
DORA Compliance Guide 2026: Key Requirements for Financial Firms

Learn what financial firms must do to comply with DORA in 2026. Explore the five pillars, ICT risk obligations, incident reporting, TLPT, and third-party risk management requirements.


The Digital Operational Resilience Act entered into application in January 2026, placing comprehensive ICT risk management and operational resilience obligations on financial entities across the European Union. For financial services firms that have been monitoring DORA's development, the compliance deadline has passed but the work of embedding durable compliance programmes continues. For those still building towards full compliance, the urgency is acute.

What Is DORA?

DORA (Regulation (EU) 2022/2554) is an EU regulation that applies directly in all member states without requiring transposition into national law. Its objective is to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. The regulation covers five interconnected pillars: ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.

DORA applies to a broad range of financial entities: banks, investment firms, insurance companies, payment institutions, crypto-asset service providers, crowdfunding platforms, central securities depositories, and more. It also extends obligations to critical ICT third-party service providers (CTPPs) that serve financial entities.

Who Is In Scope?

The regulation's scope is broad, covering most regulated financial entities in the EU. The key categories include:

· Credit institutions (banks)

· Payment institutions and e-money institutions

· Investment firms and fund managers

· Insurance and reinsurance undertakings

· Crypto-asset service providers (CASPs)

· Central counterparties, CSDs, and trading venues

· ICT third-party service providers designated as 'critical' by EU supervisory authorities

Proportionality applies for smaller financial entities - microenterprises are subject to a simplified ICT risk management framework. However, the proportionality provisions have defined boundaries, and organisations should not assume exemption without legal analysis of their specific circumstances.

The Five DORA Pillars

Pillar 1: ICT Risk Management

DORA requires financial entities to implement a comprehensive, documented ICT risk management framework that is approved at board level. Key requirements include:

· A sound ICT risk management strategy aligned with the entity's overall business strategy.

· Comprehensive ICT asset identification, classification, and maintenance of an information asset register.

· Protection and prevention controls proportionate to ICT risk.

· Detection capabilities enabling identification of anomalous activities.

· Response and recovery plans tested at least annually.

· A continuous learning and improvement process based on post-incident reviews and threat intelligence.

The ICT risk management framework must be reviewed at least annually and following major ICT incidents or significant technology changes. Management body members are expected to maintain sufficient knowledge and skills to understand and challenge ICT risk.

Pillar 2: ICT Incident Reporting

DORA introduces harmonised incident classification and reporting requirements that supersede the varying national frameworks previously applied in different member states. Financial entities must:

· Classify ICT-related incidents according to criteria specified in DORA's regulatory technical standards (RTS), including impact on services, data, availability, and clients.

· Report 'major ICT incidents' to their competent authority following a three-stage reporting process: Initial notification (within 4 hours of classification as major), Intermediate report (within 72 hours), and Final report (within 1 month).

· Notify clients affected by major incidents that have or may have an impact on their financial interests.

· Maintain a log of all ICT incidents and significant cyber threats.
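The three-stage reporting clock above is easy to get wrong once it is wired into an incident log, especially the one-month final deadline at a month end. The following is an added illustration, not code from the original page: a small incident record that derives the three DORA deadlines from the time an incident was classified as major and reports per-stage status. The incident identifier and timestamps are constructed sample values, and reading "within 1 month" as one calendar month is an assumption to confirm with your competent authority.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import calendar


def add_calendar_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of a shorter month
    (31 Jan -> 28/29 Feb). Assumption: "within 1 month" = one calendar month."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class MajorIncident:
    incident_id: str                 # internal reference (constructed)
    classified_major_at: datetime    # the reporting clock starts at classification
    submitted: dict = field(default_factory=dict)  # stage -> submission time

    def deadlines(self) -> dict:
        """Initial 4h, intermediate 72h, final one month after classification."""
        t = self.classified_major_at
        return {"initial": t + timedelta(hours=4),
                "intermediate": t + timedelta(hours=72),
                "final": add_calendar_month(t)}

    def status(self, now: datetime) -> dict:
        """Per stage: 'submitted' (on time), 'late' (filed after the deadline),
        'overdue' (not filed, deadline passed) or 'open'."""
        out = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is not None:
                out[stage] = "submitted" if sent <= due else "late"
            else:
                out[stage] = "overdue" if now > due else "open"
        return out

    def next_due(self, now: datetime):
        """(stage, deadline) of the earliest unfiled report, or None if all filed."""
        pending = [(due, s) for s, due in self.deadlines().items() if s not in self.submitted]
        if not pending:
            return None
        due, stage = min(pending)
        return stage, due


# Constructed sample: classified major late on 31 Jan 2026 (month-end edge case),
# initial notification filed on time, intermediate report not yet filed.
UTC = timezone.utc
SAMPLE = MajorIncident("INC-2026-0001", datetime(2026, 1, 31, 22, 0, tzinfo=UTC))
SAMPLE.submitted["initial"] = datetime(2026, 2, 1, 1, 30, tzinfo=UTC)
SAMPLE_NOW = datetime(2026, 2, 4, 0, 0, tzinfo=UTC)
```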

Pillar 3: Digital Operational Resilience Testing

DORA mandates a comprehensive testing programme for all in-scope entities:

· Basic testing (all entities): Vulnerability assessments, network security assessments, physical security reviews, penetration testing, and scenario-based testing at minimum annually.

· Threat-Led Penetration Testing (TLPT): Significant financial entities must conduct TLPT at least every three years. TLPT is a form of red team exercise based on threat intelligence that tests live production systems with limited advance notice to operational staff.

TLPT requirements are demanding. Tests must be conducted by qualified external testers (with possible internal support for firms meeting specific criteria), must follow the TIBER-EU framework methodology, and their results must be shared with competent authorities. Coordinated TLPT across financial groups allows testing results to be recognised across multiple entities simultaneously.

Pillar 4: ICT Third-Party Risk Management

Third-party risk management is arguably the most operationally complex pillar of DORA. Financial entities must:

· Conduct thorough due diligence prior to entering into ICT service contracts with third-party providers.

· Ensure contracts with ICT third-party providers include the mandatory clauses specified in DORA Articles 28 and 30, including audit rights, SLAs, data portability, exit clauses, and security standards.

· Maintain a register of all ICT third-party contractual arrangements, to be reported to competent authorities on request.

· Define and document concentration risk - where over-reliance on a single provider poses systemic risk - and implement mitigation strategies.

· Monitor ICT third-party risk continuously, not just at contract inception.

ICT third-party service providers designated as 'critical' by the ESAs (European Supervisory Authorities) are subject to a direct oversight framework managed at EU level. CTPPs include major cloud providers, core banking platform providers, and other systemically significant ICT suppliers.

Pillar 5: Information Sharing

DORA encourages financial entities to participate in voluntary information-sharing arrangements focused on cyber threats. Participation in recognised information sharing communities (such as FS-ISAC) is facilitated and, where safe harbours are provided under DORA, entities may share threat intelligence including indicators of compromise without breaching confidentiality obligations.

DORA Implementation Roadmap

1. Conduct a DORA gap assessment: Benchmark current ICT risk management, testing, incident management, and third-party risk processes against DORA requirements.

2. Establish governance: Ensure the management body has formally accepted responsibility for ICT risk management under DORA, with clear roles and reporting lines.

3. Build or update your ICT risk management framework: Document policies, procedures, and controls aligned to DORA's requirements. Engage internal audit in review.

4. Establish incident classification and reporting workflows: Map your current incident management process to DORA's reporting timelines and classification criteria. Test the end-to-end workflow.

5. Launch contract remediation: Identify all material ICT third-party contracts, prioritise by criticality, and begin the process of adding DORA-required clauses.

6. Build your testing programme: If not already in place, establish a programme of vulnerability assessments, penetration testing, and scenario-based testing. Plan for TLPT if your firm meets the significance threshold.

7. Engage your regulator: Proactive engagement with your competent authority on DORA implementation plans and any areas of interpretive uncertainty is advisable, particularly for novel or complex business models.

Common Compliance Challenges

· Third-party contract remediation at scale: Large institutions may have thousands of ICT contracts requiring updated clauses.

· TLPT readiness: The scoping, procurement, and execution of TLPT-compliant exercises requires significant advance planning and budget.

· ICT risk taxonomy alignment: Aligning DORA's incident classification criteria with existing internal risk taxonomies and reporting systems.

· Group-level coordination: Financial groups operating across multiple EU jurisdictions must coordinate DORA compliance across entities, which may be regulated by different competent authorities.

· Board-level ICT literacy: DORA's expectation that management body members maintain adequate ICT and digital resilience knowledge is creating demand for board training programmes.

Conclusion

DORA represents the most comprehensive operational resilience regulation the European financial sector has faced, and its requirements will continue to be interpreted and enforced by national competent authorities throughout 2026 and beyond. Financial firms that have invested in substantive compliance programmes - not just policy documentation - will be well-positioned for regulatory engagement and, critically, for the resilience that DORA is designed to build. The regulation is demanding for a reason: the systemic risk posed by ICT failures in interconnected financial markets is real, material, and growing.
As financial institutions strengthen operational resilience under DORA, they must also prepare for the growing threat of AI-powered cyberattacks, making it essential to understand what banks must know before the next AI-driven cybersecurity wave.

Navigate DORA with confidence: WhiteKnight helps financial firms build true operational resilience.