Jun 8, 2026

DORA Regulation: Obligations, 5 Pillars and ICT Third-Party Risk Management

The DORA regulation imposes strict obligations on EU financial entities regarding the management of ICT risks and their technology providers. Discover the 5 pillars, your obligations and how CyberVadis supports your compliance.

Key takeaways

  • DORA (Digital Operational Resilience Act) has been in force since 17 January 2025 for all EU financial entities
  • The regulation rests on 5 pillars, including ICT third-party risk management, the most complex obligation to implement
  • The entities concerned must maintain a register of all their ICT providers and assess their cybersecurity
  • The fundamental difference with the GDPR: DORA addresses operational resilience, not personal data
  • CyberVadis offers an evidence-based assessment that directly meets the requirements of Chapter V of DORA

The DORA regulation (Digital Operational Resilience Act) is a European regulatory text that requires financial entities to demonstrate their ability to withstand, respond to and recover from any incident linked to information and communication technology (ICT). In force since 17 January 2025, DORA applies to banks, insurers, payment institutions, asset management companies and other financial sector players operating in the European Union. Its distinctive feature: it places the management of ICT third-party providers at the heart of compliance obligations. CyberVadis helps security and compliance teams meet the requirements of Chapter V of DORA through supplier assessments validated by expert analysts.

What is the DORA regulation?

DORA, an acronym for Digital Operational Resilience Act, is a European regulation adopted in December 2022 and applicable since 17 January 2025. It applies directly across the 27 Member States without requiring national transposition, an important distinction compared with directives such as NIS2.

Its objective is to ensure that financial entities can maintain their critical activities even in the event of serious ICT incidents: cyberattacks, system failures, breakdowns of technology providers. According to Recital 3 of the regulation, "the EU financial sector increasingly relies on digital technologies and third-party undertakings for the provision of critical ICT services".

This text is the first European regulation to address the operational digital resilience of the financial sector so comprehensively, covering both internal risk management and the management of ICT third-party risks.

Who is concerned by DORA?

The entities subject to DORA cover a broad spectrum of the financial sector:


  1. Credit institutions (banks)
  2. Payment and electronic money institutions
  3. Investment firms
  4. UCITS management companies and alternative investment fund managers
  5. Insurance and reinsurance undertakings
  6. Central counterparties and central securities depositories
  7. Crypto-asset service providers (CASPs)
  8. Credit rating agencies
  9. Crowdfunding service providers

The 5 pillars of DORA

The DORA regulation is built around 5 fundamental pillars, each framed by specific articles of the text.

  1. The first pillar is ICT risk management. Entities must have a robust ICT risk management framework: policies, procedures, mapping of critical systems, business continuity and recovery plans. This framework must be approved and overseen by the management body (Chapter II).
  2. The second pillar covers ICT incident management, classification and reporting. DORA requires a structured process for detecting, classifying and reporting ICT incidents to the competent authorities. Major incidents must be notified according to a strict timeline: initial notification (4 hours), intermediate report (72 hours), final report (1 month) (Chapter III).
  3. The third pillar is digital operational resilience testing. Entities must test their ICT systems regularly: basic annual testing for all, and TLPT (Threat-Led Penetration Testing) every 3 years for entities of significant importance (Chapter IV)
  4. The fourth pillar is ICT third-party risk management, the most structuring pillar for the majority of security teams. DORA requires maintaining a complete register of ICT providers, assessing their cybersecurity before contracting and on an ongoing basis, and including specific contractual clauses (Chapter V, see dedicated section below)
  5. The fifth pillar is information sharing. DORA encourages financial entities to share cyber threat intelligence with one another, through voluntary information-sharing arrangements (Chapter VI).

What are the obligations of financial entities ?

Beyond the 5 pillars, DORA generates concrete operational obligations that compliance and security teams must implement.

On governance, the management body is directly responsible for the digital resilience strategy. Senior managers can be held personally liable in the event of a breach; a provision that has considerably increased the attention paid to DORA at the highest level.

On systems, entities must map their entire ICT estate, identify critical assets and maintain up-to-date documentation. According to a European Commission estimate, a mid-sized bank relies on average on more than 5,000 ICT providers, so the scope of the obligations is considerable.

On incidents, the notification timeline is non-negotiable: any entity that misses the deadlines exposes itself to sanctions from its competent national authority (ACPR in France, BaFin in Germany, for example).

DORA and ICT third-party management: the central obligation

Chapter V of DORA is the one that generates the most operational work for security and procurement teams. It imposes four main obligations:

  1. The register of ICT providers: each entity must keep a complete and up-to-date register of all its ICT providers, with, for each one, a classification according to its criticality for the entity's essential functions. This register must be submitted to the supervisory authorities on request.
  2. Prior and ongoing assessment: before contracting with a new ICT provider, the entity must assess its cybersecurity risks. This assessment must then be maintained on an ongoing basis; not only at the time of contracting. According to the IBM Cost of a Data Breach 2024 report, the average cost of a data breach involving a third party reaches 4.88 million dollars, which fully justifies the ongoing assessment obligation imposed by DORA.
  3. Contractual obligations: DORA defines a list of mandatory clauses in contracts with ICT providers: right to audit, service levels (SLAs), exit plans, incident notification obligations. Existing contracts must be brought into compliance.
  4. Critical ICT providers (CTPPs): for providers deemed critical at European level (designated by the supervisory authorities), DORA provides for a specific oversight framework. According to ENISA, incidents involving critical ICT providers increased by 42% between 2022 and 2024 in the European financial sector.

It is precisely on this Chapter V that CyberVadis intervenes. Our platform makes it possible to assess the cybersecurity posture of each ICT provider with evidence verified by our analysts, rather than a simple automated score, to meet the documentary requirements expected by supervisors.

How to comply with DORA in 2026?

DORA compliance is organised around 6 concrete steps.

  1. The first step is to map ICT providers: build the exhaustive register of ICT providers (software publishers, hosting providers, cloud providers, maintenance providers) and classify each provider according to its criticality for the entity's essential functions.
  2. The second step is to assess each provider's cybersecurity: for each identified provider, conduct a cybersecurity assessment. This assessment must go beyond the questionnaire: it must rely on evidence (certifications, audit reports, penetration tests) to be acceptable to supervisors.
  3. The third step is to bring contracts into compliance: review all existing ICT contracts to incorporate the mandatory clauses defined in Article 30 of DORA (right to audit, SLAs, incident notification obligations, exit plans).
  4. The fourth step is to set up the incident notification process: define the internal escalation chain and the process for notifying the authorities, and train teams on the regulatory deadlines (4 hours / 72 hours / 1 month).
  5. The fifth step is to plan resilience testing: organise the annual testing programme and, for significant entities, prepare the triennial TLPTs.
  6. The sixth step is to maintain on an ongoing basis. DORA compliance is not a one-off project. The provider register must be kept up to date, assessments renewed regularly, incidents documented. It is a permanent operational process, and this is where our fully managed service brings the most value: by automating the continuous monitoring of your ICT providers' security posture.

Want to know more?

CyberVadis supports financial entities across steps 1, 2 and 6: building and updating the ICT provider register, evidence-based cybersecurity assessments validated by certified analysts, and continuous monitoring. Unlike automated security ratings platforms, CyberVadis produces documented and auditable assessments; exactly what financial supervisors expect under DORA.

Questions fréquentes

R : DORA vise à renforcer la résilience opérationnelle numérique du secteur financier européen. Il impose aux banques, assureurs et autres entités financières de démontrer qu'elles peuvent maintenir leurs activités critiques face à des incidents ICT graves, qu'ils soient d'origine interne ou liés à un prestataire technologique. DORA est en vigueur depuis le 17 janvier 2025.

A: Micro-enterprises (fewer than 10 employees and annual turnover below 2 million euros) benefit from a lighter regime. Certain entities such as sub-threshold alternative investment fund managers or small payment institutions may also benefit from partial exemptions. Entities outside the financial sector are not concerned by DORA.

A: DORA has been applicable since 17 January 2025 across all EU Member States. The entities concerned had to be compliant by that date. National supervisory authorities began their first compliance checks during 2025.

R : Oui, indirectement. Les prestataires ICT qui fournissent des services à des entités financières sont soumis aux clauses contractuelles imposées par DORA (Article 30) : droit d'audit, obligations de notification d'incident, SLA. Les prestataires ICT désignés "critiques" au niveau européen font l'objet d'un cadre de surveillance direct par les autorités de supervision.

R : Un établissement financier peut être concerné par les deux textes. DORA est lex specialis : en cas de conflit, DORA prévaut sur NIS2 pour les entités financières. En pratique, une conformité DORA bien construite couvre et dépasse les exigences NIS2 pour le secteur financier.