DORA Implementation Timeline
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered full enforcement on January 17, 2025. Over 22,000 financial entities across the EU must now demonstrate compliance with five pillars of digital operational resilience.
The Five Pillars of DORA
DORA rests on five interconnected pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. Each pillar has specific requirements and timelines.
| Pillar | Key Requirement | Timeline | Scope |
|---|---|---|---|
| ICT Risk Management | Comprehensive framework | Continuous | All entities |
| Incident Reporting | 4-hour initial notification | Per incident | Major ICT incidents |
| Resilience Testing | TLPT every 3 years | Periodic | Significant institutions |
| Third-Party Risk | Contract register + clauses | Ongoing | ICT vendors |
| Information Sharing | Threat intelligence | Voluntary | All entities |
DORA Five Pillars Overview
DORA applies to non-EU ICT companies providing critical services to EU financial institutions. EU regulators can directly oversee and fine Critical ICT Third-Party Providers regardless of headquarters location.
Incident Reporting Regime
DORA establishes a harmonized, time-bound incident reporting regime. A major ICT incident requires an initial notification within 4 hours of its classification as major, an intermediate report within 72 hours, and a final root-cause report within one month.
Threat-Led Penetration Testing (TLPT)
Significant financial institutions must conduct Threat-Led Penetration Testing at least every three years. TLPT uses certified testers on production systems, with 6-9 month lead times required to secure qualified testing providers.
- TLPT required for significant institutions every 3 years
- Testing must use certified providers on production systems
- 6-9 month lead time to secure qualified TLPT testers
- Results must be shared with competent authorities
- Remediation plans required for identified vulnerabilities
- Smaller institutions may use simplified testing approaches
Third-Party ICT Risk Management
Financial entities must maintain a complete register of ICT contracts. Critical vendor contracts must include audit rights, exit strategies, performance benchmarks, and regulator audit access provisions.
ICT Risk Management Framework
DORA requires a comprehensive, living ICT risk management framework with continuous asset identification, threat classification, and board-level accountability. ICT risk is elevated to a standalone discipline separate from general operational risk.
| Component | Requirement | Frequency |
|---|---|---|
| Asset Inventory | Complete ICT asset register | Continuous |
| Risk Assessment | Threat identification + classification | Annual |
| Security Policy | Board-approved framework | Annual review |
| Access Control | Privileged access management | Continuous |
| Monitoring | Centralized logging + anomaly detection | Real-time |
ICT Risk Management Framework Components
Technology vendors are now regulated entities with their own DORA obligations, not just contractors. Cloud providers, data analytics firms, and core banking software vendors face direct regulatory oversight.
Compliance Readiness Gap
Fewer than half of EU financial institutions considered themselves substantially compliant by the January 2025 enforcement deadline. The primary bottlenecks are the complexity of third-party mapping and the long lead times of TLPT scheduling.
Smaller institutions face lighter obligations under DORA's simplified ICT risk management framework. Baseline requirements apply to all entities, but testing and documentation scale with institutional size and complexity.