Digital Operational Resilience Act
Strict operational resilience and cybersecurity rules for the EU financial sector and its ICT providers.
What Is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that creates a binding, comprehensive framework on digital operational resilience for the European financial sector. While earlier regulations focused heavily on financial capital, DORA focuses entirely on IT security and operational continuity.
DORA applies to almost all financial entities in the EU (banks, investment firms, insurance companies, crypto-asset providers). More importantly, it applies directly to the ICT (Information and Communication Technology) third-party service providers that supply them.
For the first time, critical ICT third-party service providers (CTPPs)—such as major cloud providers (AWS, Azure) and critical financial SaaS platforms—will be subject to direct oversight by European financial regulators (the ESAs), giving regulators the power to inspect vendors and issue massive fines.
Does DORA Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
EU Financial Entities
Banks, insurers, and trading platforms must comply entirely with DORA's mandates regarding internal risk management and vendor oversight.
FinTech & SaaS Vendors
If you sell software to an EU bank, the bank is legally required to force DORA compliance onto you via strict contractual clauses.
Critical ICT Providers (CTPPs)
Designated critical vendors will face direct regulatory audits from EU financial regulators, bypassing the banks entirely.
- Software vendors that do not sell to or interact with the European financial sector.
- Micro-enterprises (fewer than 10 employees and <€2M turnover) have lighter, proportionate rules, though their banking clients may still push strict contracts down to them.
Why DORA Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
Compliance Deadline: Jan 2025
DORA entered into force in Jan 2023 and the implementation period ended on January 17, 2025. It is now actively enforced law.
Contract Repapering
EU banks are currently undertaking massive 'repapering' exercises, rewriting thousands of vendor contracts to insert DORA-mandated exit strategies and audit rights.
Direct Regulatory Fines
Regulators can fine Critical ICT Providers up to 1% of their average daily worldwide turnover for every day they remain non-compliant.
The Requirements
The core security controls and evidence parameters audited for DORA.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for DORA.
Gap Analysis & Register Build
Assess current ISMS against DORA Regulatory Technical Standards (RTS). Begin compiling the mandatory Register of Information mapping all ICT vendors.
Contract Repapering
Negotiate and update contracts with all ICT vendors to include DORA's mandatory clauses (termination rights, audit access, sub-outsourcing limits).
Resilience Testing & IR Update
Update the incident response plan to meet regulatory reporting timelines. Schedule and conduct required penetration testing or TLPT.
With Existing Certifications
8-12 weeks: ISO 27001 covers the baseline risk management, but DORA's specific contractual requirements (exit strategies) and TLPT testing will require heavy legal and technical effort.
Starting from Scratch
6-12 months: Building a financial-grade risk management framework, vendor management system, and incident reporting pipeline from scratch is a massive undertaking.
The Mistakes That Delay Most DORA Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Ignoring the 'Exit Strategy' requirement
DORA requires banks to have a documented, tested exit strategy for critical vendors—meaning they must prove they can rip your SaaS out and migrate to a competitor without crashing.
As a SaaS vendor, proactively build data export tools and 'transition assistance' SLAs to help your banking clients satisfy this requirement.
Refusing audit rights
SaaS vendors typically refuse to let customers audit their physical or logical systems. Under DORA, EU banks are legally required to secure audit rights in their contracts.
Prepare a 'pooled audit' or 'third-party certification' strategy acceptable under DORA to prevent 50 different banks from demanding to scan your network.
Thinking SOC 2 is enough
SOC 2 focuses on data security. DORA focuses on operational resilience. If your server goes down, SOC 2 doesn't care much as long as data wasn't breached. DORA cares deeply.
Focus on your SLA uptimes, Disaster Recovery RTO/RPO metrics, and High Availability architectures.
Rishabh's Take on DORA
Practitioner Voice“DORA fundamentally changes how software is sold to European financial institutions. In the past, if a vendor refused a security clause, the bank's risk team could sign a waiver and buy the software anyway. Under DORA, they cannot. The law dictates what must be in the contract. If you are a B2B FinTech selling into the EU, your sales team is going to hit a brick wall of 'DORA Addendums' this year. Don't fight the banks on the audit rights or exit strategies—build standardized, DORA-compliant responses and use them to close deals faster than your unprepared competitors.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
DORA Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
DORA Checklist
Assess your baseline control posture against DORA criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about DORA compliance and certification processes.