Sandy Smajic Logo
Back to Insights
Regulation

DORA Compliance Explained

The Digital Operational Resilience Act reshapes how financial entities and their ICT providers manage risk. Here's what it covers and how to approach it.

By Sandy Smajic7 min read

DORA — the Digital Operational Resilience Act — applies to a broad range of financial entities and, crucially, their critical ICT service providers. It harmonizes operational resilience requirements that were previously scattered across different rules. If you operate in or supply the financial sector, here's the shape of it.

Five pillars

  • ICT risk management — a comprehensive framework owned by the management body.
  • ICT incident management — classification, handling, and reporting of major incidents.
  • Digital operational resilience testing — including threat-led penetration testing for significant entities.
  • ICT third-party risk — oversight of providers, with key contractual requirements.
  • Information sharing — voluntary exchange of threat intelligence among entities.

Third-party risk is the headline

DORA puts real weight on ICT third-party risk. Financial entities must maintain a register of information on their ICT arrangements, ensure contracts contain specific provisions, and assess concentration risk. Critical providers face direct EU oversight.

How it relates to what you already have

If you've implemented ISO 27001 or aligned with NIS2, you have a strong foundation — but DORA is more prescriptive in places, particularly around testing and third-party contracts. Treat it as an extension, not a parallel universe.

DORA's emphasis on resilience testing and supplier contracts catches many organizations that thought their existing program was enough.

Practical first steps

  • Confirm whether you are a financial entity or an ICT provider to one.
  • Build or update your register of ICT third-party arrangements.
  • Review supplier contracts against DORA's required provisions.
  • Establish an incident classification and reporting process aligned with the technical standards.
  • Plan your resilience testing program proportionate to your size and risk.

DORA is demanding but logical. Start by understanding your role in the chain, get your third-party house in order, and build resilience testing into your routine rather than treating it as a one-off.

Topics

DORAFinancial ServicesResilienceEU Regulation

Related resources

DORA CompliancevCISO Services

Turn this into a plan that passes the audit

Book a free 30-minute consultation and we'll map your fastest, lowest-risk path to compliance — no jargon, no sales pitch.

Book a free consultation

Frameworks I work with

Every article is grounded in the standards that regulators and auditors actually use.

ISO 27001Information security management
NIS2EU cybersecurity directive
TISAXAutomotive information security
DORAFinancial sector resilience
NISTCybersecurity framework
GDPRData protection regulation

Keep reading

NIS2 in 2026: What Companies Need to Do Now

National transposition of NIS2 is landing across the EU. Here is a practical, no-panic roadmap for getting your organization in scope, in control, and audit-ready.

ISO 27001 Implementation: Lessons Learned

After leading multiple ISO 27001 programs, the same patterns separate smooth certifications from painful ones. Here are the lessons that actually move the needle.

Why SMEs Fail Security Audits (and How to Avoid It)

Most failed audits don't come from missing technology. They come from a handful of avoidable, organizational mistakes. Here are the ones I see most often.