---
title: "EU DORA Compliance Hub"
canonical_url: "https://www.sorena.io/artifacts/eu-dora"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act"
author: "Sorena AI"
description: "A practical EU DORA compliance hub for Regulation (EU) 2022/2554: confirm scope and proportionality, then implement ICT risk management controls."
published_at: "2026-02-23"
updated_at: "2026-02-23"
keywords:
  - "EU DORA compliance"
  - "DORA compliance"
  - "Digital Operational Resilience Act"
  - "Regulation (EU) 2022/2554"
  - "DORA checklist"
  - "DORA requirements"
  - "ICT risk management DORA"
  - "major ICT incident reporting DORA"
  - "DORA incident reporting templates"
  - "TLPT DORA"
  - "threat-led penetration testing DORA"
  - "ICT third-party risk DORA"
  - "DORA contract clauses"
  - "DORA register of information"
  - "critical ICT third-party provider DORA"
  - "DORA"
  - "Operational resilience"
  - "Financial sector"
  - "Compliance"
  - "ICT risk"
---

# EU DORA Compliance Hub

A practical EU DORA compliance hub for Regulation (EU) 2022/2554: confirm scope and proportionality, then implement ICT risk management controls.

![EU DORA artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-dora-timeline-small.jpg?v=cheatsheets%2Fprod)


## EU Digital Operational Resilience Act Decision Flow + Timeline

Use the decision flow to confirm DORA scope and proportionality, then turn requirements into an execution plan: ICT risk management controls, major incident reporting, resilience testing and TLPT, and third-party risk contracts plus register of information.

This is a practical implementation hub, not legal advice. Your obligations depend on entity type, national supervision, how critical or important functions and ICT dependencies are assessed under DORA, and whether current RTS and ITS for reporting, register templates, TLPT identification, and subcontracting already apply.

[Start with the DORA checklist](/artifacts/eu/dora/checklist.md)

## What you can decide faster

- **Scope**: Check Article 2 coverage and exclusions.
- **Track**: Choose the right path: financial entity, ICT provider, or CTPP.
- **Workstreams**: Plan ICT risk, incident reporting, testing, and third party controls.

By Sorena AI | Updated Mar 2026 | No signup required

### Quick scan


- **Applicability**: Confirm your scope and exclusions.
- **Obligations**: Translate requirements into controls.
- **Evidence**: Plan owners, artifacts, reporting templates, and review cadence.

Use the decision flow for scope and track decisions, then use topic guides to ship controls and evidence.

| Value | Metric |
| --- | --- |
| 2022 | Regulation |
| EU | Market |
| ICT | Focus |
| Resilience | Outcome |

**Key highlights:** Incident reporting | Register of information | TLPT readiness

## Topic Guides

- [DORA Applicability Test | Is EU DORA Applicable to Your Entity?](/artifacts/eu/digital-operational-resilience-act/applicability-test.md): A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
- [DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk](/artifacts/eu/digital-operational-resilience-act/faq.md): High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
- [DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774](/artifacts/eu/digital-operational-resilience-act/ict-risk-management-control-baseline.md): A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
- [DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532](/artifacts/eu/digital-operational-resilience-act/third-party-risk-and-contract-clauses.md): A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
- [DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301](/artifacts/eu/digital-operational-resilience-act/major-incident-reporting.md): A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
- [DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments](/artifacts/eu/digital-operational-resilience-act/penalties-and-fines.md): A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
- [DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956](/artifacts/eu/digital-operational-resilience-act/register-of-information-how-to-build.md): Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
- [DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)](/artifacts/eu/digital-operational-resilience-act/dora-register-of-information-template.md): A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
- [DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide](/artifacts/eu/digital-operational-resilience-act/testing-and-tlpt-readiness.md): A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
- [DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-27001.md): A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
- [DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities](/artifacts/eu/digital-operational-resilience-act/dora-vs-nis2.md): A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
- [EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)](/artifacts/eu/digital-operational-resilience-act/checklist.md): An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
- [EU DORA Compliance Guide | DORA Implementation Playbook](/artifacts/eu/digital-operational-resilience-act/compliance.md): A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
- [EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence](/artifacts/eu/digital-operational-resilience-act/deadlines-and-compliance-calendar.md): A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.
- [EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)](/artifacts/eu/digital-operational-resilience-act/requirements.md): A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
- [EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)](/artifacts/eu/digital-operational-resilience-act/scope-and-covered-entities.md): A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.

## Key dates for operational resilience planning


Track DORA milestones that affect application timing, Level 2 deliverables, and operational implementation across risk, security, testing and vendor management.

## How does DORA apply to your entity?

Use the decision flow to map scope, proportionality and simplified frameworks, incident reporting expectations, testing/TLPT approach, and ICT third-party risk controls.


## Turn EU Digital Operational Resilience Act Decision Flow + Timeline into an operational assessment workflow

EU Digital Operational Resilience Act Decision Flow + Timeline should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis.

- Start from EU Digital Operational Resilience Act Decision Flow + Timeline and route the work by entity, product, team, or control owner.
- Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
- Use SSOT to keep documents, evidence, and control records in one governed system.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.

- [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints for EU Digital Operational Resilience Act Decision Flow + Timeline.
- [Open SSOT](/solutions/ssot.md): Keep documents, evidence, and control records in one governed system from the same artifact.
- [Talk through EU Digital Operational Resilience Act Decision Flow + Timeline](/contact.md): Review your current process, evidence model, and next steps for EU Digital Operational Resilience Act Decision Flow + Timeline.

## Decision Steps

### STEP 1: Are you one of the entity types listed in DORA Article 2(1)?

*Reference: Art. 2(1)*

- This is the core personal scope test for DORA.
- If yes: check exclusions (Art. 2(3)) and any optional Member State exclusion (Art. 2(4)).

- **NO** Out of Scope
- **YES** Does an Article 2(3) exclusion apply to you?

### STEP 2: Does an Article 2(3) exclusion apply to you?

*Reference: Art. 2(3)*

- If yes, DORA does not apply to you.
- If no, continue to check the Member State optional exclusion (Art. 2(4)) and whether you are a financial entity or an ICT third-party service provider.

- **YES** Out of Scope
- **NO** Has your Member State excluded your entity type under Article 2(4)?

### STEP 3: Has your Member State excluded your entity type under Article 2(4)?

*Reference: Art. 2(4)*

- Member States may exclude certain CRD-exempt entities located in their territory (Art. 2(4)).
- If unsure: verify with your national competent authority (and any published Member State notification under Art. 2(4)).
- If you are not an entity referred to in CRD Art. 2(5)(4)-(23), answer 'No' and continue.

- **YES** Out of Scope (Member State Exclusion)
- **NO** Which DORA track applies?

### STEP 4: Which DORA track applies?

- Financial entity track (Art. 2(1)(a)-(t); defined in Art. 2(2)).
- ICT third-party service provider track (Art. 2(1)(u)).
- If you are both (e.g., a regulated financial entity that also provides ICT services), follow the financial entity track first and also review the ICT provider track.

- **NEXT** Are you a 'financial entity' as defined in DORA?

### STEP 5: Are you a 'financial entity' as defined in DORA?

*Reference: Art. 2(1)(a)-(t) & Art. 2(2)*

- If yes: follow the financial entity compliance track (Chapters II-V).
- If no: you may still be in scope as an ICT third-party service provider (Art. 2(1)(u)).

- **YES** Financial entity is within DORA scope
- **NO** Are you an ICT third-party service provider under Art. 2(1)(u)?

### ICT TRACK: Are you an ICT third-party service provider under Art. 2(1)(u)?

*Reference: Art. 2(1)(u) & Art. 3(19)-(21)*

- 'ICT third-party service provider' = an undertaking providing ICT services (Art. 3(19)).
- 'ICT services' = digital and data services provided through ICT systems on an ongoing basis (includes hardware as a service / support via updates; excludes traditional analogue telephone services) (Art. 3(21)).
- DORA also defines an 'ICT intra-group service provider' as an undertaking in a financial group providing predominantly ICT services within the group (Art. 3(20)).

- **YES** Have you been designated as a critical ICT third-party service provider (CTPP)?
- **NO** Out of Scope

### IN SCOPE: Financial entity is within DORA scope

*Reference: Art. 2(1)-(2)*

- Implement ICT risk management (Chapter II), incident management and reporting (Chapter III), resilience testing (Chapter IV), and ICT third-party risk management (Chapter V).
- Apply proportionality across Chapters II-V as required by Art. 4.

- **NEXT** Do you qualify for the simplified ICT risk management framework?

### STEP 6: Do you qualify for the simplified ICT risk management framework?

*Reference: Art. 16(1)*

- If yes: Articles 5 to 15 do not apply, but you must meet the Art. 16 minimum requirements.
- Art. 16(1) covers (among others): small and non-interconnected investment firms; payment institutions exempted under PSD2; electronic money institutions exempted under EMD2; small IORPs; and certain CRD-exempt institutions depending on whether the Member State used Art. 2(4).

- **YES** DORA Applies (Simplified ICT Risk Framework)
- **NO** Are you a microenterprise (as defined in DORA)?

### STEP 7: Are you a microenterprise (as defined in DORA)?

*Reference: Art. 3(60)*

- Microenterprise = financial entity (excluding trading venues, CCPs, TRs, and CSDs) with fewer than 10 persons and <= EUR 2M annual turnover and/or balance sheet total.
- Microenterprises are in scope, but several requirements apply only to financial entities other than microenterprises (e.g., crisis management function; some audit/testing formalities; TLPT).

- **YES** DORA Applies (Microenterprise)
- **NO** Are you required to perform threat-led penetration testing (TLPT)?

### STEP 8: Are you required to perform threat-led penetration testing (TLPT)?

*Reference: Art. 26(1) & 26(8)*

- TLPT applies to certain non-microenterprise financial entities that are not covered by Art. 16(1) and are identified by the competent authority.
- The criteria used for identifying financial entities required to perform TLPT are further specified by TLPT RTS adopted as delegated acts (e.g., Delegated Reg. (EU) 2025/1190).
- If yes: plan for TLPT at least every 3 years and align scope to critical or important functions (and live production systems).

- **YES** DORA Applies (Full Framework + TLPT)
- **NO** DORA Applies (Full ICT Risk Framework)

### ICT TRACK: Have you been designated as a critical ICT third-party service provider (CTPP)?

*Reference: Art. 31*

- Designation is under Art. 31 and criteria are further specified by delegated acts (e.g., Delegated Reg. (EU) 2024/1502).
- CTPP designation does not apply to certain categories (Art. 31(8)), including: financial entities providing ICT services to other financial entities; ICT third-party service providers subject to oversight frameworks supporting tasks referred to in TFEU Art. 127(2); ICT intra-group service providers; and ICT providers serving only one Member State to financial entities only active in that Member State.
- The ESAs establish, publish and update yearly the Union list of critical ICT third-party service providers (Art. 31(9)).
- If yes: DORA oversight framework applies; oversight fees may apply (Chapter V, Section II; Delegated Reg. (EU) 2024/1505).
- If no/unsure: DORA still affects you through contractual requirements imposed on financial entities (Art. 30) and you may be included in customers' TLPT scope (Arts. 26-27).

- **YES** CTPP Oversight Applies
- **NO** Not Designated as CTPP

## Reference Information

### Entities In Scope (Overview)

- Financial entities (Art. 2(1)(a)-(t)) include: banks, investment firms, (e-)money/payment institutions and AISPs, insurers and intermediaries, fund managers/UCITS managers, market infrastructures (CCPs/CSDs/trading venues/TRs), data reporting service providers, CRAs, critical benchmark administrators, crowdfunding providers, securitisation repositories, crypto-asset service providers and issuers of asset-referenced tokens.
- ICT third-party service providers are also in scope as a category (Art. 2(1)(u)).
- 'Financial entities' is a defined umbrella term for Art. 2(1)(a)-(t) only (Art. 2(2)).

### Key Exclusions

- Art. 2(3) exclusions include (among others): certain AIFMs under AIFMD Art. 3(2); small insurers under Solvency II Art. 4; IORPs with pension schemes totalling <= 15 members; persons exempt under MiFID II Arts. 2 and 3; insurance/reinsurance/ancillary intermediaries that are microenterprises or SMEs; post office giro institutions (CRD Art. 2(5)(3)).
- Art. 2(4) optional exclusion: Member States may exclude certain entities listed in CRD Art. 2(5)(4)-(23) located in their territory (and must inform the Commission).

### Proportionality Principle

- Implement Chapter II (ICT risk management) in accordance with proportionality (Art. 4(1)).
- Apply proportionality to Chapters III-V, Section I (incident reporting, testing, third-party risk) as specifically provided (Art. 4(2)).
- Competent authorities consider proportionality when reviewing framework reports (Art. 4(3)).

### Penalties & Publication

- Member States must lay down rules establishing administrative penalties and remedial measures for breaches; competent authorities must have supervisory, investigatory and sanctioning powers (Art. 50).
- Member States notify the laws, regulations and administrative provisions implementing the administrative penalties chapter (including any relevant criminal law provisions) to the Commission and the ESAs by 17 January 2025, and notify amendments without undue delay (Art. 53).
- Competent authorities publish final administrative penalty decisions on their official websites, including breach details and responsible persons, subject to proportionality and other safeguards (Art. 54).
- Publication may be deferred, anonymised, or withheld in specific cases (Art. 54(3)).

### Governance & Management Body

- Have an internal governance and control framework for effective and prudent ICT risk management (Art. 5(1)).
- Management body defines, approves, oversees, and is responsible for ICT risk framework implementation (Art. 5(2)).
- Management body responsibilities include: risk ownership; data availability/authenticity/integrity/confidentiality policies; roles/responsibilities; approving resilience strategy and risk tolerance; approving business continuity and response/recovery; approving ICT audit plans; budgeting for resilience and training; and approving ICT third-party arrangements policy (Art. 5(2)).

### ICT Risk Management (Core Components)

- Other than microenterprises: assign ICT risk management and oversight responsibility to a control function with an appropriate level of independence; ensure segregation between ICT risk management, control and internal audit functions (Art. 6(4)).
- Document and maintain an ICT risk management framework (Art. 6), including a digital operational resilience strategy (Art. 6(8)).
- Maintain updated ICT systems, protocols and tools (Art. 7).
- Security, detection, response and recovery controls (Arts. 8-12) including business continuity and response/recovery plans (Art. 11).
- Training and awareness programmes as part of staff training (Art. 13(6)).
- Communication strategy and client communications when disclosure is required (Art. 14; see also Art. 19(3)).
- Regular review and audit expectations for non-microenterprises (Art. 6(5)-(7)).
- You may outsource verification of compliance with ICT risk management requirements to intra-group or external undertakings, but remain fully responsible (Art. 6(10)).

### Simplified ICT Risk Management Framework

- If Art. 16 applies, Articles 5-15 do not apply (Art. 16(1)).
- Minimum framework requirements include: sound documented ICT risk framework; continuous monitoring; resilient and updated ICT systems; prompt identification and handling of anomalies/incidents; identifying key ICT third-party dependencies (Art. 16(1)).
- Maintain continuity of critical or important functions via business continuity and response/recovery measures (including back-up and restoration), and test plans and controls regularly; implement operational lessons and training as appropriate (Art. 16(1)).
- Document and periodically review the Art. 16 framework; submit a review report to the competent authority upon request (Art. 16(2)).
- TLPT does not apply to Art. 16(1) entities (Art. 26(1)).

### Incident Management & Reporting

- Establish an ICT incident management process to detect, manage and notify ICT-related incidents; record all ICT incidents and significant cyber threats (Art. 17).
- Classify ICT incidents and determine impact using Art. 18 criteria (clients/transactions/reputation; duration; geographic spread; data losses; criticality; economic impact).
- Report major ICT-related incidents to the relevant competent authority, using RTS time limits and ITS templates; initial notification + intermediate + final report (Arts. 19-20).
- RTS time limits (Delegated Reg. (EU) 2025/301) include: initial notification within 4 hours of classifying as major (and no later than 24 hours from awareness), intermediate report within 72 hours of the initial notification, and final report within 1 month of the (latest) intermediate report; if unable to meet a time limit, inform the competent authority and explain the delay; limited weekend/bank-holiday flexibility may apply (2025/301, Art. 5).
- Major incident classification criteria, materiality thresholds, and report details are further specified by RTS (Delegated Reg. (EU) 2024/1772), while standard forms/templates and procedures are set by ITS (Implementing Reg. (EU) 2025/302).
- If technical impossibility prevents submission using the template, notify the competent authority via alternative means (Art. 19(1)).
- Reporting can be outsourced to a third-party service provider, but the financial entity remains fully responsible (Art. 19(5)).
- Voluntary notification of significant cyber threats (Art. 19(2)).
- Client notification duties for major incidents impacting clients' financial interests (Art. 19(3)).
- Payment-related incidents: Chapter III also applies to operational or security payment-related incidents for credit institutions, payment institutions, AISPs and EMIs (Art. 23).
- Member States may additionally require some or all financial entities to also provide the incident reports to CSIRTs under NIS2 (Art. 19(1)).
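The RTS 2025/301 time limits listed above chain off three different clocks (awareness, classification as major, and submission of the previous report), which is easy to get wrong during a live incident. The following deadline tracker is an added example written for this page; it is not Sorena's code and not part of any official template. It assumes all timestamps are UTC, reads "1 month" as one calendar month (clamping to the last day of a short month), and does not apply the weekend/bank-holiday flexibility the RTS may allow, so it errs on the early side.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for the constructed sample below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(dt: datetime) -> datetime:
    """Same day one calendar month later, clamped to the last day of a shorter month.
    Assumption: 'within 1 month' is read as a calendar month."""
    month = dt.month % 12 + 1
    year = dt.year + dt.month // 12
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def initial_deadline(aware_at: datetime, classified_major_at: datetime) -> datetime:
    # Initial notification: 4 hours from classification as major,
    # but never later than 24 hours from awareness (RTS 2025/301, Art. 5).
    return min(classified_major_at + timedelta(hours=4),
               aware_at + timedelta(hours=24))


def intermediate_deadline(initial_submitted_at: datetime) -> datetime:
    # Intermediate report: 72 hours from submission of the initial notification.
    return initial_submitted_at + timedelta(hours=72)


def final_deadline(latest_intermediate_at: datetime) -> datetime:
    # Final report: 1 month from the (latest) intermediate report.
    return add_one_month(latest_intermediate_at)


@dataclass
class MajorIncidentReporting:
    """Tracks one major ICT-related incident through the three DORA report stages."""
    aware_at: datetime
    classified_major_at: datetime
    initial_submitted_at: Optional[datetime] = None
    intermediate_submitted_at: Optional[datetime] = None   # latest intermediate report
    final_submitted_at: Optional[datetime] = None

    def deadlines(self) -> dict:
        """Deadline per stage; None where the previous report has not been submitted yet."""
        return {
            "initial": initial_deadline(self.aware_at, self.classified_major_at),
            "intermediate": (intermediate_deadline(self.initial_submitted_at)
                             if self.initial_submitted_at else None),
            "final": (final_deadline(self.intermediate_submitted_at)
                      if self.intermediate_submitted_at else None),
        }

    def overdue(self, now: datetime) -> list:
        """Stages whose deadline has passed without a submission recorded.
        An overdue stage is the trigger to inform the competent authority and explain the delay."""
        submitted = {
            "initial": self.initial_submitted_at,
            "intermediate": self.intermediate_submitted_at,
            "final": self.final_submitted_at,
        }
        return [stage for stage, due in self.deadlines().items()
                if due is not None and submitted[stage] is None and now > due]


if __name__ == "__main__":
    # Constructed sample: aware at 08:00, classified as major ten hours later,
    # initial notification filed at 21:30 the same day.
    incident = MajorIncidentReporting(
        aware_at=utc(2025, 3, 10, 8),
        classified_major_at=utc(2025, 3, 10, 18),
        initial_submitted_at=utc(2025, 3, 10, 21, 30),
    )
    for stage, due in incident.deadlines().items():
        print(f"{stage:12s} due: {due}")
    print("overdue at 2025-03-14:", incident.overdue(utc(2025, 3, 14)))
```

The `initial_deadline` rule is the one that bites: an entity that becomes aware early in the day but only classifies the incident as major twenty hours later has a 4-hour window that the 24-hour-from-awareness cap already cuts short. Keep awareness time as a first-class field in the incident record rather than deriving it later from ticket timestamps.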

### Incident Reporting Routing (Who to Notify)

- Report major ICT-related incidents to the relevant competent authority (Art. 19(1); see Art. 46).
- If supervised by more than one national competent authority, the Member State designates a single relevant competent authority for Art. 19 reporting (Art. 19(1)).
- Significant credit institutions report to the relevant national competent authority, which immediately transmits the report to the ECB (Art. 19(1)).
- Member States may additionally require that reports are also provided to CSIRTs under NIS2 (Art. 19(1)).

### Supervisory Feedback & Sector Learning

- Competent authorities acknowledge receipt of the notifications/reports and may provide timely, relevant and proportionate feedback or high-level guidance (Art. 22(1)).
- Competent authorities may make available anonymised information and intelligence on similar threats and discuss remedies to minimise adverse impact across the financial sector (Art. 22(1)).
- ESAs report yearly on major incidents on an anonymised and aggregated basis, and may issue warnings and produce high-level statistics (Art. 22(2)).

### Digital Operational Resilience Testing

- Financial entities other than microenterprises must establish, maintain and review a comprehensive digital operational resilience testing programme (Art. 24(1)).
- Testing methods include vulnerability assessments/scans, penetration testing, end-to-end testing and more (Art. 25(1)).
- Microenterprises perform the tests using a risk-based approach and strategic planning (Art. 25(3)).
- TLPT applies only to certain non-microenterprise financial entities that are not covered by Art. 16(1) and are identified by competent authorities; at least every 3 years (Art. 26(1) & 26(8)).
- Use testers meeting DORA requirements and manage TLPT risks and results, including rules for internal testers (Art. 27).

### ICT Third-Party Risk & Contracts

- Manage ICT third-party risk as part of ICT risk (Art. 28(1)) and remain fully responsible for compliance (Art. 28(1)(a)).
- Adopt a strategy on ICT third-party risk (financial entities other than microenterprises and those in Art. 16(1); Art. 28(2)).
- Maintain a register of information for all ICT contractual arrangements; distinguish those supporting critical or important functions; report at least yearly; and provide the register upon request (Art. 28(3)).
- Pre-contract assessments include critical/important function determination, risk assessment (including concentration risk), due diligence, and conflicts of interest (Art. 28(4); see also Art. 29).
- Baseline contract elements include: service description, subcontracting permissions/conditions, locations and data processing/storage, data protection safeguards, data access/recovery/return, and service levels (Art. 30(2)).
- For ICT services supporting critical or important functions, contracts must also include: business contingency + security requirements, TLPT cooperation, ongoing monitoring and audit/access/inspection rights, and exit strategies with an adequate transition period (Art. 30(3)).
- Microenterprise derogation: audit/access/inspection rights can be delegated to an independent third party appointed by the ICT provider, under conditions (Art. 30(3)).
- When negotiating contractual arrangements, consider standard contractual clauses developed by public authorities for specific services (Art. 30(4)).
- If using a third-country ICT provider designated as critical, financial entities may only use its services if it establishes an EU subsidiary within 12 months of designation (Art. 31(12)).
- Practical note: intra-group ICT service provision is not automatically less risky than external provision; reflect group control in the overall risk assessment (Recital 31).

### ICT Provider Readiness (Practical)

- Expect customers to require written ICT contracts with clear allocation of rights/obligations and service level agreements (Art. 30(1)-(2)).
- Prepare for incident assistance obligations tied to the ICT service provided (Art. 30(2)(f)).
- Prepare to cooperate with customers' competent authorities and resolution authorities (Art. 30(2)(g)).
- For services supporting critical or important functions, expect audit/access/inspection rights, security and contingency requirements, TLPT cooperation, and exit/transition obligations (Art. 30(3)).
- Subcontracting: expect customer assessments and controls; RTS further specify elements to assess when subcontracting ICT services supporting critical/important functions (Art. 30(5)).
- Customers may consider using standard contractual clauses developed by public authorities for specific services (Art. 30(4)).

### Register of Information (Operational Focus)

- Maintain and update the register of information for ICT contracts at entity and (where relevant) consolidated levels (Art. 28(3)).
- Be ready to provide the full register or specified sections to the competent authority upon request (Art. 28(3)).
- Inform the competent authority about planned ICT contracts supporting critical/important functions, and when a function becomes critical/important (Art. 28(3)).
- Use standard templates established by ITS for the register of information (Implementing Regulation (EU) 2024/2956).

### CTPP Oversight (High-Level)

- Critical ICT third-party service providers are designated under DORA (Art. 31) and are overseen by a Lead Overseer (Chapter V, Section II).
- Designation criteria are further specified by delegated acts (e.g., Delegated Regulation (EU) 2024/1502); oversight fees are set by delegated acts (e.g., Delegated Regulation (EU) 2024/1505).
- Oversight Forum supports the Joint Committee and Lead Overseer on ICT third-party risk (Art. 32).
- Lead Overseer is the primary point of contact for oversight matters (Art. 33).
- Joint Oversight Network coordinates Lead Overseers (Art. 34).
- ESAs issue guidelines on cooperation and information exchange for the oversight framework (Art. 32(7)).
- This oversight framework is without prejudice to NIS2 and other Union oversight rules applicable to providers of cloud computing services (Art. 32(8)).

### CTPP Oversight: Follow-Up & Enforcement

- Lead Overseer powers include requesting information, conducting investigations/inspections, and issuing recommendations (Art. 35(1)).
- CTPPs must respond to recommendations within 60 days (intend to follow, or explain why not); the Lead Overseer may publicly disclose certain non-compliance (Art. 42(1)-(2)).
- Periodic penalty payments: after at least 30 days of non-compliance with required measures, the Lead Overseer can impose daily penalty payments (up to 1% average daily worldwide turnover) for up to 6 months; disclosed publicly in principle (Art. 35(6)-(10)).
- As a last resort, competent authorities may require financial entities to suspend or terminate the use of a service provided by a CTPP until risks are addressed (Art. 42(6)).
- Third-country CTPP: financial entities may only use a third-country ICT provider designated as critical if it has established an EU subsidiary within 12 months of designation (Art. 31(12)).

### Critical or Important Function

- A 'critical or important function' is a function whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities.
- It also includes functions where discontinued, defective or failed performance would materially impair continuing compliance with authorisation conditions or other financial services law obligations (Art. 3(22)).

### Microenterprises (Practical Notes)

- Definition: a financial entity (excluding trading venues, CCPs, TRs and CSDs) with <10 persons and <= EUR 2M turnover and/or balance sheet total (Art. 3(60)).
- Some requirements apply only to financial entities other than microenterprises (e.g., crisis management function: Art. 11(7); continuous monitoring of technological developments: Art. 13(7)).
- Redundant ICT capacities: non-microenterprises must maintain; microenterprises assess the need based on risk profile (Art. 12(4)).
- Testing: microenterprises perform Art. 25 tests using a risk-based approach and strategic planning; TLPT does not apply (Art. 25(3); Art. 26(1)).
- Contracts: for critical/important functions, microenterprises may agree to delegate audit/access/inspection rights to an independent third party appointed by the ICT provider (Art. 30(3) derogation).

### TLPT (Threat-Led Penetration Testing)

- Applies to certain non-microenterprise financial entities not covered by Art. 16(1) that are identified by the competent authority; at least every 3 years (Art. 26(1) & 26(8)).
- Scope: cover several or all critical or important functions and be performed on live production systems; include outsourced/contracted ICT services where relevant (Art. 26(2)).
- If ICT providers are in scope, the financial entity must ensure their participation and remains fully responsible for compliance (Art. 26(3)).
- Pooled testing is possible under written agreement in specific circumstances (Art. 26(4)).
- Internal vs external testers: if a financial entity uses internal testers, it must contract external testers every three tests; significant credit institutions may only use external testers (Art. 26(8)).
- Provide summary findings and remediation plans to the TLPT authority and obtain an attestation to support mutual recognition; notify the relevant competent authority (Art. 26(6)-(7)).
- Member States may designate a single public authority for TLPT matters; otherwise a competent authority may delegate some or all TLPT-related tasks (Art. 26(9)-(10)).
- Detailed TLPT RTS are developed with the ECB in accordance with the TIBER-EU framework (Art. 26(11)) and adopted as delegated acts (e.g., Delegated Reg. (EU) 2025/1190).

### Key Level 2 Acts to Implement

- Incident classification & reporting: Delegated Reg. (EU) 2024/1772; Delegated Reg. (EU) 2025/301; Implementing Reg. (EU) 2025/302.
- ICT risk management: Delegated Reg. (EU) 2024/1774.
- ICT third-party contractual arrangements: Delegated Reg. (EU) 2024/1773.
- Register of information templates: Implementing Reg. (EU) 2024/2956.
- CTPP designation criteria and oversight fees: Delegated Reg. (EU) 2024/1502 and 2024/1505.
- Subcontracting assessments: Delegated Reg. (EU) 2025/532.

### Voluntary Information Sharing

- Financial entities may exchange cyber threat information and intelligence to enhance resilience, within trusted communities, under arrangements that protect sensitive information and respect confidentiality, GDPR and competition guidance (Art. 45(1)).
- Information-sharing arrangements should define participation conditions and operational elements; they can involve public authorities and ICT third-party providers where appropriate (Art. 45(2)).
- Notify the competent authority of participation or cessation once it takes effect (Art. 45(3)).

## Possible Outcomes

### [RESULT] DORA Applies (Simplified ICT Risk Framework)

Art. 16 applies instead of Arts. 5-15

- Apply DORA Chapter II via Art. 16 minimum framework requirements (sound documented ICT risk framework; monitoring; continuity; testing; third-party dependencies).
- Other DORA chapters still apply where relevant (incident reporting, testing, third-party risk) subject to proportionality (Art. 4). TLPT does not apply to Art. 16(1) entities (Art. 26(1)).

### [RESULT] DORA Applies (Microenterprise)

Tailored obligations across DORA

- DORA applies, but several requirements are scaled for microenterprises (see microenterprise-specific provisions across DORA).
- Use proportionality (Art. 4) to implement incident reporting, testing, and third-party risk in a practical, evidence-ready way.

### [RESULT] DORA Applies (Full Framework + TLPT)

Advanced testing required

- Implement the full ICT risk management framework (Arts. 5-15) and related obligations across Chapters III-V as applicable.
- Perform TLPT at least every 3 years on live production systems supporting critical or important functions, as validated by competent authorities (Art. 26).

### [RESULT] DORA Applies (Full ICT Risk Framework)

Full framework; TLPT not required

- Implement the full ICT risk management framework (Arts. 5-15) and related obligations across Chapters III-V as applicable.
- Use proportionality to tailor implementation (Art. 4), and run the required testing programme (Arts. 24-25) even if TLPT is not required (Art. 26).

### [RESULT] CTPP Oversight Applies

Critical ICT third-party provider under DORA

- Expect oversight by a Lead Overseer and supervisory engagement (Chapter V, Section II).
- Financial entities remain responsible for their own compliance, but oversight targets the critical provider's services supporting financial entities' critical or important functions.

### [RESULT] Not Designated as CTPP

DORA primarily impacts you via customer contractual requirements

- Expect contractual terms under Art. 30, including security, audit/access, data return/exit, and subcontracting controls where applicable.
- Expect to support customers' resilience testing where relevant, including TLPT cooperation where required (Arts. 26-27 and Art. 30(3)).

### [RESULT] Out of Scope

DORA does not directly apply

- You are not an entity listed in Art. 2(1), or an Art. 2(3) exclusion applies.
- Even if not directly in scope, you may be impacted via contractual demands from DORA-regulated customers.

### [RESULT] Out of Scope (Member State Exclusion)

Excluded under Art. 2(4) option

- Your Member State has excluded certain entities from DORA under the optional exclusion in Art. 2(4).
- Confirm the national scope and any subsequent changes to the exclusion as published by your Member State.

## DORA Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2022-12-14 | DORA adopted | Reg. (EU) 2022/2554 |
| 2022-12-27 | DORA published in Official Journal (OJ L 333) | Reg. (EU) 2022/2554 |
| 2023-01-16 | DORA enters into force (20 days after publication) | Reg. (EU) 2022/2554 |
| 2024-05-30 | CTPP designation criteria and oversight fees acts published in OJ | Reg. (EU) 2024/1502 and 2024/1505 |
| 2024-06-25 | RTS on incident classification, contracts, and ICT risk management published in OJ | Reg. (EU) 2024/1772, 2024/1773, 2024/1774 |
| 2024-12-02 | Register of information ITS (templates) published in OJ | Reg. (EU) 2024/2956 |
| 2025-01-17 | DORA applies | Reg. (EU) 2022/2554 |
| 2025-02-20 | Incident reporting RTS and ITS published in OJ | Reg. (EU) 2025/301 and 2025/302 |
| 2025-06-18 | TLPT RTS published in OJ | Reg. (EU) 2025/1190 |
| 2025-07-02 | Subcontracting RTS published in OJ | Reg. (EU) 2025/532 |

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2022-12-14 | DORA adopted | Legislative History | Reg. (EU) 2022/2554 (of 14 December 2022) |
| 2022-12-27 | DORA published in Official Journal | Official Publication | OJ L 333, 27.12.2022 |
| 2022-12-27 | Alignment Directive (EU) 2022/2556 published | Official Publication |  |
| 2023-01-16 | DORA enters into force | Official Publication | Art. 64 |
| 2023-06-19 | ESAs first batch public consultation opens | ESAs Mandates & Deliverables |  |
| 2023-07-17 | Commission PSD2 review report deadline (cyber resilience of payment systems) | Commission Mandates & Reviews | Art. 58(2) |
| 2023-09-11 | ESAs first batch public consultation closes | ESAs Mandates & Deliverables |  |
| 2023-12-08 | ESAs second batch public consultation opens | ESAs Mandates & Deliverables |  |
| 2024-01-17 | Deadline: ESAs submit first wave draft RTS/ITS to the Commission | ESAs Mandates & Deliverables | Arts. 15, 16(3), 18(4), 28(9)-(10) |
| 2024-03-04 | ESAs second batch public consultation closes | ESAs Mandates & Deliverables |  |
| 2024-05-30 | Delegated Regs. 2024/1502 and 2024/1505 published in OJ | Delegated & Implementing Acts (OJ) | OJ L, 2024/1502 and 2024/1505, 30.5.2024 |
| 2024-06-25 | Delegated Regs. 2024/1772, 2024/1773, 2024/1774 published in OJ | Delegated & Implementing Acts (OJ) | OJ L, 2024/1772, 2024/1773, 2024/1774, 25.6.2024 |
| 2024-07-17 | Deadline: ESAs submit draft RTS/ITS for incident reporting content and templates | ESAs Mandates & Deliverables | Art. 20 |
| 2024-07-17 | Deadline: ESAs submit draft RTS for TLPT (TIBER-EU framework) | ESAs Mandates & Deliverables | Art. 26(11) |
| 2024-07-17 | Deadline: ESAs develop guidelines on annual costs and losses from major incidents | ESAs Mandates & Deliverables | Art. 11(11) |
| 2024-07-17 | Deadline: ESAs issue guidelines on oversight cooperation and information exchange | ESAs Mandates & Deliverables | Art. 32(7) |
| 2024-07-17 | Deadline: ESAs submit draft RTS on subcontracting assessments | ESAs Mandates & Deliverables | Art. 30(5) |
| 2024-07-17 | Deadline: ESAs submit draft RTS enabling the conduct of oversight activities | ESAs Mandates & Deliverables | Art. 41(2) |
| 2024-07-17 | ESAs publish second batch of policy products (incl. TLPT RTS) | ESAs Mandates & Deliverables |  |
| 2024-07-17 | Deadline: Commission delegated act on further criteria for critical ICT third-party designation | Commission Mandates & Reviews | Art. 31(6) |
| 2024-07-17 | Deadline: Commission delegated act on oversight fees | Commission Mandates & Reviews | Art. 43(2) |
| 2024-11-29 | Oversight Forum mandate (JC_24_93) | CTPP Oversight |  |
| 2024-12-02 | Implementing Reg. 2024/2956 published in OJ (register templates) | Register of Information | Reg. (EU) 2024/2956 |
| 2025-01-16 | Lead Overseer applies sub-criterion for CTPP designation (sub-criterion 1.4) | CTPP Oversight | Delegated Reg. (EU) 2024/1502 Art. 7 |
| 2025-01-17 | DORA applies | Applicability | Art. 64 |
| 2025-01-17 | EU Hub feasibility report due | ESAs Mandates & Deliverables | Art. 21(3) |
| 2025-01-17 | ESAs publish feasibility report on EU Hub centralisation (JC 2024 108) | ESAs Mandates & Deliverables |  |
| 2025-01-17 | Member States notify penalty and criminal-law measures | National Obligations | Art. 53 |
| 2025-01-17 | Application date - Guidelines on oversight cooperation and information exchange | Guidelines (Level 3) |  |
| 2025-02-20 | Delegated Reg. 2025/301 published in OJ (incident reporting RTS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/301, 20.2.2025 |
| 2025-02-20 | Implementing Regulation 2025/302 - incident reporting templates (ITS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/302, 20.2.2025 |
| 2025-03-06 | Corrigendum (01) to Delegated Reg. 2024/1774 | Corrigendum |  |
| 2025-05-15 | Corrigendum (02) to Delegated Reg. 2024/1774 | Corrigendum |  |
| 2025-05-19 | Application date - Guidelines on costs/losses estimation | Guidelines (Level 3) |  |
| 2025-06-18 | Delegated Reg. 2025/1190 published in OJ (TLPT RTS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/1190, 18.6.2025 |
| 2025-07-02 | Delegated Reg. 2025/532 published in OJ (subcontracting assessments) | Delegated & Implementing Acts (OJ) | Reg. (EU) 2025/532 |
| 2025-09-11 | Corrigendum to Implementing Reg. 2025/302 (incident templates) | Corrigendum |  |
| 2025-09-12 | Corrigendum to Delegated Reg. 2025/301 (non-EN) | Corrigendum |  |
| 2025-09-19 | Corrigendum to Implementing Reg. 2024/2956 (register templates) | Corrigendum |  |
| 2025-11-18 | First list of designated CTPPs published | CTPP Oversight |  |
| 2026-01-17 | Commission review on auditors and audit firms due | Commission Mandates & Reviews | Art. 58(3) |
| 2028-01-17 | Commission review of DORA due | Commission Mandates & Reviews | Art. 58(1) |

**Event details:**

- **2022-12-14 - DORA adopted**: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector is adopted by the European Parliament and the Council (date of the act: 14 December 2022).
- **2022-12-27 - DORA published in Official Journal**: Regulation (EU) 2022/2554 is published in the Official Journal of the European Union (OJ L 333, 27.12.2022).
- **2022-12-27 - Alignment Directive (EU) 2022/2556 published**: Directive (EU) 2022/2556 is published, aligning sectoral directives with DORA; Member States must transpose it by 17 January 2025.
- **2023-01-16 - DORA enters into force**: DORA enters into force on the twentieth day following its publication in the Official Journal (27 December 2022 -> 16 January 2023).
- **2023-06-19 - ESAs first batch public consultation opens**: First batch of DORA policy products consultation window opens.
- **2023-07-17 - Commission PSD2 review report deadline (cyber resilience of payment systems)**: Within the PSD2 review context, the Commission must submit a report to the European Parliament and Council no later than 17 July 2023 assessing the need for increased cyber resilience of payment systems and payment-processing activities.
- **2023-09-11 - ESAs first batch public consultation closes**: Closure of first batch consultation window.
- **2023-12-08 - ESAs second batch public consultation opens**: Second batch of DORA policy mandates consultation opens.
- **2024-01-17 - Deadline: ESAs submit first wave draft RTS/ITS to the Commission**: Deadline for ESAs (through the Joint Committee) to submit several draft RTS/ITS to the Commission, including RTS on ICT risk management, RTS on the simplified ICT risk management framework, RTS on incident classification (materiality thresholds), and draft ITS/RTS related to the register of information and ICT third-party risk policy.
- **2024-03-04 - ESAs second batch public consultation closes**: Closure of second batch consultation window.
- **2024-05-30 - Delegated Regs. 2024/1502 and 2024/1505 published in OJ**: Delegated Regulations (EU) 2024/1502 (designation criteria for critical ICT third-party service providers; adopted 22 February 2024) and 2024/1505 (oversight fees; adopted 22 February 2024) are published in the Official Journal.
- **2024-06-25 - Delegated Regs. 2024/1772, 2024/1773, 2024/1774 published in OJ**: Delegated Regulations (EU) 2024/1772 (incident classification), 2024/1773 (policy content for ICT third-party contractual arrangements supporting critical/important functions) and 2024/1774 (ICT risk management tools/methods and simplified framework) are published in the Official Journal (all adopted 13 March 2024).
- **2024-07-17 - Deadline: ESAs submit draft RTS/ITS for incident reporting content and templates**: Deadline for ESAs (through the Joint Committee, in consultation with ENISA and the ECB) to submit to the Commission draft RTS on incident-report content and time limits, and draft ITS on standard forms/templates/procedures for reporting major ICT-related incidents and notifying significant cyber threats.
- **2024-07-17 - Deadline: ESAs submit draft RTS for TLPT (TIBER-EU framework)**: Deadline for ESAs (in agreement with the ECB) to submit to the Commission draft RTS specifying criteria and detailed requirements for threat-led penetration testing (TLPT), including methodology phases, internal testers, and cooperation/mutual recognition aspects.
- **2024-07-17 - Deadline: ESAs develop guidelines on annual costs and losses from major incidents**: Deadline for ESAs (through the Joint Committee) to develop common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.
- **2024-07-17 - Deadline: ESAs issue guidelines on oversight cooperation and information exchange**: Deadline for ESAs to issue guidelines on cooperation between ESAs and competent authorities under the CTPP oversight framework, including task allocation/execution procedures and information-exchange details needed for follow-up of Lead Overseer recommendations.
- **2024-07-17 - Deadline: ESAs submit draft RTS on subcontracting assessments**: Deadline for ESAs (through the Joint Committee) to submit to the Commission draft RTS specifying further which elements a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
- **2024-07-17 - Deadline: ESAs submit draft RTS enabling the conduct of oversight activities**: Deadline for ESAs (through the Joint Committee) to submit to the Commission draft RTS specifying harmonised conditions enabling the conduct of oversight activities for critical ICT third-party service providers (including information requests, reporting, and Joint Examination Team arrangements).
- **2024-07-17 - ESAs publish second batch of policy products (incl. TLPT RTS)**: ESAs publish the second batch of DORA policy products, including the TLPT RTS and the draft RTS/ITS for incident reporting.
- **2024-07-17 - Deadline: Commission delegated act on further criteria for critical ICT third-party designation**: Deadline for the Commission to adopt a delegated act supplementing DORA by specifying further the criteria for the designation of ICT third-party service providers as critical for financial entities (implemented via Delegated Regulation (EU) 2024/1502 of 22 February 2024; OJ publication 30 May 2024).
- **2024-07-17 - Deadline: Commission delegated act on oversight fees**: Deadline for the Commission to adopt a delegated act determining the amount of the oversight fees to be paid by critical ICT third-party service providers and the way those fees are to be paid (implemented via Delegated Regulation (EU) 2024/1505 of 22 February 2024; OJ publication 30 May 2024).
- **2024-11-29 - Oversight Forum mandate (JC_24_93)**: Mandate of the Oversight Forum as a Joint Committee Sub-Committee of the European Supervisory Authorities (JC 2024 93, dated 29 November 2024).
- **2024-12-02 - Implementing Reg. 2024/2956 published in OJ (register templates)**: Implementing Regulation (EU) 2024/2956 is published, laying down implementing technical standards establishing standard templates for the register of information.
- **2025-01-16 - Lead Overseer applies sub-criterion for CTPP designation (sub-criterion 1.4)**: Under Delegated Regulation (EU) 2024/1502, the Lead Overseer applies sub-criterion 1.4 for the criticality assessment of ICT third-party service providers as of 16 January 2025.
- **2025-01-17 - DORA applies**: DORA applies from 17 January 2025.
- **2025-01-17 - EU Hub feasibility report due**: ESAs joint report assessing the feasibility of further centralisation of incident reporting through a single EU Hub is due to the European Parliament, Council and Commission by 17 January 2025.
- **2025-01-17 - ESAs publish feasibility report on EU Hub centralisation (JC 2024 108)**: ESAs publish their joint report on the feasibility of further centralising reporting of major ICT-related incidents through a single EU Hub (DORA Art. 21).
- **2025-01-17 - Member States notify penalty and criminal-law measures**: Member States must notify the Commission, ESMA, EBA and EIOPA of laws/regulations implementing the chapter on administrative penalties (and any relevant criminal law provisions) by 17 January 2025.
- **2025-01-17 - Application date - Guidelines on oversight cooperation and information exchange**: Joint Guidelines application date for oversight cooperation and information exchange.
- **2025-02-20 - Delegated Reg. 2025/301 published in OJ (incident reporting RTS)**: Delegated Regulation (EU) 2025/301 (adopted 23 October 2024) specifies the content and time limits for the initial notification, and intermediate and final reports on, major ICT-related incidents, and the content of voluntary notifications of significant cyber threats.
- **2025-02-20 - Implementing Regulation 2025/302 - incident reporting templates (ITS)**: Implementing Regulation (EU) 2025/302 (adopted 23 October 2024) lays down implementing technical standards establishing the standard forms, templates and procedures for reporting major ICT-related incidents and notifying significant cyber threats, including use under transitional arrangements pending any EU Hub implementation (OJ publication 20 February 2025; earlier drafts sometimes used month-level dating).
- **2025-03-06 - Corrigendum (01) to Delegated Reg. 2024/1774**: First corrigendum to Delegated Regulation (EU) 2024/1774 (ICT risk management) published.
- **2025-05-15 - Corrigendum (02) to Delegated Reg. 2024/1774**: Second corrigendum to Delegated Regulation (EU) 2024/1774 (ICT risk management) published.
- **2025-05-19 - Application date - Guidelines on costs/losses estimation**: Application date for the costs/losses Guidelines.
- **2025-06-18 - Delegated Reg. 2025/1190 published in OJ (TLPT RTS)**: Delegated Regulation (EU) 2025/1190 (adopted 13 February 2025) specifies RTS on criteria and detailed requirements for threat-led penetration testing (TLPT).
- **2025-07-02 - Delegated Reg. 2025/532 published in OJ (subcontracting assessments)**: Delegated Regulation (EU) 2025/532 is published, specifying elements to determine and assess when subcontracting ICT services supporting critical or important functions.
- **2025-09-11 - Corrigendum to Implementing Reg. 2025/302 (incident templates)**: Corrigendum to Implementing Regulation (EU) 2025/302 published.
- **2025-09-12 - Corrigendum to Delegated Reg. 2025/301 (non-EN)**: Corrigendum to Delegated Regulation (EU) 2025/301 published; OJ note indicates it does not concern the English version.
- **2025-09-19 - Corrigendum to Implementing Reg. 2024/2956 (register templates)**: Corrigendum to Implementing Regulation (EU) 2024/2956 published.
- **2025-11-18 - First list of designated CTPPs published**: The European Supervisory Authorities publish the first list of designated critical ICT third-party service providers (CTPPs).
- **2026-01-17 - Commission review on auditors and audit firms due**: Commission must review and submit a report (and, where appropriate, a legislative proposal) on strengthened digital operational resilience requirements for statutory auditors and audit firms by 17 January 2026.
- **2028-01-17 - Commission review of DORA due**: Commission must review DORA and submit a report (and, where appropriate, a legislative proposal) by 17 January 2028.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-operational-resilience-act
