7 questions mapped to what competent authorities actually examine. Incident classification, 4-hour notifications, Register of Information, third-party risk. 2 minutes.
Could you classify an ICT incident as "major" within 30 minutes using documented decision criteria?
What does DORA require?
DORA (Digital Operational Resilience Act) applies to all EU-regulated financial entities — banks, insurers, investment firms, payment institutions, and their critical ICT service providers.
Articles 17-19 require incident classification and reporting within 4 hours of classification (initial notification), 72 hours (intermediate report), and 1 month (final report). In the ESAs' 2025 dry-run, 93.5% of firms failed the Register of Information quality checks.
Articles 25-27 mandate scenario-based resilience testing, including threat-led penetration testing (TLPT) for significant entities. Only 50% of institutions achieved full compliance by end of 2025.
Built by Blend Training
Our DORA course puts you in the Head of Compliance's chair during a critical vendor outage on month-end. Incident classification under pressure, 4-hour notification deadlines, and vendor accountability — the exact scenarios supervisors will examine.
DORA (Regulation 2022/2554) applies to twenty categories of EU financial entity: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and account information service providers. Branches of non-EU financial entities operating in the EU are also in scope.
When did DORA take effect?
DORA has applied from 17 January 2025. There was no phased rollout: all five pillars (ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk, information sharing) became applicable on the same date. National competent authorities began supervisory examinations immediately.
What is the DORA 4-hour incident reporting deadline?
For major ICT-related incidents, Article 19 requires three reports: an initial notification within 4 hours of classification, an intermediate report within 72 hours of the initial notification, and a final report within one month. The 4-hour clock starts at classification (the moment the incident is identified as major under the Commission Delegated Regulation criteria), not at detection. Significant cyber threats also trigger reporting under Article 19(2) on a voluntary basis.
What is the Register of Information?
Article 28 requires every financial entity to maintain a Register of Information documenting all contractual arrangements for ICT services with third-party providers. The Register must include service descriptions, criticality assessments, location of data processing, exit strategies, and concentration risk indicators. The ESAs (EBA, EIOPA, ESMA) ran a 2025 dry-run in which an overwhelming majority of submitted Registers failed quality checks for completeness and consistency.
Who needs threat-led penetration testing (TLPT)?
TLPT under Articles 26-27 is required for 'significant' financial entities identified by competent authorities based on size, systemic importance, and ICT risk profile. Testing must be conducted at least every three years, follow the TIBER-EU framework or an equivalent, and use accredited testers. Scope is determined jointly by the entity and competent authority and must cover critical functions and underlying ICT systems.
What is a critical ICT third-party service provider (CTPP)?
CTPPs are ICT third-party providers designated by the ESAs as systemically important to the EU financial sector. Designation criteria in Article 31 include the systemic impact on financial stability if the provider failed, the number and combined size of financial entities relying on the provider, and substitutability. Designated CTPPs come under direct oversight by a Lead Overseer (one of the ESAs), with powers to request information, conduct on-site inspections, and impose penalty payments.
What are the DORA penalties?
For financial entities, sanctions are set by national competent authorities under each Member State's transposition and follow the existing sectoral penalty regimes (CRD, MiFID, Solvency II, etc.), so amounts vary by entity type and jurisdiction. For CTPPs, Article 35 empowers Lead Overseers to impose periodic penalty payments of up to 1% of the average daily worldwide turnover of the preceding business year, for up to six months, to compel compliance with information requests, inspection cooperation, or remediation orders.
What training does DORA require?
Article 13 requires financial entities to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes, applicable to all employees and senior management. The depth must be proportionate to the role. For ICT third-party risk teams, training should cover Register of Information maintenance and contractual due diligence. For incident response teams, training should cover classification and the 4-hour, 72-hour, and 1-month reporting cycles. Management body members have a specific Article 5 obligation to maintain sufficient knowledge to understand and assess ICT risk.