How-to guide: DORA requirements for financial entities and ICT third-party service providers (EU)

Updated as of: 28 April 2025

Introduction

This guide outlines the main compliance obligations under the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA). It sets out the key requirements for financial entities and for information and communication technology (ICT) third-party service providers (which, depending on their categorisation, may be either directly or indirectly affected). It is designed to assist legal and compliance teams, in-house counsel and private practitioners.

This guide covers:

  1. Essentials of DORA compliance
  2. The five pillars of DORA
  3. Oversight framework for critical ICT third-party service providers

This guide can be used in conjunction with the following Quick views: Understanding the application and scope of DORA and DORA compliance – regulatory requirements, technical standards and guidelines.

Section 1 – Essentials of DORA compliance

DORA aims to strengthen the IT security of EU financial entities by standardising and harmonising the rules on digital operational resilience. The new system ensures that firms implement robust risk management frameworks to remain resilient amid constantly emerging and evolving IT risks. DORA applies to a wide range of financial entities including banks, investment firms and crypto-asset service providers.

1.1 Responsibility for compliance

The overall responsibility for implementing, and complying with, the requirements and arrangements related to the ICT risk management framework under DORA lies with the financial entity’s management body. Each pillar carries comprehensive requirements, which are explored in more detail in section 2 below.

Section 2 – The five pillars of DORA

DORA breaks digital operational resilience down into five key components – these are commonly referred to as the five pillars of DORA:

  • an organisation must have an ICT risk management framework (see section 2.1);
  • an organisation must have an ICT-related incident response process (see section 2.2);
  • digital operational resilience testing must be done regularly and is mandatory (see section 2.3);
  • third-party risks, including contractual arrangements with ICT third-party service providers must be mapped out (see section 2.4); and
  • information sharing of threat intelligence is permitted (see section 2.5).

2.1 Development of an ICT governance and risk management framework

The ICT risk management requirements emphasise the importance of financial entities managing and mitigating risks, ensuring they can withstand, respond to and recover from ICT disruptions. This increased preparedness to maintain digital operational resilience should enhance their overall resilience and stability.

2.1.1 Governance and risk management

Key area: Governance

Requirements:

Financial entities are required to have in place an internal governance and control framework that ensures an ‘effective and prudent’ management of ICT risk. This extends to the use of services offered by ICT third-party service providers.

Responsibility for defining, approving, overseeing and implementing all ICT risk management arrangements ultimately resides with the management body (often the board or senior management) of the financial entity (see article 5(2) DORA).

The management body must:

  • set and approve the digital operational resilience strategy, including determining the risk tolerance level;
  • set clear roles and responsibilities for all ICT-related functions and establish governance arrangements and reporting channels;
  • approve, oversee and periodically review policies on business continuity, response and recovery plans and third-party ICT service arrangements; and
  • approve and periodically review the financial entity’s ICT internal audit plans and ICT audits, including material changes to them.

Other than microenterprises, the management body must either establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services, or delegate that role to a senior manager, so as to allocate responsibility for the related risk exposure and documentation. A microenterprise is defined under article 3 DORA as a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.

DORA imposes specific training obligations to ensure senior managers are well equipped with sufficient knowledge and skills to manage ICT risks and stay updated on the latest threats and industry best practice. Training should be on a regular basis, commensurate with the ICT risk being managed.

Senior managers must approve sufficient budgets to support the implementation and ongoing maintenance of the ICT risk management framework (as referred to in article 6(1)), including relevant ICT security awareness programmes and digital operational resilience training (article 13(6)); these budgets should be reviewed periodically.

DORA reference: Chapter II, article 5.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

Key area: Risk management

Requirements:

Firms will be expected to have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system.

This framework should include, at the least, strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information and ICT assets, including computer software, hardware, servers, as well as physical infrastructures such as premises, data centres and sensitive designated areas.

DORA sets out prescriptive obligations with respect to risk management activities: financial entities should use and maintain updated ICT systems, protocols and tools as well as identify and document all ICT-supported business functions, roles and responsibilities, and the information assets and ICT assets supporting those functions.

Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of this control function to avoid conflicts of interest.

Firms must identify and document all sources of ICT risk and dependencies (identifying those that support critical or important functions), implement measures to protect ICT systems and assets from those risks, and detect unusual activities (eg, anomalies in ICT network performance or ICT-related incidents). Financial entities must maintain an inventory of these and update it periodically, or at any time there is a major change, as set out at article 8(3).

Firms must establish plans to manage communications with internal and external stakeholders, including clients and counterparties, as well as crisis communication plans.

Firms must continuously improve the framework based on lessons learned from external events and from the entity’s own ICT-related incidents; in most instances the framework must be reviewed at least annually.

Note that regulators can request information, so record-keeping and documentation should be carefully managed.

DORA reference: Chapter II, articles 6 to 16.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

2.2 ICT-related incident management, classification and reporting

Under DORA, financial entities must establish processes for incident management, classification and reporting. They are required to inform supervising regulators about major incidents within prescribed reporting time frames. The aim is to achieve a streamlined and integrated approach to incident management, and breaches of reporting obligations will be high on the regulatory agenda.

2.2.1 Incident management

Key area: Incident management

Requirements:

Financial entities must define, establish and implement a specific ICT-related incident management process to detect, manage and notify ICT-related incidents.

Specific requirements are outlined for reporting incidents related to payment services.

Financial entities should record all ICT-related incidents and significant cyber threats and establish appropriate processes to ensure root causes are identified and to prevent reoccurrence of the incident.

DORA includes provisions on ICT-related incident management processes, such as setting up early warning indicators, procedures for identifying and classifying ICT-related incidents, and assigning roles and responsibilities for different incident types and scenarios.

Financial entities must ensure that, at the least, major ICT-related incidents are reported to senior management and that the management body is kept informed.

DORA establishes an incident classification system for all ICT-related incidents based on their severity and impact, according to criteria outlined in DORA and further specified by the European Supervisory Authorities (commonly known as the ESAs, made up of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)).

DORA includes rules for the reporting of major ICT-related incidents and for the voluntary notification of significant cyber threats.

Reports of major ICT-related incidents and significant cyber threats should be made on standardised templates.

Financial entities must inform clients about major ICT-related incidents that significantly affect their financial interests. Notifications should be timely and include all relevant information about the incident and its resolution.

Reporting time frames (see article 19 DORA):

  • initial notification: as soon as possible and no later than four hours after classifying the ICT-related incident as major, but within 24 hours after detection of the incident;
  • intermediate report: due within 72 hours of the initial notification;
  • final report: due within one month from submission of the intermediate report.

DORA reference: Chapter III, articles 17 to 23.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

2.3 Digital operational resilience testing

All financial entities are required to establish a risk-based and proportionate operational resilience testing programme to assess their preparedness for dealing with ICT-related incidents.

2.3.1 Testing

Key area: Testing

Requirements:

Financial entities must establish, maintain and review a sound and comprehensive digital operational resilience testing programme, as part of the ICT risk management framework, to assess preparedness, ensure appropriate measures are in place, consider requirements, and identify weaknesses and gaps. Strategy and budget should be considered so that the digital operational resilience testing programme can be properly monitored. General requirements for the performance of digital operational resilience testing are outlined in article 24.

DORA sets out prescriptive requirements for:

  • regular resilience testing of ICT tools and systems that is proportionate and risk based (eg, vulnerability assessments, network security assessments and performance testing) must be conducted at least annually – see article 25. Tests must be undertaken by independent parties, whether internal or external (avoiding conflicts of interest where such testers are internal);
  • advanced testing of tools, systems and processes based on threat-led penetration testing (TLPT) for large financial entities (ie, systemic and ICT-mature) at least once every three years. Each test must cover testing resilience of critical or important functions (including those that have been outsourced or contracted to ICT third-party service providers) – see article 26.

To be authorised to carry out TLPT, testers must meet specific criteria: they must be reputable, possess the necessary qualifications and expertise, provide an independent assurance of risk management and be covered by professional indemnity insurance. Financial entities must use external testers to undertake TLPT at least once every three years. Specific criteria for using internal TLPT testers are set out at article 27(2).

Financial entities (and where applicable external testers) must report a summary of TLPT outcomes to their competent authorities (ie, national regulatory authority) along with corrective action plans and documentation evidencing TLPT undertaken.

DORA reference: Chapter IV, articles 24 to 27.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

2.4 Management of ICT third-party risk (including contractual arrangements with third-party ICT service providers)

DORA also addresses the risks involved when financial entities work with third-party ICT service providers. It requires these entities to manage third-party ICT risk as part of their overall ICT risk management framework. As a result, many in-scope financial entities have been working with their ICT providers to negotiate contractual changes to comply with DORA. Ultimately, it is the responsibility of the regulated financial entity to ensure compliance.

2.4.1 ICT third-party risk management

Key area: ICT third-party risk management

Requirements:

DORA creates new obligations for financial entities, including to:

  • adopt and review a strategy on ICT third-party risk to include a policy on the use of services supporting critical or important functions (ie, these include functions the disruption of which would materially impair the financial performance or the soundness or continuity of services and activities or impair the continued obligations of the financial entity) (see recital 70 DORA and toolkit prepared by the Financial Stability Board for enhancing third-party risk management and oversight, which provides guidance on how to identify services as critical);
  • evaluate and assess potential ICT concentration risk at entity level;
  • for new ICT service providers, conduct thorough due diligence pre-contract to assess risk profile and ability to meet necessary resilience standards;
  • assess benefits and risks of subcontracting. The European Commission adopted a draft delegated regulation on 24 March 2025 supplementing DORA regarding the regulatory technical standards when subcontracting ICT services. This specifies the elements that a financial entity must determine and assess when subcontracting ICT services supporting critical or important functions. See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines for more details;
  • DORA requires that the rights and obligations between financial entities and ICT third-party service providers must be set out in writing and made available to the parties on paper, or in a document with another downloadable, durable and accessible format – see article 30(1) DORA;
  • review existing contracts on a case-by-case basis to consider whether in-scope and contract amendments will be required to align the contract terms with the requirements of article 30 DORA;
  • include clear and comprehensive contractual clauses applicable to all ICT services – nine in total are detailed at article 30(2) DORA;
  • set out a clear description of all functions and ICT services provided by third parties, the conditions for subcontracting critical functions, provisions for data protection, service levels and termination rights;
  • specific (more onerous) contractual provisions apply at article 30(3) DORA where a financial entity enters into a contract with ICT third-party service providers supporting critical or important functions – for example, notice periods and reporting obligations, requirements for ICT third-party service providers to implement and test business contingency plans and to have ICT security measures in place, appropriate security standards, unrestricted access, inspection and audit rights, obligations to participate fully in TLPT, performance monitoring and exit strategies;
  • maintain a register of information, in standardised templates, covering their contractual arrangements with third-party ICT service providers. See the EBA page, which provides a set of resources to help financial entities prepare and submit the register;
    • the register of information will play a crucial role in the ICT third-party risk management framework and will be used by competent authorities and ESAs in the supervision of compliance and to designate critical ICT third-party service providers (see section 3);
    • financial entities are required to submit registers of information to competent authorities, who will then forward them to the ESAs. The deadline for the initial submission mandates that competent authorities report to the ESAs by 30 April 2025 – see here;
    • financial entities are required to provide the register to the competent authority upon request;
  • implement continuous monitoring of ICT third-party service arrangements to ensure compliance and deal with issues as they arise.

DORA reference: Chapter V, articles 28 to 44.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

2.5 Information sharing and intelligence

DORA permits financial entities to share and exchange information and intelligence about cyber threats, including indicators of compromise, tactics, techniques, procedures, cybersecurity alerts and configuration tools in a safe, secure and trusted way.

2.5.1 Collaboration on information and intelligence

Key area: Information and intelligence

Requirements:

Promotes and encourages collaboration and the exchange of cyber threat information and intelligence to raise awareness about cyber threats, stay informed, enhance detection and response capabilities and mitigate risks.

Types of information shared can include:

  • indicators of compromise such as unusual network traffic patterns;
  • tactics, techniques and procedures;
  • cybersecurity alerts; and
  • configuration tools used to configure systems securely.

Financial entities may voluntarily participate in exchanges of information concerning cyber threats within trusted communities, provided that the integrity of the shared data is protected and that confidentiality and data protection laws are adhered to, so that the information is used appropriately.

Financial entities must notify competent authorities of their participation in information sharing arrangements or of the cessation of their cooperation.

DORA reference: Chapter VI, article 45.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

Section 3 – Oversight framework for critical ICT third-party service providers

3.1 Strengthening oversight under DORA

DORA introduces additional requirements and an EU-level oversight framework for ICT third-party service providers deemed ‘critical to financial entities’. This assessment is undertaken by the ESAs and is explored below. For more detail on the definition of an ICT third-party service provider see Quick view: Understanding the application and scope of DORA.

These critical ICT third-party service providers are typically large-scale technology companies that supply ICT solutions to the financial services sector. By directly regulating these major providers, DORA aims to mitigate systemic risks within the financial sector, as failures in their services can have far-reaching consequences.

Who are critical third-party service providers?

DORA applies directly to third-party service providers designated as ‘critical’ by the ESAs. Although no designations have been made yet, DORA outlines a structured approach for categorising these providers.

This approach includes the assessment of several factors as outlined in article 31(2)(a)-(d) DORA including:

  • systemic impact and importance – the impact on the financial entities it serves if the service provider suffers an operational failure, and the importance of the EU financial entities that rely on the relevant ICT third-party service provider, assessed according to the number of global systemically important institutions (G-SIIs) or other systemically important institutions (O-SIIs);
  • reliance – the extent of entity reliance on provision of those services for critical or important functions; and
  • degree of substitutability – the ease with which the services and workstreams can be replaced by alternative providers.

Criticality is assessed following a two-step approach. Further detail on the indicators and methods to be used and minimum relevance thresholds is set out here.

ICT service providers may opt in to the oversight regime. The ESAs are advancing the implementation of this pan-European oversight framework with the objective of designating providers and starting the oversight engagement this year. To provide clarity to the market on preparatory activities, the designation process and the ESAs’ oversight approach, the ESAs plan to organise an online workshop with ICT third-party service providers in the second quarter of 2025 – see roadmap.

DORA reference: Chapter V, section II, articles 31 to 44.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

Fees

An annual oversight fee is charged to cover the costs of the Lead Overseer and EBA when performing oversight tasks. It should be proportionate to the turnover generated by the ICT service provider in the EU.

For details on the amount of oversight fees to be charged and the way in which those fees are paid, see Quick view: DORA compliance – regulatory requirements, technical standards and guidelines.

Oversight framework

DORA creates a new direct oversight framework on a pan-European scale for designated ICT third-party service providers. This is a first for EU financial services regulation, as these providers are not otherwise subject to financial regulatory supervision.

The oversight framework consists of the Oversight Forum (composed of various EU representatives including those from the ESAs, European Commission and member states).

A non-EU provider providing services to financial entities becomes subject to DORA and to direct financial regulatory supervision if designated as critical. If it is not already established in the EU, it must establish an EU subsidiary within 12 months of the critical designation, and it must notify all financial entities to which it provides services of that designation.

Once an ICT third-party service provider is designated as critical, one of the ESAs will be appointed as Lead Overseer and will be responsible for the supervision and oversight of that provider. The Lead Overseer ensures that critical ICT third-party service providers have strategies in place to manage the potential ICT risk to financial entities. The ESA appointed will be the one with the largest share of users of the services (eg, if banks are the main service users, the EBA will be appointed).

The Lead Overseer has extensive powers, including the ability to request information (such as governance arrangements or ICT audits) to assess compliance, to conduct on-site and off-site investigations and inspections into operations and practices, to issue recommendations, and to request reports confirming that the critical ICT third-party service provider has taken the actions or remedies called for by those recommendations.

The Lead Overseer can impose penalty payments to require compliance (up to 1% of the average daily global turnover of the ICT service provider in the preceding business year) in the event of non-compliance. In extreme cases, where necessary, contracts may be terminated or services suspended.

See Quick view: DORA compliance – regulatory requirements, technical standards and guidelines for more details on the designation assessment.

New contractual arrangements

Contracts between financial entities and critical ICT third-party service providers must now include prescribed contractual provisions.

DORA reference: see section 2.4 above.

Limited exemptions

Certain ICT third-party service providers are exempt from being designated as critical including:

  • intra-group ICT service providers (ie, they offer services within their own business group); and
  • service providers operating in one single EU member state to financial entities that are only active in that member state.

DORA reference: article 31(8) DORA.

Additional resources 

Related Lexology Pro content

Quick views:

Understanding the application and scope of DORA
DORA compliance – regulatory requirements, technical standards and guidelines
