DORA is not just an ICT vendor rule. It is the European Union's financial-sector digital operational resilience regulation. It asks financial entities to show that they can manage ICT risk, report serious ICT incidents, test resilience, control ICT third-party dependencies, and keep enough records for supervisors to understand the dependency picture.
Official sources
- Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
- EIOPA Digital Operational Resilience Act (DORA) page
EIOPA describes DORA as an EU regulation introduced to strengthen the digital resilience of financial entities. It entered into application on 17 January 2025 and is designed so banks, insurers, investment firms, and other financial entities can withstand, respond to, and recover from ICT disruptions such as cyberattacks or system failures.
What DORA is trying to do
DORA harmonizes digital operational resilience requirements across the EU financial sector. Before DORA, ICT risk expectations were spread across national rules, supervisory guidance, outsourcing guidelines, and sector-specific requirements. DORA creates a common structure for ICT risk management, incident reporting, resilience testing, ICT third-party risk, and oversight of critical ICT third-party providers.
The practical idea is simple but demanding: a financial entity should not discover its most important ICT dependencies during a disruption. It should already know which systems support which business processes, which ICT providers support them, which services are critical or important, which subcontractors and locations matter, what contractual protections exist, and what evidence shows the arrangements are monitored.
Who needs to care
DORA applies to financial entities within the scope of Regulation (EU) 2022/2554. That includes a wide financial-sector perimeter, but exact applicability should be checked against the regulation and any national competent authority materials. The teams most affected are technology risk, cyber security, resilience, third-party risk, procurement, legal, compliance, operations, and business service owners.
ICT third-party service providers also need to understand DORA because financial entities will ask for stronger contract terms, incident support, subcontractor transparency, resilience evidence, and information needed for the register of information. Providers designated as critical ICT third-party providers can also become subject to direct EU oversight.
What DORA requires in plain English
DORA is organized around several operating duties:
- ICT risk management: financial entities need a framework for identifying, protecting, detecting,
responding to, recovering from, and learning from ICT risk.
- ICT-related incident reporting: serious ICT incidents must be classified, escalated, recorded, and
reported where DORA's criteria and reporting rules apply.
- Digital operational resilience testing: entities must test ICT tools, systems, processes, and
controls; some entities are subject to advanced threat-led penetration testing.
- ICT third-party risk management: entities must govern ICT providers through due diligence,
contracts, monitoring, concentration analysis, exit strategies, and ongoing risk management.
- Register of information: entities must maintain information about contractual arrangements with
ICT third-party service providers.
- Oversight of critical ICT third-party providers: DORA creates a framework for EU-level oversight
of providers that are designated as critical to the financial sector.
What this means for implementation
The hardest part of DORA is not writing a policy. It is joining data that often lives in separate places. The business service map may live with resilience teams. Applications may live in a CMDB. Cloud services may be known to architecture. Contracts may be in procurement. Subprocessors may be tracked by privacy. Incidents may sit in security tooling. DORA pushes those records together.
An implementation program should answer these questions:
- Which ICT services support critical or important functions?
- Which legal entities and business services depend on each ICT arrangement?
- Which provider, subcontractor, country, data, system, and contract records support the register of
information?
- Which arrangements create concentration risk or hard-to-exit dependency?
- Which contracts contain the required rights and operational commitments?
- Which incidents, outages, vulnerabilities, provider changes, or subcontractor changes should
trigger reassessment?
- Which exit strategies are realistic enough to use during stress?
Evidence teams should maintain
- ICT risk management policy, control framework, and governance records.
- System, application, data, business service, and ICT provider inventories.
- Register of information records for ICT third-party arrangements.
- Critical or important function mapping and dependency analysis.
- ICT provider due diligence, contract review, and approval evidence.
- Contract terms covering service description, locations, security, access, audit, incident support,
subcontracting, termination, and exit.
- Incident classification, reporting analysis, regulatory communications, and post-incident review.
- Resilience testing, penetration testing where applicable, remediation, and management reporting.
- Concentration analysis and exit strategy evidence.
Common gaps
- The ICT register is treated as a spreadsheet exercise instead of being connected to real systems,
services, contracts, and providers.
- Critical or important functions are identified, but the supporting subcontractor chain is thin or
outdated.
- Contracts are reviewed once, while provider incidents, trust-center updates, outages, and
subcontractor changes are not brought back into the risk record.
- Exit strategies state that the firm can move providers but do not explain data migration,
replacement service, operational continuity, and timing.
- Incident teams can respond technically but cannot easily reconstruct the evidence needed for DORA
incident classification and reporting.
How Halbarad helps
Halbarad helps DORA teams connect the regulation's operating records. A DORA program needs more than a vendor list; it needs a living view of ICT providers, services, systems, data, business owners, critical or important functions, contracts, subcontractors, incidents, monitoring signals, issues, and exit posture.
Halbarad can help teams:
- build ICT third-party records aligned to DORA's register-of-information needs;
- map providers and downstream parties to services, systems, data, owners, and functions;
- use Spark Assessment to start provider review from public evidence, attestations, incident
history, and trust-center material;
- use Nth-Party Discovery to expose subcontractors, fourth parties, fifth parties, and concentration
exposure;
- use Continuous Monitoring to watch outages, advisories, trust-center changes, provider posture
changes, and material-change signals;
- route evidence requests, approvals, residual risk decisions, issues, remediation, and reporting
through Governance workflows.
Halbarad helps operationalize, document, monitor, and evidence the work. It does not replace official regulation, legal advice, or institution-specific compliance judgment.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.