DORA ICT Compliance for Financial Entities: Complete 2025 Guide
By James Forrest, Head of RegTech Strategy at IgeraSolutions — Reviewed by Dr. Elena Voss, Senior Regulatory Counsel — Updated: July 2025 — Sources: Regulation (EU) 2022/2554, EBA/ESMA/EIOPA RTS/ITS Dec 2024
Direct answer: DORA (Regulation EU 2022/2554) has been fully applicable across all EU Member States since 17 January 2025 — no transposition, no grace period. Every in-scope financial entity must now maintain a documented ICT risk management framework, report major incidents within 4 hours, conduct annual resilience tests, and register all third-party ICT providers with compliant contracts. Non-compliance exposes entities to daily periodic penalties of up to 1% of average worldwide daily turnover.
What is DORA?
DORA (Digital Operational Resilience Act) — Regulation (EU) 2022/2554 — is a directly applicable EU regulation that entered into force on 16 January 2023 and became fully applicable on 17 January 2025. It establishes uniform requirements for ICT risk management, incident reporting, resilience testing, third-party risk oversight and intelligence sharing across the entire EU financial sector. The Level 2 technical standards (RTS and ITS) were finalised by EBA, ESMA and EIOPA and published in December 2024.
47
average DORA control gaps per financial entity
“IgeraRegTech mapped DORA ICT risk registers for 23 financial entities in Q1 2025. The average gap count was 47 controls per entity — the most common shortfalls: incomplete third-party registers, missing incident classification matrices, and management body approvals not formally recorded.”
Source: IgeraRegTech proprietary DORA gap analysis data, Q1 2025. n=23 EU financial entities.
Which entities must comply with DORA?
Article 2 of DORA defines one of the broadest regulatory scopes in EU financial law. Over 22,000 financial entities across the EU are in scope. The following table summarises the main entity categories:
| Pillar | Articles | Key requirement | Common gap | IgeraRegTech help |
|---|---|---|---|---|
| 1. ICT Risk Management | Art. 5–16 | Board-approved ICT risk framework; BCP & DRP; annual review | Management body not formally accountable; no risk tolerance documented | Auto-generate gap analysis vs. RTS requirements |
| 2. Incident Reporting | Art. 17–23 | 4h early warning / 72h intermediate / 1-month final report | No incident classification matrix; no pre-built notification templates | AI-drafted notification templates with exact RTS field mapping |
| 3. Resilience Testing | Art. 24–27 | Annual basic tests; TLPT every 3 years for significant entities | Testing not documented as formal programme; TLPT scope not defined | Testing programme template generation & TLPT scope mapper |
| 4. Third-Party Risk | Art. 28–44 | ICT provider register; mandatory Art. 30 contract clauses; audit rights | Incomplete provider registers; contracts missing exit strategy clauses | Contract clause checker vs. Art. 30 mandatory requirements list |
| 5. Information Sharing | Art. 45 | Voluntary cyber threat intelligence sharing arrangements | No participation in any sharing arrangement; no internal protocol | Threat intelligence summary reports for sharing submissions |
The 5 DORA pillars explained
Understanding each pillar in depth is essential before any gap analysis. Here is what each one demands operationally — not just on paper.
Pillar 1 — ICT Risk Management (Art. 5–16)
Entities must establish a comprehensive ICT risk management framework approved by the management body. This includes: identification of all ICT assets and dependencies, a business continuity policy, disaster recovery plans with defined RTOs, and annual testing. The RTS on ICT risk management tools (Commission Delegated Regulation EU 2024/1774) specifies the minimum content. Crucially, the management body bears direct legal accountability — not just the IT department.
Pillar 2 — ICT-Related Incident Management (Art. 17–23)
Entities must classify incidents using the criteria in the incident classification RTS (EU 2024/1772). Major incidents trigger a strict 3-stage reporting cascade: early warning within 4 hours of classification, an intermediate report within 72 hours, and a final root-cause report within 1 month. This requires pre-built notification templates and a trained SOC-to-compliance handoff protocol before any incident occurs.
Pillar 3 — Digital Operational Resilience Testing (Art. 24–27)
All in-scope entities must conduct annual basic resilience tests (vulnerability assessments, network security evaluations, BCP drills). Significant entities — those meeting the ESA thresholds on size, systemic importance or ICT risk exposure — must additionally conduct Threat-Led Penetration Testing (TLPT) aligned with TIBER-EU, at least every 3 years, coordinated in advance with the competent authority.
Pillar 4 — ICT Third-Party Risk Management (Art. 28–44)
Entities must maintain a complete register of all ICT third-party providers, classifying each as critical or non-critical. Contracts with ICT providers must include mandatory clauses under Article 30: full service description, data processing locations, measurable SLAs, audit rights, exit strategies and minimum 12-month transition periods. Critical ICT third-party providers (CTPPs) designated by the ESAs face direct EU-level supervision under Chapter V.
Pillar 5 — Information and Intelligence Sharing (Art. 45)
Voluntary participation in cyber threat intelligence sharing arrangements between financial entities and authorities. While voluntary, regulators increasingly expect entities to demonstrate awareness of the threat landscape. Participation must be documented under confidentiality agreements and consistent with GDPR data minimisation obligations.
Incident reporting timelines: the 4h / 72h / 1-month cascade
The incident notification obligation is the most operationally demanding aspect of DORA. Your team must have documented protocols — and tested them — before any incident occurs. There is no time to design response procedures during an active crisis.
| Stage | Deadline | Required content | Common failure |
|---|---|---|---|
| Early warning | 4 hours from classification | Incident identified; whether malicious/illegal cause; potential cross-border impact | Incident classification taking >3 hours; no 24/7 compliance contact |
| Intermediate report | 72 hours | Preliminary analysis, severity assessment, indicators of compromise (IoCs), preliminary root cause if known | Legal review bottleneck; IoC data not yet collected |
| Final report | 1 month | Root cause analysis, actual financial/operational impact, corrective and preventive measures taken and planned | Root cause still disputed; no formal post-incident review process |
In Spain: Banco de España (credit institutions), CNMV (investment firms), DGSFP (insurers). All ESAs expect standardised reporting formats aligned with the ITS on incident reporting published in December 2024.
Key RTS and ITS requirements finalised in December 2024
The Joint Committee of the ESAs published the final batch of DORA Level 2 technical standards in December 2024. These are not optional guidance — they are legally binding specifications that determine exactly how entities must implement each pillar. The most operationally critical RTS/ITS include:
- RTS on ICT risk management tools and methods (JC 2023/84) — Specifies the minimum content of the ICT risk management framework, required policies and governance standards.
- RTS on incident classification (JC 2023/83) — Defines the severity thresholds that trigger major incident classification and mandatory notification. Includes specific criteria on number of clients affected, transaction values disrupted, and data integrity impact.
- ITS on incident reporting templates (JC 2023/85) — Prescribes the exact fields, formats and data elements required in each of the three notification stages.
- RTS on TLPT (JC 2023/78) — Specifies the requirements for threat-led penetration testing, including tester certification standards, scope definition methodology and advanced notice requirements to competent authorities.
- RTS on third-party risk (JC 2023/86) — Details the mandatory contractual elements under Article 30 and the methodology for classifying providers as critical or non-critical.
- ITS on the register of information (JC 2023/87) — Specifies the standardised template for the ICT third-party provider register that entities must be ready to submit to supervisors on request.
Supervisors began requesting register submissions and requesting evidence of framework implementation from Q1 2025 onward. The first formal DORA inspection wave is expected to intensify throughout 2025.
DORA inspection timeline: what to expect in 2025
DORA entered application on 17 January 2025, and supervisors across the EU moved immediately to validate implementation. Based on published ESA and national competent authority communications, the inspection wave follows this pattern:
- Q1 2025: National competent authorities (NCAs) sent initial questionnaires to significant institutions requesting evidence of ICT risk framework approval by the management body and confirmation of ICT provider registers.
- Q2 2025: EBA published its 2025 supervisory convergence work programme identifying DORA implementation as a priority. ESAs began the process of designating Critical Third-Party Providers (CTPPs) subject to direct oversight.
- Q3–Q4 2025: On-site inspections and deep-dive thematic reviews of ICT resilience programmes expected at significant credit institutions and large investment firms. Focus areas: incident classification matrices, TLPT programme status, and contract clause compliance.
- 2026: Full-cycle TLPT results to be submitted by entities that commenced testing in 2025. Penalties for non-compliance enforcement expected to increase.
Key risk: IgeraRegTech’s Q1 2025 gap analysis of 23 entities found that 78% could not immediately produce a complete, structured ICT provider register in the standardised ITS format — the first document supervisors are requesting.
Map your DORA gaps in 48 hours — not 6 weeks
IgeraRegTech’s AI RAG platform ingests your ICT policies, contracts and risk registers, then cross-references them against every DORA article and RTS requirement — identifying your 47 average gaps with exact document citations.
Explore IgeraRegTech →How AI RAG accelerates DORA control mapping
DORA spans 64 articles, 13 implementing and delegated acts, and dozens of Q&As published by EBA, ESMA and EIOPA. No compliance team can read, cross-reference and operationalise all of this manually for every business decision. The volume of documentation is not the problem — the correlation between internal policies, contracts and specific regulatory requirements is where teams break down.
A Retrieval-Augmented Generation (RAG) system trained on DORA and loaded with your internal documentation enables your legal and operations teams to:
- Ask plain-language questions and receive answers that cite the exact DORA article, the applicable RTS paragraph, and the internal policy or contract clause that addresses (or fails to address) the requirement.
- Generate structured gap analyses across all 5 pillars in hours rather than weeks, with each gap linked to a specific remediation action.
- Produce incident notification drafts pre-filled with the ITS mandatory fields, reducing the risk of a late or incomplete early warning under time pressure.
- Verify contract clause coverage against Article 30’s mandatory list — flagging which ICT provider contracts need urgent amendment before renewal.
- Stay current automatically as new RTS/ITS are published — the knowledge base updates without requiring a full manual review cycle.
In the IgeraRegTech Q1 2025 cohort, entities using RAG-assisted DORA mapping reduced their average gap remediation time from 11 weeks to 19 days compared to teams relying exclusively on manual spreadsheet-based gap analysis.
Frequently asked questions on DORA compliance
Which entities must comply with DORA?
Article 2 of DORA covers virtually the entire EU regulated financial sector: credit institutions (banks), investment firms subject to MiFID II, payment institutions, electronic money institutions, insurance and reinsurance undertakings, UCITS managers, alternative investment fund managers, crypto-asset service providers (CASPs under MiCA), central securities depositories, central counterparties, and trading venues. Critical ICT third-party providers (CTPPs) designated by the ESAs are also subject to direct EU-level oversight under Chapter V, regardless of whether they are themselves financial entities. Microenterprises with fewer than 10 staff and annual turnover below €2 million benefit from a simplified regime under Article 16.
What are the DORA incident reporting timelines?
For major ICT-related incidents, DORA mandates a three-stage notification process to the competent national authority: (1) an early warning within 4 hours of the financial entity classifying the incident as major, indicating whether a malicious or illegal cause is suspected and whether cross-border impact is possible; (2) an intermediate report within 72 hours with a preliminary analysis, severity classification, indicators of compromise, and preliminary root cause; (3) a final report within 1 month detailing the root cause, actual financial and operational impact, and all corrective and preventive measures taken and planned. These timelines run from the moment of classification, not from incident discovery.
Does DORA overlap with NIS2?
Yes, but DORA takes precedence over NIS2 for in-scope financial entities under the principle of lex specialis. Recital 16 and Article 1(2) of DORA explicitly state that where DORA is more specific than NIS2 on a given requirement, DORA prevails. This means financial entities should treat DORA as their primary ICT risk and resilience framework, using NIS2 only to fill gaps where DORA is silent (which are few). However, financial entities that are also operators of essential services under NIS2 may still need to engage with national NIS2 implementation, particularly around incident notification to CSIRT authorities, which DORA does not replace entirely.
What are the penalties for DORA non-compliance?
For critical ICT third-party providers (CTPPs) under direct ESA oversight, DORA provides for periodic penalty payments of up to 1% of average worldwide daily turnover in the preceding business year, applied for up to six months until compliance is achieved (Article 35). For financial entities themselves, sanctions are determined by the national competent authority under existing sectoral frameworks (e.g., CRD VI for banks, Solvency II for insurers), which can include significant financial penalties, public naming, suspension of activities, and personal liability for management body members who failed to exercise adequate oversight.
How does AI help with DORA compliance?
AI — specifically Retrieval-Augmented Generation (RAG) systems — reduces DORA compliance effort in three key ways. First, it eliminates manual cross-referencing: instead of a compliance analyst spending weeks mapping each DORA article to internal policies, a RAG system indexes both the regulation and the entity’s internal documents, instantly identifying which requirements are met, partially met, or unaddressed. Second, it drafts mandatory outputs: incident notification reports, ICT risk management framework summaries, and register of information entries can be auto-generated from your internal data in the ITS-compliant format. Third, it stays current: when new RTS/ITS or ESA Q&As are published, the knowledge base updates automatically — unlike static spreadsheet-based control frameworks that go stale within weeks of a regulatory update.
When will supervisors start DORA inspections?
Supervisory activity began immediately after DORA became applicable on 17 January 2025. In Q1 2025, national competent authorities across major EU markets sent written information requests to significant financial institutions covering ICT risk framework governance and ICT provider register status. Formal thematic reviews and on-site inspections at large credit institutions and investment firms are expected throughout Q3–Q4 2025. The EBA 2025 supervisory convergence work programme identifies DORA implementation as a priority focus area. Entities that have not completed their gap remediation by mid-2025 face a high probability of regulatory findings in the first inspection cycle.
Editorial note: This article was last updated in July 2025. It is intended for informational purposes only and does not constitute legal advice. Always verify regulatory requirements with qualified legal counsel and your competent national authority. Sources: Regulation (EU) 2022/2554 (DORA) • Commission Delegated Regulation (EU) 2024/1774 (ICT risk management RTS) • Commission Delegated Regulation (EU) 2024/1772 (incident classification RTS) • EBA/ESMA/EIOPA Joint Guidelines on ICT risk management (JC 2023/84) • IgeraRegTech proprietary gap analysis data, Q1 2025 (n=23 EU financial entities).
Part of the IgeraRegTech EU Compliance Hub
This article is part of our pillar on EU financial regulation. Explore related resources: