DORA
Getting Started Guide

Digital Operational Resilience Act

Strict operational resilience and cybersecurity rules for the EU financial sector and its ICT providers.

Audit Effort6–12 months for compliance
Key FactRequires critical ICT third-party providers (CTPPs) to be directly overseen by EU regulators.

What Is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation that creates a binding, comprehensive framework on digital operational resilience for the European financial sector. While earlier regulations focused heavily on financial capital, DORA focuses entirely on IT security and operational continuity.

DORA applies to almost all financial entities in the EU (banks, investment firms, insurance companies, crypto-asset providers). More importantly, it applies directly to the ICT (Information and Communication Technology) third-party service providers that supply them.

For the first time, critical ICT third-party service providers (CTPPs)—such as major cloud providers (AWS, Azure) and critical financial SaaS platforms—will be subject to direct oversight by European financial regulators (the ESAs), giving regulators the power to inspect vendors and issue massive fines.

Does DORA Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

EU Financial Entities

Banks, insurers, and trading platforms must comply entirely with DORA's mandates regarding internal risk management and vendor oversight.

Mandatory

FinTech & SaaS Vendors

If you sell software to an EU bank, the bank is legally required to force DORA compliance onto you via strict contractual clauses.

Mandatory

Critical ICT Providers (CTPPs)

Designated critical vendors will face direct regulatory audits from EU financial regulators, bypassing the banks entirely.

Mandatory
You probably don't need DORA if:
  • Software vendors that do not sell to or interact with the European financial sector.
  • Micro-enterprises (fewer than 10 employees and <€2M turnover) have lighter, proportionate rules, though their banking clients may still push strict contracts down to them.

Why DORA Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Compliance Deadline: Jan 2025

DORA entered into force in Jan 2023 and the implementation period ended on January 17, 2025. It is now actively enforced law.

Contract Repapering

EU banks are currently undertaking massive 'repapering' exercises, rewriting thousands of vendor contracts to insert DORA-mandated exit strategies and audit rights.

Direct Regulatory Fines

Regulators can fine Critical ICT Providers up to 1% of their average daily worldwide turnover for every day they remain non-compliant.

The Requirements

The core security controls and evidence parameters audited for DORA.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for DORA.

1
Weeks 1-4

Gap Analysis & Register Build

Assess current ISMS against DORA Regulatory Technical Standards (RTS). Begin compiling the mandatory Register of Information mapping all ICT vendors.

Key Deliverable:Gap Assessment, Draft Register of Information
2
Weeks 5-12

Contract Repapering

Negotiate and update contracts with all ICT vendors to include DORA's mandatory clauses (termination rights, audit access, sub-outsourcing limits).

Key Deliverable:DORA-compliant MSAs and SLAs
3
Weeks 13-20

Resilience Testing & IR Update

Update the incident response plan to meet regulatory reporting timelines. Schedule and conduct required penetration testing or TLPT.

Key Deliverable:Updated IR Plan, Penetration Test Results
With Existing Certifications

8-12 weeks: ISO 27001 covers the baseline risk management, but DORA's specific contractual requirements (exit strategies) and TLPT testing will require heavy legal and technical effort.

Starting from Scratch

6-12 months: Building a financial-grade risk management framework, vendor management system, and incident reporting pipeline from scratch is a massive undertaking.

The Mistakes That Delay Most DORA Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Ignoring the 'Exit Strategy' requirement

Why it happens:

DORA requires banks to have a documented, tested exit strategy for critical vendors—meaning they must prove they can rip your SaaS out and migrate to a competitor without crashing.

How to avoid it:

As a SaaS vendor, proactively build data export tools and 'transition assistance' SLAs to help your banking clients satisfy this requirement.

Refusing audit rights

Why it happens:

SaaS vendors typically refuse to let customers audit their physical or logical systems. Under DORA, EU banks are legally required to secure audit rights in their contracts.

How to avoid it:

Prepare a 'pooled audit' or 'third-party certification' strategy acceptable under DORA to prevent 50 different banks from demanding to scan your network.

Thinking SOC 2 is enough

Why it happens:

SOC 2 focuses on data security. DORA focuses on operational resilience. If your server goes down, SOC 2 doesn't care much as long as data wasn't breached. DORA cares deeply.

How to avoid it:

Focus on your SLA uptimes, Disaster Recovery RTO/RPO metrics, and High Availability architectures.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

DORA Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

DORA Checklist

Assess your baseline control posture against DORA criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about DORA compliance and certification processes.