
EU Digital Operational Resilience Act Scope and implementation hub

Use this hub to orient DORA work under Regulation (EU) 2022/2554. Start with Article 2 scope and exclusions, then route the entity to the right workstreams: ICT risk management, major ICT-related incident reporting, digital operational resilience testing, TLPT where identified by the competent authority, ICT third-party contracts, register-of-information maintenance, and critical provider oversight.

DORA applies from 17 January 2025 and is a financial-sector operational resilience regulation, not a general cybersecurity checklist. Obligations depend on the entity type, whether the simplified ICT risk management framework applies, the criticality of functions and ICT dependencies, national competent-authority expectations, and the applicable RTS and ITS.

Publication details
Author: Sorena AI
Published: Feb 23, 2026
Updated: May 26, 2026
DORA questions this hub helps resolve
Who is in scope
Check whether the organization is a DORA financial entity, an excluded entity, or an ICT third-party service provider that may be relevant through contracts or critical-provider oversight.
Which workstream owns the issue
Separate governance and ICT risk management from incident reporting, resilience testing, TLPT, third-party risk, register-of-information reporting, and oversight of designated critical ICT providers.
What evidence should exist
Connect policies, asset and function inventories, incident records, testing results, TLPT attestations, contract clauses, exit plans, LEI/EUID provider identifiers, and register templates to the same operational resilience file.
Quick scan
Scope and proportionality
DORA covers the financial entities listed in Article 2(1), such as credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, central counterparties, trading venues, insurers, IORPs, credit rating agencies, crowdfunding providers and securitisation repositories, together with the ICT third-party service providers that serve them. Article 2 also excludes some entity types, and the proportionality principle in Article 4 shapes how Chapters II, III, IV, and V are applied.
Operational resilience duties
The core program is not one control. It combines management-body governance, a documented ICT risk management framework, identification of ICT-supported functions and assets, incident management and reporting, testing, communication, learning, and continuous improvement.
Third-party and register work
Financial entities must manage ICT third-party risk as part of ICT risk, maintain a register of information for ICT service contracts, distinguish critical or important functions, assess concentration and subcontracting risk, and keep exit strategies for ICT services supporting critical or important functions.
Use the topic guides to move from scope classification to concrete work: controls, incident templates, TLPT readiness, provider registers, contract clauses, oversight implications, and retained evidence.
Key facts: Regulation (EU) 2022/2554; applies from 17 January 2025; Article 28 governs ICT third-party risk and the register of information; TLPT sits within the testing chapter. Topics: ICT risk framework, incident reporting, register of information.
DORA Timeline

Key dates for DORA implementation

Track DORA publication, entry into force, the 17 January 2025 application date, Level 2 technical standards, register-of-information templates, incident reporting forms, TLPT criteria, and critical ICT third-party provider oversight milestones.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. DORA Critical or Important Functions: mapping ICT dependencies and evidence
   How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.

2. DORA deadlines and compliance calendar for financial entities
   Calendar the documented DORA dates and recurring evidence: the 17 January 2025 application date, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.

3. DORA ICT Third-Party Contract Remediation Workflow
   A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.

4. DORA ICT third-party risk and contract clauses guide
   Source-grounded DORA guide for financial entities in scope: ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.

5. DORA incident classification forms: criteria, fields, and reporting clocks
   Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.

6. DORA incident clock workflow: classification, reports, deadlines, and evidence
   Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving evidence of what was sent to the authority.

7. DORA major ICT incident reporting: classification, reports, and timing
   Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.

8. DORA Register of Information Import and Build Workflow
   Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.

9. DORA Register of Information Template: ICT Provider Fields and Evidence
   A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.

10. DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
    Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.

11. DORA vs ISO 22301: ICT resilience and business continuity compared
    Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.

12. DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
    Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.

13. DORA vs NIS2: financial-sector obligations, overlap, and evidence
    Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.

14. DORA vs PSD2 incident reporting: major ICT and payment incidents
    Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.

15. EU DORA Applicability Test for Financial Entities and ICT Providers
    A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.

16. EU DORA Compliance Checklist for Financial Entities
    A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.

17. EU DORA Compliance Obligations and Evidence Guide
    A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.

18. EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
    Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.

19. EU DORA ICT risk management control baseline
    A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.

20. EU DORA ICT subcontracting chain controls for critical functions
    DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.

21. EU DORA penalties and fines: enforcement powers and limits
    Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.

22. EU DORA Register of Information Data Model: templates, fields, and evidence
    Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.

23. EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
    A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.

24. EU DORA Scope and Covered Entities: financial entities and ICT providers
    Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.

25. EU DORA Scope and Proportionality Workflow
    Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.

26. EU DORA testing and TLPT readiness guide
    A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding testing cadences the regulation does not set.

27. EU DORA TLPT eligibility workflow for financial entities
    Check how competent authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.

28. EU DORA TLPT Runbook: scope, providers, reports, and remediation
    Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.

29. How to build a DORA register of information
    Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.
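Several of the register guides above (the import/build workflow and the "how to build" guide) mention validation and export checks on provider identifiers. The following is an added example written for this hub; it is not code from the page, from Sorena, or from any official ESA template tooling. It assumes only the public ISO 17442 LEI format (20 alphanumeric characters, the last two being ISO 7064 MOD 97-10 check digits, the same scheme IBANs use) and uses illustrative row field names rather than the official B_0x template column codes. The sample prefix and rows are constructed, not real providers. EUID identifiers are not covered.

```python
"""Structural checks for LEI identifiers in a register-of-information extract.

Added example for this hub, not code from the page, from Sorena, or from any
official ESA template tooling. It assumes only the ISO 17442 LEI format: 20
alphanumeric characters whose last two are ISO 7064 MOD 97-10 check digits
(the same scheme IBANs use). Row field names below are illustrative, not the
official B_0x template column codes.
"""
from __future__ import annotations

import re

LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def _to_numeric(s: str) -> str:
    # ISO 7064 MOD 97-10 mapping: digits stay as they are, A..Z become 10..35.
    return "".join(str(int(c, 36)) for c in s)


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix."""
    prefix18 = prefix18.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be exactly 18 alphanumeric characters")
    remainder = int(_to_numeric(prefix18 + "00")) % 97
    return f"{98 - remainder:02d}"


def is_valid_lei(lei: str) -> bool:
    """True when the string has LEI shape and its MOD 97-10 residue is 1.

    A pass means the identifier is well formed, not that it is issued,
    active, or belongs to the named provider; that needs a GLEIF lookup.
    """
    lei = lei.strip().upper()
    if not LEI_RE.fullmatch(lei):
        return False
    return int(_to_numeric(lei)) % 97 == 1


def check_register_row(row: dict) -> list[str]:
    """Return findings for one row; an empty list means no structural issue."""
    findings: list[str] = []
    if not is_valid_lei(row.get("provider_lei", "")):
        findings.append("provider_lei: malformed or failing check digits")
    # Exit strategies are required for ICT services supporting critical or
    # important functions (Article 28(8)); flag rows that claim such support
    # without a referenced exit plan.
    if row.get("supports_critical_function") and not row.get("exit_plan_ref"):
        findings.append("exit_plan_ref: missing for a critical or important function")
    start, end = row.get("contract_start", ""), row.get("contract_end", "")
    if start and end and end < start:  # ISO dates compare lexically
        findings.append("contract_end: earlier than contract_start")
    return findings


def audit_register(rows: list[dict]) -> dict[int, list[str]]:
    """Map row index to its findings for every row in the extract."""
    return {i: check_register_row(r) for i, r in enumerate(rows)}


# Constructed sample data: the LEI prefix is made up, and its check digits are
# computed here so the first row is structurally valid by construction.
SAMPLE_PREFIX = "529900EXAMPLEREG12"
VALID_LEI = SAMPLE_PREFIX + lei_check_digits(SAMPLE_PREFIX)
# Changing one digit always changes the MOD 97 residue, so this one must fail.
BAD_LEI = VALID_LEI[:16] + "3" + VALID_LEI[17:]

SAMPLE_ROWS = [
    {"provider_name": "Example Cloud SE", "provider_lei": VALID_LEI,
     "supports_critical_function": True, "exit_plan_ref": "EXIT-0001",
     "contract_start": "2024-06-01", "contract_end": "2027-05-31"},
    {"provider_name": "Example Hosting BV", "provider_lei": BAD_LEI,
     "supports_critical_function": True, "exit_plan_ref": "",
     "contract_start": "2025-01-01", "contract_end": "2024-12-31"},
]

if __name__ == "__main__":
    for idx, findings in audit_register(SAMPLE_ROWS).items():
        print(idx, SAMPLE_ROWS[idx]["provider_name"], findings or "ok")
```

Run this over an exported register before submission to catch transcription errors in provider LEIs and rows that claim support for a critical or important function without a referenced exit plan. A check-digit pass only proves the string is well formed; whether the LEI is issued, active and actually belongs to the contracted provider still has to be confirmed against GLEIF data, and the official template validations remain authoritative.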
Next step

Turn DORA scope into owned operational resilience work

Use this hub as the shared entry point for legal, risk, technology, security, procurement, incident response, and resilience-testing teams. Confirm the entity and function boundary first, then assign each DORA workstream to the right owner and evidence record.

What this unlocks
  • Start with one legal entity, financial-service activity, critical or important function, ICT-supported process, incident pathway, or ICT service contract.
  • Use Assessment Autopilot to request the ICT risk framework, function and asset inventories, business continuity and response plans, incident classification records, testing evidence, TLPT documentation where applicable, third-party due diligence, contract clauses, exit plans, and register-of-information data.
  • Use Research Copilot for cited questions about Article 2 scope, simplified ICT risk management, major ICT-related incident reporting, TLPT identification, register templates, subcontracting, and critical ICT third-party provider oversight.
  • Keep interpretation questions separate from implementation tasks so teams do not treat an unconfirmed entity classification, incident threshold, provider status, or reporting route as a settled obligation.