The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions and threats. It has been fully enforceable since January 17, 2025.
DORA is mandatory for all EU financial entities and their critical ICT third-party service providers, including non-EU SaaS vendors serving EU financial clients. Non-compliance can result in fines up to 2% of global turnover or €5 million.

Who needs DORA compliance?

Financial entities

Banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers operating in the EU.

ICT providers

Technology vendors and cloud service providers designated as critical third-party providers to the financial sector — including non-EU companies.

Five pillars of DORA

ICT Risk Management

Comprehensive framework for identifying, protecting, detecting, responding to, and recovering from ICT risks.

Incident Reporting

Major ICT incidents must be reported to authorities. Initial notification within 4 hours, interim report within 72 hours, final report within 1 month.

Resilience Testing

Regular testing of ICT systems including threat-led penetration testing (TLPT) for significant entities.

Third-Party Risk

Manage risks from ICT third-party providers, including contractual requirements, exit strategies, and concentration risk monitoring.

Information Sharing

Voluntary sharing of cyber threat intelligence between financial entities to improve sector-wide resilience.

How DSALTA helps

  • DORA-specific controls mapped to all five pillars
  • ICT risk management framework through the risk register
  • Incident response documentation and reporting templates
  • Third-party risk management with vendor scoring and monitoring
  • Cross-framework mapping — significant overlap with NIS 2, ISO 27001, and SOC 2

Frequently asked questions

Does DORA apply to non-EU companies?

Yes, if you are an ICT third-party service provider designated as critical to EU financial entities. EU financial clients will require DORA compliance evidence as part of their vendor management.

How does DORA relate to NIS 2?

DORA is lex specialis (sector-specific) for financial entities, while NIS 2 is the broader EU cybersecurity directive. DORA takes precedence for in-scope financial entities, but NIS 2 requirements may still apply for broader governance.

What are the incident reporting deadlines under DORA?

Initial notification within 4 hours of classification, interim report within 72 hours, and final report within 1 month of the incident.