DORA — Digital Operational Resilience Act
22,000 EU financial entities. Five pillars. Already binding.
Regulation (EU) 2022/2554 has been fully applicable since 17 January 2025. ICT risk management, incident reporting, resilience testing, third-party risk, information sharing. Five pillars, no grace period left. We ship the evidence pack.
Frequently asked
Who's in DORA scope?
Article 2 covers ~22,000 financial entities in the EU: credit institutions (banks), payment institutions, e-money institutions, investment firms, MiFID II investment-services firms, central counterparties (CCPs), trade repositories, central securities depositories (CSDs), trading venues, alternative investment fund managers (AIFMs), UCITS management companies, data reporting service providers, insurance + reinsurance undertakings, intermediaries, IORPs, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, account information service providers, plus crypto-asset service providers (CASPs) under MiCA. Critical ICT third-party service providers (CTPPs) are designated by the European Supervisory Authorities (ESAs) and are subject to a direct oversight framework.
What does DORA actually require?
Five pillars: (1) ICT risk management framework — governance, identification, protection, detection, response, recovery, learning + evolving (Articles 5-16). (2) ICT-related incident reporting — classification, major-incident notification within hours/days to competent authority (Articles 17-23). (3) Digital operational resilience testing — annual testing programme + threat-led penetration testing every 3 years for significant entities (Articles 24-27). (4) ICT third-party risk management — register, contractual safeguards, oversight of CTPPs (Articles 28-44). (5) Information sharing arrangements (Article 45).
What's threat-led penetration testing (TLPT)?
Articles 26 and 27 plus the RTS on TLPT: every 3 years (or more often if the competent authority requires it), significant entities and critical undertakings must run a Threat-Led Penetration Test based on the TIBER-EU framework as adapted for DORA. The test uses real-world threat-actor TTPs, is scoped against critical or important functions, is executed by ESA-approved testers, and its results are shared with the entity's competent authority.
How does DORA stack with NIS2?
Lex specialis. Where DORA applies (financial entities), DORA prevails over NIS2: financial entities subject to DORA are carved out of the NIS2 essential-entity scope for ICT requirements. BUT NIS2 still applies to non-financial functions (HR systems, marketing, etc.) where DORA's scope is narrower. Practical rule: financial entity = DORA primary, NIS2 carve-out, GDPR always.
What's the penalty?
DORA fines vary by member state transposition (DORA is a Regulation, but enforcement is via national supervisors). Typical ceilings: up to 2% of total annual global turnover, or, for repeat offences, up to 1% of total annual worldwide turnover per day for the duration of the breach. CTPPs face their own penalty regime under Article 35: up to 1% of daily worldwide turnover for the duration of the non-compliance period.
How does MEOK help?
meok-dora-nis2-crosswalk-mcp (MIT) maps DORA controls to NIS2, ISO 27001 and SOC 2 to prevent duplicate work. /transparency (£399/mo) covers Article 17 incident-classification logging. /audit-prep-bundle (£4,950) wraps DORA-NIS2, the EU AI Act and the EU CRA in a 14-day signed evidence pack. /consulting (£950/day) provides TLPT scoping support.
Behind on DORA? 14-day catch-up
Free 30-min triage call: bring your DORA gap, we map remediation + signed evidence flow.
Source: Regulation (EU) 2022/2554 · MEOK AI Labs · CSOAI LTD · UK Companies House 16939677