Cumplimiento DORA para entidades financieras: guía completa ICT 2025

RegTech · DORA Compliance DORA ICT Compliance for Financial Entities: Complete Guide 2025 The Digital Operational Resilience Act (DORA) has been directly applicable across all EU Member States since 17 January 2025 . No transposition required, no grace period. If you are a bank, insurer, investment firm, payment institution or fintech — you must comply now.

Key dates: 17 January 2025 — DORA fully applicable No transitional period for in-scope entities RTS/ITS from EBA, ESMA and EIOPA published in January 2025

Which entities must comply with DORA? Article 2 of DORA defines an extensive scope covering virtually the entire EU financial sector:

Entity type Regime Credit institutions (banks) Full DORA Investment firms (MiFID II) Full DORA Payment institutions / e-money institutions Full DORA Insurance and reinsurance undertakings Full DORA UCITS and AIF managers Full DORA Crypto-asset service providers (CASPs) Full DORA Microenterprises ( Simplified regime (Art. 16) Critical ICT third-party providers (CTPPs) designated by the ESAs face direct EU-level oversight under Chapter V regardless of their own regulatory status.

The 5 pillars of DORA compliance

1. ICT Risk Management (Art. 5–16) Entities must establish a comprehensive ICT risk management framework with: a dedicated ICT risk management function, business continuity policy, disaster recovery plans, and annual testing. The framework must be approved by the management body and reviewed at least annually.

2. ICT-Related Incident Management (Art. 17–23) Entities must classify incidents using the criteria in the RTS (Commission Delegated Regulation EU 2024/1772). Major incidents trigger a 3-stage reporting process: early warning in 4 hours , intermediate report in 72 hours , final report within 1 month .

3. Digital Operational Resilience Testing (Art. 24–27) All in-scope entities must perform annual basic resilience testing. Significant entities must additionally conduct Threat-Led Penetration Testing (TLPT) — aligned with the TIBER-EU framework — at least every 3 years . TLPT requires advance coordination with the competent authority.

4. ICT Third-Party Risk Management (Art. 28–44) Entities must maintain a complete register of all ICT third-party providers. Contracts with critical ICT providers must include mandatory clauses covering: service levels, data locations, audit rights, exit strategies and minimum notice periods. Article 30 lists the mandatory contractual elements.

5. Information and Intelligence Sharing (Art. 45) Voluntary participation in threat intelligence sharing arrangements between financial entities and authorities. Entities may choose to share cyber threat information and tactics, subject to confidentiality requirements.

Incident reporting timelines: the 4h/72h/1-month rule One of the most operationally demanding aspects of DORA is the incident notification timeline. Your team must have protocols ready before an incident occurs — there is no time to design them during a crisis.

Stage Deadline Required content Early warning 4 hours from classification Whether malicious/illegal cause; potential cross-border impact Intermediate report 72 hours Preliminary analysis, severity, IoCs, root cause if available Final report 1 month Root cause, actual impact, corrective measures taken and planned In Spain, the supervisory authority depends on entity type: Banco de España (credit institutions), CNMV (investment firms), DGSFP (insurers). All use the AGORA reporting platform (in implementation).

Mandatory clauses in ICT third-party contracts (Art. 30) Every contract with an ICT provider — including cloud providers, SaaS vendors and outsourced IT support — must include these mandatory elements under DORA Article 30:

Full description of services — including all sub-contracting chains Data processing locations — exact countries where data is stored and processed Service levels — availability, integrity, security and quality standards with measurable KPIs Audit rights — the financial entity's right to inspect, audit and access information Business continuity plans — the provider's BCP and DRP capabilities Termination rights — including minimum transition periods (typically 12 months) Incident reporting obligations — the provider must notify the financial entity of material incidents Practical challenge: Major cloud providers (AWS, Azure, Google Cloud) have already updated their standard terms to include DORA-compatible clauses, but many smaller providers have not. Your legal team must review every ICT contract before the relevant renewal date.

How AI RAG reduces DORA compliance effort DORA spans 64 articles, 13 implementing acts and dozens of Q&A published by EBA, ESMA and EIOPA. No compliance team can read and cross-reference all of this manually for every operational decision.

A RAG system trained on DORA — like IgeraRegTech's DORA module — enables your legal and operations teams to:

Ask questions in plain language and get answers citing the exact article and paragraph Generate compliant incident notification templates pre-filled with the required fields Run a gap analysis across all 5 DORA pillars in hours rather than weeks Stay current as new RTS/ITS are published — the knowledge base updates automatically IgeraRegTech DORA Module Ask any DORA compliance question. Get the exact article, the applicable RTS and a concrete action in seconds — not days of legal research.

Explore DORA Module →

DORA compliance checklist for financial entities Priority actions for 2025:

☐ Confirm your entity is in scope and identify the simplified vs full regime ☐ Document and approve the ICT risk management framework (Art. 5) ☐ Create the ICT third-party register with all providers and service classifications ☐ Review and update all ICT contracts to include mandatory Art. 30 clauses ☐ Train incident response team on the 4h / 72h / 1-month reporting protocol ☐ Schedule annual basic resilience testing and (if significant entity) plan TLPT cycle ☐ Assign management body accountability for DORA oversight (Art. 5.2)

Key takeaways DORA has been fully applicable since 17 January 2025 — there is no grace period. The 5 pillars require genuine operational change, not just documentation. The 4-hour early warning timeline is the most demanding operational requirement — prepare your protocols now. Every ICT contract must be reviewed for Article 30 mandatory clauses before renewal. AI RAG tools can reduce compliance research time by 70–80% while eliminating hallucinated citations. Sources: Regulation (EU) 2022/2554 (DORA) · Commission Delegated Regulation (EU) 2024/1774 (ICT risk management RTS) · Commission Delegated Regulation (EU) 2024/1772 (incident classification RTS) · EBA/ESMA/EIOPA Joint Guidelines on ICT risk management.

Cumplimiento DORA para entidades financieras: guía completa ICT 2025

COMPARTIR

Productos relacionados

IgeraRegTech DORA

Artículos relacionados

RAG vs ChatGPT para Contratación Pública: La Diferencia Clave

EU AI Act 2026: qué deben hacer las empresas antes del plazo de agosto

CSRD y ESRS: guía completa para el informe de sostenibilidad 2026