DORA: Digital operational resilience for the financial sector
The DORA regulation requires financial entities and their ICT providers to ensure digital operational resilience. Conformitly structures your compliance around the 5 pillars.
What is DORA?
The DORA Regulation (EU 2022/2554) establishes a uniform regulatory framework for digital operational resilience in the European financial sector. It is built on 5 fundamental pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party service provider risk, and information sharing. DORA applies directly in all member states without national transposition.
Who does DORA apply to?
The 5 pillars of DORA
Pillar 1: ICT risk management
Establishment of a comprehensive and documented ICT risk management framework, including identification and classification of ICT assets, threat detection and protection, and business continuity and disaster recovery strategies.
Pillar 2: ICT incident management and reporting
ICT-related incident management processes with classification based on severity criteria, notification to competent authorities for major incidents, and maintenance of a register of all incidents and significant cyber threats.
Pillar 3: Digital operational resilience testing
A proportionate testing program including vulnerability assessments, penetration tests and, for significant entities, advanced threat-led penetration testing (TLPT), which must be carried out at least every three years.
Pillar 4: ICT third-party risk management
Framework for managing risks related to ICT third-party service providers, with specific contractual requirements, a register of information on contractual arrangements, and a direct oversight mechanism by European authorities for critical providers.
Pillar 5: Information sharing
Financial entities may set up arrangements to share cyber threat information among themselves, in compliance with confidentiality and data protection rules.
DORA timeline
DORA regulation entered into force
Publication of regulatory technical standards (RTS) and implementing technical standards (ITS) by European supervisory authorities
DORA regulation application date: all entities in scope must be in compliance
DORA sanctions
Administrative sanctions are defined by each member state and may include significant fines, orders to cease non-compliant practices, and public statements identifying entities in breach. Critical ICT third-party providers are subject to direct oversight by European supervisory authorities, with the ability to impose periodic penalty payments of up to 1% of average daily worldwide turnover for a maximum of six months.
How Conformitly helps with DORA
63 pre-mapped requirements
Access 63 controls directly derived from DORA regulation articles and associated technical standards, with detailed descriptions and expected evidence for each requirement.
5-pillar tracking
Visualize your compliance progress organized around the 5 DORA pillars, with maturity scores per pillar and a consolidated dashboard for board-level reporting.
Third-party ICT risk assessment
Manage your register of information on ICT contractual arrangements, assess the criticality of your providers, and track associated risks with integrated security questionnaires.
Major incident classification
Automatically classify your ICT incidents according to DORA severity criteria (affected clients, duration, financial losses, geographic spread), and generate notification reports for competent authorities.