital resilience and reduce cyber incidents across the EU. The key distinction: DORA includes a lex specialis provision — where DORA applies, it takes precedence over NIS 2 for financial entities. This was a deliberate design choice to avoid regulatory duplication and ensure that the more specific and demanding DORA framework is the operative standard for the financial sector.
DORA and GDPR
DORA builds on GDPR requirements but does not override them — both frameworks continue to apply in parallel. DORA focuses on information system security from an operational resilience perspective; GDPR governs personal data protection. They intersect significantly: an ICT incident that compromises data availability or integrity may trigger both a DORA major incident report and a GDPR personal data breach notification. Compliance teams must manage both notification obligations simultaneously, with different authorities and different timelines.
DORA and the Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (CRA), which came into force in late 2024 with a 36-month implementation window, applies to manufacturers, dealers, and importers of products with digital elements — across all sectors. DORA applies to the financial sector. Where an ICT product used by a financial entity falls under the CRA, both frameworks may apply to different aspects of the same supply chain relationship. The CRA focuses on product cybersecurity by design; DORA focuses on how financial entities manage the operational risk of using those products.
Why Professional Certification Demand Has Surged
The demand for DORA-specific professional certification — particularly the PECB DORA Lead Manager credential — has grown sharply since 2024. It is not a trend driven by curiosity. It is driven by a compliance cliff-edge: financial entities and their ICT suppliers need practitioners who can actually implement DORA, not just describe it.
Several structural forces are behind the surge:
The Regulation Is Live
Since January 2025, DORA is enforceable law. Boards and senior management who treated it as a future project discovered — quickly — that regulators are not waiting. Competent authorities began issuing supervisory questions about ICT risk management frameworks almost immediately after the application date.
Gap Between Knowledge and Skill
Reading the regulation is one thing. Designing a compliant ICT risk management framework, running a TLPT programme, building a register of information for third-party contracts, and managing the Oversight Framework interaction — these require structured training and demonstrated competence.
Cross-Border Supply Chain Effect
DORA's third-party risk requirements pull ICT service providers outside the EU into compliance orbits. A cloud infrastructure vendor in the US or UAE serving EU financial entities now faces contractual, audit, and potentially direct oversight obligations. Their compliance and sales teams need DORA literacy — fast.
Career Differentiation
For individual compliance officers, risk managers, and cybersecurity professionals, DORA certification signals a specific, high-value competency. In a market where cyber and regulatory roles are increasingly blurred, DORA Lead Manager certification demonstrates you can operate at the intersection of financial regulation and ICT risk.
The PECB DORA Lead Manager certification is structured around five competency domains: fundamental ICT risk management concepts, preparing and planning for DORA implementation, ICT risk and incident management, digital operational resilience testing and third-party risk, and review and continual improvement. It is designed for financial institutions executives and decision-makers, compliance officers and risk managers, IT professionals, legal and regulatory affairs personnel, and consultants specialising in financial regulation and cybersecurity.
For a full breakdown of the exam domains, certification requirements, and what the credential covers in practice, read our dedicated guide: PECB DORA Lead Manager: Training, Exam and Certification Complete Guide.
Implementation Roadmap: Getting DORA-Ready
+
For financial entities that have not yet completed their DORA programme, the implementation priority should follow the regulation's own logic: governance first, then risk management, then testing and third-party controls, then monitoring and continual improvement. What follows is a practical sequence, not a legal interpretation.
Phase 1 — Context, Gap Analysis, and Governance
Before any controls are implemented, map your entity's context: which legal entities are in scope, what functions are critical, who your material ICT third-party providers are, and what your current state of ICT risk management looks like against each of the five DORA pillars. Gap analysis is the foundation — it identifies the delta between where you are and where the regulation requires you to be, and it quantifies the investment in time, money, and human resources required. At the same time, establish the governance structure: the management body must understand its DORA responsibilities and approve the ICT risk management framework.
Phase 2 — ICT Risk Management Framework
Build or upgrade the ICT risk management framework to meet Article 6 requirements. This means documented policies, a digital operational resilience strategy, asset identification and classification, detection capabilities, business continuity and disaster recovery arrangements, and a mechanism for post-incident learning. The framework must be demonstrably integrated into the overall risk management system — not a standalone IT document.
Phase 3 — Incident Management and Reporting
Establish the incident management process and classification scheme. Map every major incident classification criterion from JC 2023 83 against your existing incident response procedures. Identify the notification workflows — which authority, which timelines, which templates. Test the process before you need it.
Phase 4 — Third-Party Risk and Register of Information
Build the register of information (per JC 2023 85 ITS templates) for all contractual arrangements with ICT providers. Conduct preliminary ICT concentration risk assessments. Review all critical or important function contracts against the DORA mandatory contractual provisions list. Establish exit strategies for each critical provider. This phase often takes longer than expected — the data gathering from business units and procurement teams is invariably the bottleneck.
Phase 5 — Testing Programme
Design and execute the digital operational resilience testing programme. Start with the basic tests — vulnerability assessments, network security testing, gap analyses — before advancing to scenario-based and open-source intelligence testing. For entities in scope for TLPT, plan the timeline carefully: from scoping to execution to remediation to regulatory validation can take nine to twelve months.
Phase 6 — Monitoring, Audit, and Continual Improvement
Establish the performance measurement and compliance reporting cycle (drawing on ISO 37301 principles, which DORA training explicitly references). Run internal audits of the ICT risk management framework. Conduct management reviews. Document improvements in a continual improvement register that tracks each change: description, priority, initiation date, completion date, and responsible owner. The continual improvement cycle is not optional — it is what transforms a point-in-time compliance exercise into sustainable digital operational resilience.
Practitioner Note
At reconn, we have seen entities underestimate two things consistently: the volume of documented information DORA requires, and the effort involved in getting third-party contracts reviewed and renegotiated. Both deserve dedicated resources — not best-effort work alongside existing BAU responsibilities. A dedicated DORA programme manager with the right certification is the single most effective investment a mid-sized financial entity can make at this stage.
DORA Implementation Services
Need expert help building your DORA compliance programme?
DORA compliance is not a box-ticking exercise. Building a genuinely compliant ICT risk management framework — one that satisfies regulators, integrates with your business continuity programme, and holds up under TLPT — requires practitioners who have done it before. The technical standards alone run to hundreds of pages of prescriptive requirements.
At reconn, we deliver end-to-end DORA implementation support: gap analysis, framework design, incident management architecture, third-party risk programme build, testing programme design, and board-level reporting. We combine PECB-certified DORA practitioner expertise with 20+ years of financial sector cybersecurity experience. Speak to us about your current compliance position.
reconn | Dubai, UAE | Remote delivery worldwide | hello@reconn.io
DORA's Global Reach: Impact Beyond the EU
DORA is an EU regulation. Its formal jurisdiction is the EU financial sector. But its practical impact is global — and this is intentional by design.
Any ICT third-party provider — wherever in the world it is headquartered — that provides services to EU financial entities is subject to DORA's third-party risk requirements through the contractual obligations imposed on their financial entity clients. This means cloud hyperscalers, core banking software vendors, payment processors, data centre operators, and cybersecurity service providers globally face new contractual, audit access, and exit strategy obligations as a direct consequence of DORA.
For providers designated as Critical ICT Third-Party Providers, the extraterritorial reach goes further still. They face direct oversight by the EU Lead Overseer — and if they are headquartered outside the EU, they must establish a Union subsidiary within 12 months of designation.
Beyond direct supply chain effects, DORA is accelerating regulatory contagion: jurisdictions in the Middle East, Asia-Pacific, and North Africa are closely studying the DORA model as they develop their own digital operational resilience frameworks for their financial sectors. The Gulf Cooperation Council region, where reconn operates extensively, is actively developing supervisory expectations for ICT resilience that draw on the DORA architecture. Professionals who understand DORA today are well positioned for what comes next in their own regulatory environments.
Global Compliance Note
If your organisation provides ICT services to EU-regulated financial entities — even if you are based outside the EU — you should review your contractual obligations, audit access rights, data residency commitments, and exit strategy documentation against DORA's third-party requirements. The obligation rests primarily on your financial entity client, but they will be pushing those requirements downstream to you through contract reviews and supplier questionnaires.
Frequently Asked Questions
What is DORA and when did it become law?+
DORA — the Digital Operational Resilience Act, Regulation (EU) 2022/2554 — was enacted by the European Parliament and Council on 14 December 2022. It entered into force in January 2023 and became fully applicable to financial entities from 17 January 2025. It is binding EU law in all Member States and applies to 20+ categories of financial entity and their ICT third-party service providers.
Does DORA apply outside the European Union?+
DORA formally applies to entities operating in the EU. However, its practical impact is global. ICT third-party providers based anywhere in the world — including the US, UK, UAE, India, and beyond — are affected through the contractual obligations their EU financial entity clients must impose on them. Critical ICT Third-Party Providers designated under the Oversight Framework face direct EU regulatory oversight regardless of where they are headquartered, and those outside the EU must establish an EU subsidiary within 12 months of designation.
What are the five pillars of DORA?+
DORA's five key requirement areas are: (1) ICT risk management — maintaining a documented, board-approved ICT risk management framework; (2) ICT-related incident management and reporting — detecting, classifying, and notifying incidents to regulators; (3) Digital operational resilience testing — conducting regular testing including TLPT for significant entities; (4) Management of ICT third-party risk — managing vendor risk and maintaining a register of information; and (5) Information and intelligence sharing — voluntary exchange of cyber threat intelligence among financial entities.
What penalties can be imposed for DORA non-compliance?+
Competent authorities can issue cease and desist orders, require cessation of non-compliant practices, impose monetary fines, access data traffic records in investigations, and issue public notices naming the entity and describing the breach. For Critical ICT Third-Party Providers, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover. Member States may also legislate criminal penalties for serious DORA breaches. Public disclosure of penalty decisions is mandatory after appeal rights are exhausted.
Is DORA the same as ISO 22301?+
No — they are different in nature but complementary in practice. DORA is binding EU regulation applying specifically to the financial sector, focused on ICT and digital operational resilience, enforced by competent authorities with penalty powers. ISO 22301 is a voluntary international standard for business continuity management, applicable to any organisation in any sector globally. Both share conceptual territory around risk assessment, continuity planning, and testing. A financial entity can hold ISO 22301 certification and still need a dedicated DORA compliance programme. The two are best run as an integrated resilience programme rather than parallel silos.
What is Threat-Led Penetration Testing (TLPT) under DORA?+
TLPT — Threat-Led Penetration Testing — is the most advanced form of resilience testing required under DORA (Article 26). It applies to systemically significant financial entities and involves simulating real-world cyberattacks against live production systems using threat intelligence. TLPT must be conducted by qualified external testers, with a designated control team lead managing the process. A pooled TLPT model is available where multiple financial entities share a single test against a common critical ICT provider. The full process — from scoping to execution to regulatory validation — typically takes nine to twelve months.
Who should get DORA Lead Manager certified?+
The PECB DORA Lead Manager certification is designed for compliance officers and risk managers responsible for DORA programmes, IT and cybersecurity professionals working in financial entities, legal and regulatory affairs personnel, financial institution executives and board-level decision-makers, and consultants advising financial entities on DORA compliance. It is also increasingly valued by ICT third-party providers who want to demonstrate DORA competency to their financial sector clients.
How does DORA interact with NIS 2 and GDPR?+
DORA takes precedence over the NIS 2 Directive for financial entities through a lex specialis provision — where DORA applies, NIS 2 does not override it. DORA and GDPR operate in parallel: both continue to apply, with distinct requirements. An ICT incident that compromises personal data may simultaneously trigger a DORA major incident notification to the financial regulator and a GDPR personal data breach notification to the data protection authority — with different timelines and different authorities. Compliance teams must have processes for managing both notification streams.
About the Author
Shenoy Sandeep
Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE — assisting startups and enterprises scale across the Middle East and African region. With 20+ years across offensive security, threat intelligence, and enterprise risk, and over 10 years in Enterprise AI, AI governance, and Business Continuity, he brings a practical, execution-driven approach to AI governance and information security.
He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, specialising in ISO/IEC 27001, ISO/IEC 42001, ISO 22301, and ISO 9001.
