DORA Compliance Software for Financial Services
The Digital Operational Resilience Act is live. Banks, fintechs, payment firms, and crypto providers must demonstrate ICT resilience — or face fines up to €10M. ComplyOne maps your obligations and tracks your readiness.
The 5 Pillars of DORA
DORA structures its requirements into five interlocking areas. You need to demonstrate readiness across all of them.
ICT Risk Management
A documented framework for identifying, classifying, and mitigating ICT risks across your entire technology stack.
Incident Reporting
Major ICT-related incidents must be reported to your regulator within strict deadlines. Initial report: 4 hours. Intermediate: 72 hours. Final: 1 month.
Digital Resilience Testing
Annual basic testing for all entities. Threat-led penetration testing (TLPT) every 3 years for significant institutions.
Third-Party ICT Risk
Register all ICT providers, classify critical ones, conduct due diligence, and maintain exit strategies. Cloud providers included.
Information Sharing
Participation in cyber threat intelligence sharing arrangements — voluntary but strongly encouraged by regulators.
How ComplyOne helps
We turn these 5 pillars into a structured task list with progress tracking, templates, and an audit-ready evidence locker.
Does DORA Apply to You?
DORA applies if you are a regulated financial entity in the EU, including:
- Banks and credit institutions
- Payment institutions and e-money institutions
- Investment firms and fund managers
- Insurance and reinsurance companies
- Crypto-asset service providers (CASPs under MiCA)
- Crowdfunding platforms
- Credit rating agencies
- ICT third-party service providers designated as critical
Microenterprises (fewer than 10 employees, under €2M turnover) have lighter requirements — but are not fully exempt.
Penalties
€10M or 5% of global annual turnover: for regulated financial entities, plus potential supervisory measures.
€100K/day in recurring penalty payments: for critical ICT third-party providers failing to remedy violations.
How to Approach DORA Compliance: First Steps
DORA can feel complex. Most financial entities can reach a solid compliance baseline in 10–14 weeks using a structured approach.
Confirm you are in scope
DORA applies to all regulated financial entities in the EU — banks, payment firms, investment firms, crypto providers, insurers, and more. Microenterprises (under 10 employees, under €2M turnover) have simplified obligations but are not exempt.
Build your ICT risk framework
Document your ICT governance structure: who owns technology risk, how risk is assessed, and which controls are in place. DORA requires a formal ICT risk management framework approved by the management body.
Create your ICT asset and third-party register
List every system, application, and cloud/SaaS provider that supports your critical or important functions. For each, document the risk, contract terms, and — for critical providers — your exit strategy.
Set up incident classification and reporting
Establish which events qualify as 'major ICT incidents' under DORA's classification criteria, and build the internal process for the 4-hour initial notification, 72-hour intermediate report, and 1-month final report.
Plan your digital resilience testing
All entities must conduct basic testing annually (vulnerability assessments, scenario-based tests). Significant institutions must conduct Threat-Led Penetration Testing (TLPT) every three years with accredited testers.
Know your DORA gap in 5 minutes
Free compliance check. No credit card. See your ICT risk posture before your regulator does.
DORA FAQ
Who does DORA apply to?
DORA applies to a wide range of financial entities regulated in the EU: banks, insurance companies, investment firms, payment institutions, e-money institutions, crypto-asset service providers (CASPs), crowdfunding platforms, and more. It also directly applies to ICT third-party providers that are critical to these entities.
When did DORA take effect?
DORA became fully applicable on January 17, 2025. There are no grace periods — financial entities were expected to be compliant from that date. Supervisory authorities are now actively assessing compliance.
What are the penalties for DORA non-compliance?
Financial entities can face fines up to €10 million or 5% of total annual worldwide turnover, whichever is higher. Critical ICT third-party providers face up to €5 million or 1% of average daily global turnover — and recurring penalty payments of up to €100,000 per day.
What's the difference between DORA and NIS2?
NIS2 is a general cybersecurity directive covering many sectors. DORA is sector-specific to financial services and goes much deeper on ICT operational resilience — including digital testing requirements (TLPT), detailed incident classification, and oversight of critical third-party ICT providers.
We use several cloud providers and SaaS tools. What does DORA require?
DORA requires you to maintain a register of all ICT third-party dependencies, conduct risk assessments of critical providers, ensure exit strategies exist, and — for critical providers — participate in the EU's direct oversight framework. ComplyOne structures all of this into an auditable register.
What does DORA require for third-party ICT provider contracts?
DORA mandates specific contractual provisions with ICT third-party providers — including audit rights, agreed service levels, incident notification obligations, termination rights, and sub-contracting controls. For critical or important functions, contracts must also include provisions for business continuity and exit strategies. Existing contracts signed before January 2025 must be remediated during renewal.
How does DORA's incident reporting interact with GDPR?
The timelines run in parallel: DORA requires initial notification of a major ICT incident to your financial regulator within 4 hours. GDPR requires notification of a personal data breach to your data protection authority within 72 hours. If an incident involves both ICT disruption and personal data exposure, both timelines apply simultaneously — often requiring different reports to different regulators on different deadlines. ComplyOne tracks both in a single incident workflow.