
EU DORA FAQ

Fast answers to the real questions compliance, security, and product teams ask about DORA.

Grounded in the Regulation and the key RTS/ITS for reporting, contracting, and RoI templates.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026
Questions: 6

Overview

This FAQ is designed to be operational: each answer points to what to implement next and what evidence to keep. For formal interpretation and edge cases, validate against the primary legal texts and your competent authority guidance.

Question 1

When does DORA apply?

DORA applies from 17 January 2025 (Article 64). It entered into force 20 days after its publication in the Official Journal (OJ L 333, 27.12.2022).

Most readiness work (RoI, reporting pipeline, third-party clauses, testing program) should be built as a program - not a last-minute checklist.

  • Practical timeline: 90-180 days to build core workflows + exports, then quarterly drills and continuous improvement.
  • If you can't export the RoI reliably, start there - it unlocks third-party supervision readiness.

Question 2

Who is in scope (and what does "critical or important functions" mean)?

DORA covers a defined set of financial entities and sets stricter expectations for ICT services supporting critical or important functions.

Operationally, treat "critical or important" as a service classification tag applied in your service catalog and architecture. It drives stricter contracting, monitoring, subcontracting governance, and exit planning.

  • Build a function catalog + service mapping so you can explain which ICT services support which functions.
  • Use that mapping to prioritize: third-party clause remediation, subcontracting assessments, and exit readiness work.

Question 3

What is the Register of Information (RoI) and why do supervisors care?

The RoI is a DORA supervisory artifact: a register of contractual arrangements on ICT services from ICT third-party providers. Competent authorities can request the full register or specified sections.

The ITS (Implementing Regulation (EU) 2024/2956) defines standard templates and a relational structure for consistent reporting and group consolidation.

  • Treat the RoI as a data product: stable identifiers + relational joins + validation + export pipeline.
  • Use the ITS templates (B_01-B_07) as the schema contract and generate exports automatically.
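A small illustration of the "data product" approach above (stable identifiers, relational joins, validation, export), added here as an example and not taken from the page or from Sorena. The table and column names are a constructed simplification of the ITS templates (providers roughly B_05, functions roughly B_06, arrangements roughly B_02) and are assumptions, not the official schema; the LEI check digit rule is the real ISO 17442 / ISO 7064 MOD 97-10 procedure.

```python
# Added example (not from the page or Sorena): validate a minimal RoI and export a joined
# view. Table/column names are a constructed simplification of the ITS templates
# (providers ~ B_05, functions ~ B_06, arrangements ~ B_02), not the official schema.

def _lei_num(s: str) -> int:
    # ISO 17442 / ISO 7064 MOD 97-10: letters become 10..35, then the string is read as one integer
    return int("".join(str(int(c, 36)) for c in s))

def lei_with_check(body18: str) -> str:
    """Append the two MOD 97-10 check digits to an 18-char LEI body (used to build sample data)."""
    return body18 + f"{98 - _lei_num(body18 + '00') % 97:02d}"

def lei_is_valid(lei: str) -> bool:
    """20 chars, digits or uppercase letters only, and the numeric form is 1 mod 97."""
    return len(lei) == 20 and all("0" <= c <= "9" or "A" <= c <= "Z" for c in lei) and _lei_num(lei) % 97 == 1

# Constructed sample register keyed by stable ids; LEIs are synthetic but checksum-valid.
PROVIDERS = [{"provider_id": "P-001", "lei": lei_with_check("CONSTRUCTEDPROV001"), "name": "Example Cloud Ltd"}]
FUNCTIONS = [{"function_id": "F-001", "name": "Payments processing", "critical_or_important": True}]
ARRANGEMENTS = [
    {"arrangement_id": "A-001", "provider_id": "P-001", "function_id": "F-001", "service": "cloud hosting"},
    {"arrangement_id": "A-002", "provider_id": "P-999", "function_id": "F-001", "service": "managed SOC"},
]

def validate(providers, functions, arrangements) -> list:
    """Identifier and referential-integrity checks; returns findings (empty means clean)."""
    findings, pids = [], {p["provider_id"] for p in providers}
    fids = {f["function_id"] for f in functions}
    for p in providers:
        if not lei_is_valid(p["lei"]):
            findings.append(f"{p['provider_id']}: invalid LEI {p['lei']}")
    for a in arrangements:
        if a["provider_id"] not in pids:
            findings.append(f"{a['arrangement_id']}: unknown provider_id {a['provider_id']}")
        if a["function_id"] not in fids:
            findings.append(f"{a['arrangement_id']}: unknown function_id {a['function_id']}")
    return findings

def export_joined(providers, functions, arrangements) -> list:
    """Rows for a flat supervisory export (header first); refuses a register with open findings."""
    if validate(providers, functions, arrangements):
        raise ValueError("register has validation findings; fix them before export")
    prov = {p["provider_id"]: p for p in providers}
    func = {f["function_id"]: f for f in functions}
    rows = [["arrangement_id", "provider_lei", "provider_name", "function", "critical", "service"]]
    for a in arrangements:
        p, f = prov[a["provider_id"]], func[a["function_id"]]
        rows.append([a["arrangement_id"], p["lei"], p["name"], f["name"], f["critical_or_important"], a["service"]])
    return rows
```

Run `validate(PROVIDERS, FUNCTIONS, ARRANGEMENTS)` to see the dangling provider reference reported; the export deliberately refuses to run until the register is clean.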

Question 4

How does DORA major incident reporting work?

DORA incident reporting is a staged workflow: classification -> initial notification -> intermediate updates -> final report with root cause analysis and actual impact figures.

The RTS specify classification thresholds (Delegated Regulation (EU) 2024/1772) and the content/time limits for reporting stages (Delegated Regulation (EU) 2025/301).

  • Implement reporting as a pipeline: one incident data model feeding DORA reporting outputs.
  • Keep a classification decision log and submission receipts - that's often what's requested first.
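The staged workflow and evidence trail described above, as an added example (not the page's or Sorena's code): a single incident model that enforces stage order and keeps the classification decision log and submission receipts. The classification rule, criteria names and receipt format are constructed placeholders; the actual thresholds live in RTS 2024/1772 and the time limits in RTS 2025/301.

```python
# Added example (not the page's or Sorena's code): a staged incident-reporting workflow that
# enforces stage order and keeps the evidence the page mentions (decision log, receipts).
# The classification rule and criteria names are constructed placeholders, not the RTS thresholds.
from dataclasses import dataclass, field
from datetime import datetime, timezone

STAGES = ("initial", "intermediate", "final")

@dataclass
class Incident:
    incident_id: str
    classification: str = "unclassified"  # becomes "major" or "not_major"
    decision_log: list = field(default_factory=list)
    receipts: list = field(default_factory=list)

    def classify(self, criteria: dict, reviewer: str) -> str:
        """Log which criteria were met and the decision, so the rationale can be produced later."""
        met = sorted(k for k, v in criteria.items() if v)
        # placeholder rule (assumption): major when critical services are hit plus any other criterion
        self.classification = "major" if "critical_services_affected" in met and len(met) >= 2 else "not_major"
        self.decision_log.append({"at": datetime.now(timezone.utc).isoformat(), "by": reviewer,
                                  "criteria_met": met, "decision": self.classification})
        return self.classification

    def submit(self, stage: str, payload: dict) -> dict:
        """Submit one stage in order; returns the receipt, which is also kept on the incident."""
        done = [r["stage"] for r in self.receipts]
        if self.classification != "major":
            raise ValueError("only incidents classified as major enter the reporting pipeline")
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if stage != "initial" and "initial" not in done:
            raise ValueError("initial notification must be submitted first")
        if "final" in done:
            raise ValueError("final report already submitted; nothing further can be filed")
        if stage == "final" and not {"root_cause", "actual_impact"} <= set(payload):
            raise ValueError("final report must carry root_cause and actual_impact figures")
        receipt = {"stage": stage, "submitted_at": datetime.now(timezone.utc).isoformat(),
                   "ref": f"{self.incident_id}-{stage}-{len(done) + 1}"}
        self.receipts.append(receipt)
        return receipt

def walkthrough() -> Incident:
    # constructed end-to-end run: classify, then initial -> intermediate -> final
    inc = Incident("INC-0001")
    inc.classify({"critical_services_affected": True, "clients_affected": True, "data_losses": False}, "duty analyst")
    inc.submit("initial", {"summary": "payments API outage"})
    inc.submit("intermediate", {"status": "service restored, root cause under investigation"})
    inc.submit("final", {"root_cause": "expired TLS certificate on API gateway", "actual_impact": {"clients": 1200}})
    return inc
```

After `walkthrough()` the incident carries one decision-log entry and three receipts, which is the evidence set the bullet above says supervisors tend to ask for first.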

Question 5

Do we need TLPT (threat-led penetration testing)?

Not every entity performs TLPT. The TLPT RTS (Delegated Regulation (EU) 2025/1190) specifies criteria for identifying entities required to perform TLPT.

Even if you aren't in the first wave, TLPT readiness practices improve resilience and reduce incident/reporting risk.

  • Build a purple-team / red-team operating model and evidence trail so you can scale to TLPT if required.
  • Use an external framework like ECB TIBER-EU for realistic planning and governance where applicable.

Question 6

What changed in DORA supervision after application started?

The main shift is that DORA is now operating through concrete supervisory artifacts and oversight tools, not just the core regulation text. The RoI ITS, the incident-reporting ITS, and the first critical ICT provider designations are now live reference points.

That means firms need export-ready data, template-ready reporting, and third-party governance that can answer current supervisory questions.

  • RoI templates: ITS 2024/2956.
  • Incident reporting forms and procedures: ITS 2025/302, on top of RTS 2024/1772 and 2025/301.
  • Critical ICT third-party provider designations: first list published by the ESAs on 18 November 2025.
  • Fastest practical move: tighten incident-reporting data quality and RoI exports before trying to optimize everything else.