
DORA — EU Regulation on Digital Operational Resilience for the Financial Sector

10. 06. 2024 · 3 min read · CORE SYSTEMS · development

On January 17, 2025, the DORA regulation (Digital Operational Resilience Act) takes effect — and financial institutions in the EU have less than a year to prepare. DORA harmonizes requirements for ICT risk management, incident reporting, resilience testing, and third-party provider management across the entire financial sector for the first time. Ignoring it is not an option — sanctions of up to 1% of average daily global turnover are at stake.

What Is DORA and Who Does It Apply To

DORA (EU Regulation 2022/2554) is a directly applicable legal act — it does not require transposition into national law. It applies to virtually the entire financial sector: banks, insurers, investment firms, payment institutions, crypto-asset providers, and also critical ICT providers to these institutions (cloud providers, outsourcing partners, SaaS vendors).

This is the key difference from previous regulations: DORA introduces direct oversight of ICT third-party providers for the first time. If you supply IT services to banks, DORA applies to you too.

Five Pillars of DORA

The regulation rests on five key areas:

  • ICT Risk Management: A mandatory comprehensive framework for managing ICT risks. Identification, protection, detection, response, recovery. Board-level accountability.
  • ICT Incident Reporting: A standardized process for reporting major ICT incidents. Initial notification within 4 hours of classification, interim report within 72 hours, final report within 1 month.
  • Digital Operational Resilience Testing: Regular testing — vulnerability assessments, penetration tests. For systemically important institutions, mandatory TLPT (Threat-Led Penetration Testing) every 3 years.
  • ICT Third-Party Risk Management: Vendor due diligence, contractual requirements (exit strategies, audit rights, data location), a register of all ICT outsourcing agreements.
  • Information Sharing: Voluntary sharing of threat intelligence among financial institutions. A framework for secure exchange of IoCs (Indicators of Compromise).

ICT Risk Management Framework

DORA requires financial institutions to have a documented ICT risk management framework approved by top management. This is not just a paper exercise — the framework must include:

  • Asset management — an inventory of all ICT assets, dependencies, and data flows
  • Protective measures — encryption, access control, patch management
  • Detection mechanisms — monitoring, anomaly detection, SIEM
  • Business continuity plans — RTO/RPO for critical functions, tested scenarios
  • Communication plans — internal and external (regulator, customers, media)

The management board bears direct responsibility for approving and overseeing the framework, and its members must undergo training on ICT risks. This responsibility cannot be delegated to the IT department.

Incident Reporting — New Obligations

DORA introduces a unified classification system for ICT incidents. Criteria include the number of affected clients, duration, geographic impact, data losses, and impact on critical functions. A “major incident” must be reported to the regulator in three phases.

For Czech financial institutions, this means reporting to the Czech National Bank (CNB), which will serve as the contact point. Formats and templates are defined by Regulatory Technical Standards (RTS), finalized by the European Supervisory Authorities (ESAs) in January 2024.

TLPT — Threat-Led Penetration Testing

For systemically important financial institutions (SIFIs) and other entities designated by the regulator, DORA mandates TLPT at least once every 3 years. TLPT is conducted under the TIBER-EU framework — simulated cyber attacks led by a red team based on realistic threat intelligence scenarios.

Tests must cover critical functions and systems in a production environment. They may only be performed by qualified external testers (with exceptions for internal capabilities under specific conditions). Results are shared with the regulator.

Vendor Management — No More Black Boxes

DORA requires a complete register of ICT outsourcing agreements, including sub-outsourcing. Contracts must contain clear provisions on: SLAs and metrics, audit rights (including for the regulator), exit strategies with defined transition periods, data location and processing, and vendor incident notification obligations.

For “critical ICT providers” (typically large cloud providers such as AWS, Azure, Google Cloud), DORA introduces direct oversight by European supervisory authorities — including the right to inspections and sanctions.

How to Prepare — A Practical Roadmap

  1. Gap analysis — compare your current state with DORA requirements. Identify gaps in the ICT risk framework, incident reporting, testing, and vendor management.
  2. Asset inventory — map all ICT assets, dependencies, and data flows. Many institutions lack a complete overview.