Many financial entities treated DORA as a distant deadline, then woke up on 17 January 2025 to find it already in force. Some had a policy folder and a vendor list and considered themselves ready. Then a supervisor asked for their register of information, or an ICT incident triggered a reporting clock, and the gap became obvious.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is an EU regulation that applies directly in every member state, with no national transposition required. It covers a wide range of financial entities: banks, insurers and reinsurers, investment firms, payment and e-money institutions, crypto-asset service providers, fund managers and many others. Crucially, it also reaches the ICT third-party providers those entities depend on, so a cloud host or a software vendor with no banking licence can still be pulled into scope. Here is what DORA actually requires, and where the most common gaps hide.
The five pillars
DORA is built on five interlocking pillars, and they are meant to work together, not as separate checklists.
- ICT risk management framework. Governance sits at the centre: your management body owns and is accountable for the framework. It must cover the full cycle of identifying assets and dependencies, protecting them, detecting anomalies, and responding to and recovering from disruption, with business continuity and backup arrangements that are tested, not just documented.
- ICT-related incident management. You need a consistent process to detect, log, classify and manage ICT-related incidents. Major incidents must be reported to the competent authority using harmonised templates and timelines: an initial notification (within four hours of classifying the incident as major, and in any case within 24 hours of becoming aware of it), an intermediate report (within 72 hours of the initial notification) and a final report (within one month of the intermediate report). Significant cyber threats may be reported on a voluntary basis. The practical consequence is that classification, not just detection, starts the clock, so the classification criteria must be defined and exercised before the first real incident.
- Digital operational resilience testing. A risk-based testing programme runs across the estate, from vulnerability scans and scenario testing to more advanced exercises, and entities other than microenterprises must test all ICT systems supporting critical or important functions at least yearly. Financial entities identified by their competent authority must additionally undergo threat-led penetration testing (TLPT) at least every three years, driven by real threat intelligence on the entity's own attack surface rather than a generic scan.
- ICT third-party risk management. You must maintain a register of information covering all contractual arrangements for ICT services, in the harmonised template defined by the implementing technical standards, embed mandatory contractual clauses (audit and access rights, subcontracting conditions, termination and exit), analyse concentration risk, and plan credible exit strategies for services supporting critical or important functions. On top of this sits an EU oversight framework: providers designated as critical ICT third-party providers are overseen directly by the European Supervisory Authorities.
- Information and intelligence sharing. DORA explicitly enables entities to share cyber threat information and intelligence within trusted communities, so the ecosystem learns faster than any single firm could alone.
Why non-financial providers get pulled in
A common misreading is that DORA is only a banking problem. It is not. Through the third-party rules, ICT providers face contractual obligations passed down by their financial clients, and the most critical among them face direct EU oversight. If you sell cloud, hosting, managed services or software to regulated entities, DORA is already shaping the contracts you are asked to sign.
Why the exposure is real
- Problem: DORA is often treated as a documentation refresh, when it rests on living processes, tested recovery, and evidence a supervisor can inspect.
- Impact: competent authorities can require corrective measures and impose administrative penalties on financial entities, and critical ICT third-party providers that fail to comply with oversight recommendations face periodic penalty payments. Add to that the contractual and reputational fallout when a major incident is mishandled or reported late.
- Action: treat DORA as a continuous resilience programme, with an accountable management body, a complete register of information, and the ability to prove, on request, that your controls and recovery arrangements actually work.
The gaps most often underestimated
Three blind spots come up constantly. First, an incomplete register of information: many entities cannot produce a full, structured inventory of ICT contracts and dependencies, including subcontracting chains, in the format supervisors expect. Second, weak exit strategies and concentration risk: relying heavily on a single cloud provider with no tested way to migrate or fall back is a resilience risk, not just a procurement detail, and a clause that merely grants a right to terminate is not an exit strategy. Third, testing that is not threat-led: running generic scans and calling it done, when identified entities are expected to test against realistic, intelligence-driven scenarios and to remediate what those tests find.
Take stock in a few minutes
Before investing in a full resilience programme, gauge your starting point. Our free DORA readiness self-assessment walks through the five pillars, computes a maturity score and highlights your priorities. No sign-up, no data sent: everything is calculated in your browser.
Once your gaps are identified, the FortaRisks Compliance module turns these requirements into a prioritized action plan, with continuous compliance evidence rather than a point-in-time audit.
DORA is not a form you tick once. It is a way to demonstrate, at any time, that your organization can withstand, respond to and recover from ICT disruption. This assessment does not replace legal or supervisory advice, but it tells you exactly where to start.