Camelia Sfirlea

DORA Requirements

The six pillars of digital operational resilience

Q: What is DORA compliance?

DORA (Digital Operational Resilience Act) is EU regulation requiring financial entities to strengthen IT security and operational resilience. It covers ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. Enforcement begins January 2025.

Q: Who needs to comply with DORA?

DORA applies to banks, insurance companies, investment firms, payment providers, crypto-asset service providers, and critical ICT third-party service providers operating in the EU. Non-compliance can result in fines up to 2% of total annual worldwide turnover.

Q: How does BetterQA help with DORA compliance?

BetterQA provides threat-led penetration testing (TLPT), ICT risk assessments, resilience testing, and third-party vendor security reviews. We hold ISO 27001:2022 certification and help document testing evidence for regulatory audits.

DORA establishes uniform requirements for ICT security across all EU financial entities. Here's what you need to implement.

01

ICT Risk Management

Governance framework for identifying and managing ICT-related risks

REQUIREMENTS

Establish an ICT risk management framework approved by management body
Implement strategies, policies, and procedures for ICT security
Continuously identify and classify ICT assets and dependencies
Conduct regular risk assessments and document findings
Define detection, response, and recovery capabilities
Establish communication plans for ICT incidents

Key point: Management body members bear personal responsibility for ICT risk governance. This isn't just an IT issue.

02

Incident Reporting

Standardized classification and reporting of ICT-related incidents

REQUIREMENTS

Classify incidents using standardized criteria (clients affected, duration, geographic spread)
Submit initial notification within 4 hours of classification
Provide intermediate report within 72 hours
Submit final report within one month of incident resolution
Maintain incident management and response procedures
Document root cause analysis for all major incidents

Key point: Strict timelines apply. You need systems that can detect, classify, and report incidents automatically.

03

Resilience Testing

Regular testing to validate operational resilience capabilities

REQUIREMENTS

Establish a digital operational resilience testing program
Conduct vulnerability assessments at least annually
Perform penetration testing based on threat scenarios
Test ICT systems supporting critical functions
Address all findings through prioritized remediation
Significant entities must conduct TLPT (Threat-Led Penetration Testing) every 3 years

Key point: TLPT follows the TIBER-EU framework and requires qualified external testers. Not all entities need it, but many do.

04

Third-Party Risk

Due diligence and monitoring of ICT service providers

REQUIREMENTS

Maintain a register of all ICT third-party service providers
Conduct pre-contract due diligence on security capabilities
Include mandatory contractual provisions (audit rights, exit strategies, data location)
Monitor concentration risk across providers
Assess sub-outsourcing arrangements
Establish exit strategies for all critical providers

Key point: Critical ICT providers will be directly supervised by EU authorities. Your contracts need specific DORA clauses.

05

Information Sharing

Voluntary cyber threat intelligence arrangements

REQUIREMENTS

Establish arrangements for sharing cyber threat information
Participate in trusted information-sharing communities
Share indicators of compromise, tactics, and procedures
Protect sensitive information during sharing
Ensure sharing arrangements comply with competition law

Key point: While voluntary, participation demonstrates mature security practices and helps build sector-wide resilience.

06

Business Continuity

ICT continuity plans and disaster recovery procedures

REQUIREMENTS

Develop comprehensive ICT business continuity policy
Implement backup policies and recovery procedures
Establish redundancy for critical ICT systems
Test continuity plans at least annually
Define recovery time and point objectives (RTO/RPO)
Document crisis management and communication procedures

Key point: Plans must be tested, not just documented. Regulators will ask for evidence of exercises.

Scope

Who must comply?

DORA applies to 21 types of financial entities and their critical ICT providers.

Banking & Credit

Credit institutions
Payment institutions
E-money institutions
Account information providers

Investment

Investment firms
Fund managers (UCITS, AIFM)
Trading venues
Central securities depositories

Insurance & Pension

Insurance undertakings
Reinsurance undertakings
Insurance intermediaries
Pension funds (IORPs)

Crypto & Crowdfunding

Crypto-asset service providers
Issuers of asset-referenced tokens
Crowdfunding service providers

Market Infrastructure

Central counterparties (CCPs)
Trade repositories
Securitization repositories
Credit rating agencies

ICT Providers

Critical ICT third-party providers
Cloud service providers (if critical)
Data analytics providers (if critical)

Consequences

Non-compliance penalties

2%

of annual worldwide turnover

Maximum administrative penalty for financial entities failing to meet DORA requirements.

1%

daily penalty payments

For critical ICT providers, up to 1% of average daily worldwide turnover until compliance.

Assess your readiness

Understand where you stand against these requirements and get a roadmap to compliance.

Request Assessment → Our Services

Need help with software testing?

BetterQA provides independent QA services with 50+ engineers across manual testing, automation, security audits, and performance testing.

Explore our services Get in touch

Last updated: March 5, 2026 Originally published: December 9, 2024