← All guides
EU Financial Services12 min read6 July 2026

DORA Technical Standards: What EU Financial Entities Must Implement After January 2025

Complete guide to the DORA Regulatory Technical Standards (RTS) that became effective January 17, 2025 — covering ICT risk management, major incident reporting timelines, third-party ICT risk, and the TLPT programme.

DORA is in force — what that means for your entity

The EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, 'DORA') became applicable on 17 January 2025, along with its accompanying Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) published by the European Supervisory Authorities (ESAs). For the approximately 22,000 financial entities and ICT third-party service providers in scope across the EU, DORA is not aspirational — it is law, with penalties up to €10 million or 5% of total annual worldwide turnover for non-compliance.

This guide covers the five DORA pillars, the key RTS requirements under each, and what financial entities need to have in place right now.

Who DORA applies to

DORA applies to all EU financial entities under Article 2, including:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • UCITS management companies and alternative investment fund managers
  • Central counterparties (CCPs) and central securities depositories (CSDs)
  • Trading venues and data reporting services providers
  • Crypto-asset service providers (CASPs) under MiCA
  • Crowdfunding service providers
  • ICT third-party service providers (ICT TPSPs) when designated as Critical

Microenterprises and small non-interconnected investment firms may qualify for the simplified ICT risk management regime under Art. 16, which has lighter requirements — but most financial entities with more than 10 employees or €2M annual balance sheet fall under the full regime.

The five DORA pillars and their RTS

Pillar 1: ICT Risk Management Framework (Art. 5–16)

The foundation of DORA is a documented, management body-approved ICT risk management framework covering six phases: identify, protect, detect, respond, recover, and learn. The framework RTS (Commission Delegated Regulation (EU) 2024/1774) specifies detailed requirements including:

  • Management body accountability — Art. 5(2): individual management body members are accountable for ICT risk. Board members must have sufficient skills to understand ICT risk implications. This is not a paper requirement — NCAs will interview board members and review their training records.
  • ICT asset inventory — all ICT assets (hardware, software, data, cloud services, ICT third-party services) must be catalogued, classified by criticality, and kept continuously current. The inventory is the foundation for risk assessment and is reviewed in every supervisory examination.
  • Access management — Art. 8 requires PAM (Privileged Access Management) controls for administrators and MFA for all systems processing critical or sensitive data. Least-privilege access reviews must be conducted at least annually.
  • Cryptography policy — Art. 9 requires a documented cryptography policy defining approved algorithms (TLS 1.2/1.3, AES-256, RSA-2048+), key management procedures, and a process for retiring deprecated algorithms. MD5, SHA-1, DES, and RC4 must be explicitly prohibited.
  • Network segmentation — Art. 9 requires segmentation of critical functions from non-critical ones, IDS/IPS implementation, and network traffic monitoring for anomalies.

Pillar 2: ICT-Related Incident Management and Reporting (Art. 11–23)

DORA's incident reporting regime is the most operationally demanding pillar for most entities. The key element is the major incident notification timeline, established under Art. 17 and detailed in Commission Delegated Regulation (EU) 2024/1772 (the classification RTS) and Commission Implementing Regulation (EU) 2024/2690 (the reporting ITS).

Major incident classification thresholds

An ICT-related incident is classified as 'major' if it meets the classification criteria — which vary by entity type but generally include:

  • Service outage exceeding thresholds (e.g. >2 hours for payment services, >4 hours for other financial services)
  • Number of clients affected exceeding thresholds (e.g. >5,000 retail clients or >10% of professional clients)
  • Economic impact exceeding thresholds (e.g. >€100,000 direct costs or >€500,000 total impact)
  • Reputational impact (media coverage, regulatory attention, client complaints above threshold)
  • Data losses affecting confidentiality or integrity of sensitive data
  • Geographic spread across multiple EU member states

Every ICT incident must be formally assessed against these criteria. A documented classification decision — even if the conclusion is 'not major' — provides evidence of a functioning classification process during NCA review.

The three-notification timeline

For major ICT incidents, entities must submit three notifications to their NCA:

  1. Initial notification — within 4 hours of classifying the incident as major (or within 4 hours after a 24-hour window if classification was initially unclear). Content: incident description, classification criteria met, immediate actions taken, systems affected, estimated client impact, and point of contact. The 4-hour clock runs from when the entity 'becomes aware' — internal escalation delays count.
  2. Intermediate report — within 72 hours of the initial notification. Content: updated impact assessment, root cause hypothesis, containment measures applied, services restored/still affected, updated client count, regulatory implications, and next steps.
  3. Final report — within 1 month of the intermediate report. Content: full root cause analysis, lessons learned, measures implemented to prevent recurrence, updated economic impact assessment, and timeline of events.

Entities must also submit an initial notification for significant cyber threats (Art. 19(2)) on a voluntary basis — an important provision for entities that detect an active threat before it causes a classifiable incident.

Pillar 3: Digital Operational Resilience Testing (Art. 24–27)

All DORA entities must establish a digital operational resilience testing programme. At minimum, this must include:

  • Annual vulnerability assessments and scans of critical ICT systems
  • Open-source analysis and network security assessments
  • Gap analyses and physical security assessments where relevant
  • Scenario-based tests
  • Source code reviews for critical applications (a more demanding requirement than most frameworks)
  • Threat-based penetration tests

For entities designated as Critical by the NCAs (typically large banks, major payment processors, and systemically important financial market infrastructures), DORA Art. 26 requires Threat-Led Penetration Testing (TLPT) every 3 years, following the TIBER-EU framework. TLPT is a multi-phase exercise (threat intelligence / red team / remediation) conducted by certified external testers and overseen by the NCA. Cost ranges from €200,000–€800,000 and the process takes 9–18 months. If you are approaching Critical designation, planning should begin immediately.

Pillar 4: Third-Party ICT Risk Management (Art. 28–44)

Third-party ICT risk is a primary DORA focus. Key requirements:

ICT third-party service register (Art. 28(4-5))

Every financial entity must maintain a comprehensive register of all ICT third-party service arrangements, distinguishing those that support critical or important functions (CIF). This register must be available for NCA reporting on request. Common fields: provider name, legal entity, service description, CIF designation (yes/no), contract status, key dates, oversight level, and concentration risk flag.

Contractual requirements (Art. 30)

DORA specifies minimum contractual provisions for ICT third-party arrangements. All contracts with ICT service providers — regardless of whether they support CIF — must include at minimum:

  1. Clear and complete service description
  2. Data processing locations and data residency provisions
  3. Information security requirements and standards
  4. Incident notification obligations (provider must notify entity promptly)
  5. Cooperation obligations for NCA supervisory access
  6. Termination rights and notice periods
  7. Exit strategy provisions
  8. Business continuity and recovery requirements

For CIF arrangements, additional requirements apply including audit rights, SLA provisions, and sub-processor management.

Contracts pre-dating DORA's application date that do not include these provisions must be remediated. NCAs will request contract evidence during supervisory reviews.

Concentration risk and exit strategies (Art. 28(6))

A major DORA concern is concentration risk — the overreliance on a small number of ICT providers (particularly the major cloud providers: AWS, Microsoft Azure, Google Cloud). Financial entities must assess concentration risk and have credible exit strategies for each CIF provider. An exit strategy that says 'we would rebuild on another cloud provider' without a realistic plan, budget, or timeline will not satisfy DORA.

Critical ICT Third-Party Provider (CTPP) oversight regime (Art. 28–44)

DORA introduces a new oversight regime for ICT providers designated as Critical (CTPPs) by the ESAs. CTPPs are subject to oversight by a Lead Overseer (EBA, ESMA, or EIOPA, depending on the financial sector they primarily serve), including information requests, on-site inspections, and oversight fees. For financial entities that rely on CTPPs, this adds an additional layer of assurance but also additional complexity in managing the oversight relationship.

Pillar 5: Information and Intelligence Sharing (Art. 45)

DORA encourages (but does not mandate) financial entities to participate in information and intelligence sharing arrangements on cyber threats. This is a relatively light pillar — entities should document their participation in existing threat intelligence sharing groups (e.g. FS-ISAC, national CERTs, sector-specific sharing groups) or explain their decision not to participate.

DORA penalty regime

Under Art. 50, NCAs can impose:

  • Corrective measures and remediation requirements
  • Public notices identifying the entity and nature of breach
  • Temporary prohibitions on the provision of services
  • Administrative penalties: up to €10 million or 5% of total annual worldwide turnover for legal persons; up to €5 million for natural persons

For CTPPs that breach oversight obligations, penalties can reach €10 million or 5% of worldwide turnover, plus €100,000 per day for continuing breach.

The most common DORA gaps in 2026

  1. Incomplete ICT third-party register — many entities have a vendor list but not a structured DORA-format register with CIF designations and contractual status for each provider.
  2. Missing 4-hour notification capability — the 4-hour initial notification requires a standing team, a pre-approved template, and NCA contact details. Entities that haven't rehearsed this process under incident conditions will fail the timeline.
  3. Non-compliant contracts — legacy contracts with ICT providers that don't include the Art. 30 mandatory provisions. Contract remediation is often the most time-consuming DORA compliance activity.
  4. No formal major incident classification process — incidents are assessed informally without a documented classification decision against the Commission Delegated Regulation (EU) 2024/1772 criteria.
  5. Management body ICT literacy gaps — Art. 5(2) accountability is not satisfied by a single annual board briefing. NCAs expect evidence of ongoing engagement.

10-step DORA compliance starting point

  1. Assess your DORA tier (full scope, simplified regime, or CTPP)
  2. Establish/update your ICT risk management framework document
  3. Build your complete ICT third-party service register with CIF designations
  4. Review all ICT contracts against Art. 30 requirements — create a remediation tracker
  5. Establish your major incident classification process against the Delegated Regulation thresholds
  6. Build and test your 4-hour initial notification process
  7. Implement your digital operational resilience testing programme
  8. Assess concentration risk and document exit strategies for CIF providers
  9. Conduct management body ICT risk training and document it
  10. Complete your first full DORA internal assessment and present to management body

ComplyKit's DORA Technical Standards Compliance Checklist generates a scored assessment covering all 7 major DORA areas — ICT risk management, protection and prevention, detection, incident management and reporting, resilience testing, third-party ICT risk, and business continuity — with NCA-ready remediation guidance and a phased roadmap. Free, no account required.

Also see: DORA ICT Risk Policy Generator for the policy document required under DORA Art. 7.