FAQEU

EU DORA FAQ

Direct answers on DORA scope, proportionality, ICT risk management, ICT third-party contracts, register-of-information records, major ICT incident reporting, resilience testing, TLPT, and enforcement.

Use this page as a starting point for source-linked DORA triage; it avoids unofficial penalty caps, unsupported incident thresholds, and generic compliance checklists.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
FAQ modules
5

Structured answer sets in this page tree.

Primary sources
10

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA is the EU Digital Operational Resilience Act for the financial sector. It sets uniform requirements for ICT risk management, major ICT incident reporting, digital operational resilience testing, ICT third-party risk, and oversight of critical ICT third-party service providers. This FAQ answers the questions teams usually need before assigning DORA work or validating evidence.

Browse sub-FAQs

Choose the question set you need

These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.

Browse all FAQ items23
Focused FAQ modules
5
Showing 5 of 5
FAQ module

DORA ICT Third-Party Contracts FAQ

What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.

4 items
FAQ module

DORA major ICT incident thresholds: what triggers reporting?

FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.

4 items
FAQ module

DORA Register of Information FAQ: ICT Third-Party Arrangements

FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.

6 items
FAQ module

DORA TLPT selection: who can be required to test?

FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.

5 items
FAQ module

How does proportionality work under EU DORA?

A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.

4 items
Question 1

DORA scope and proportionality

DORA applies to listed financial entities such as credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, fund managers, management companies, insurance and reinsurance undertakings, insurance intermediaries, occupational pension institutions, credit rating agencies, critical benchmark administrators, crowdfunding service providers, securitisation repositories, and ICT third-party service providers.

DORA also contains exclusions and proportionality rules. Some small or exempt entities are outside scope, and financial entities apply the ICT risk management, testing, incident, and third-party-risk rules in proportion to their size, risk profile, and the nature, scale, and complexity of their services.

Which organisations are in scope of EU DORA?

DORA mainly covers regulated EU financial-sector entities listed in Article 2, including banks, payment and e-money institutions, investment firms, trading venues, central counterparties, central securities depositories, insurers, relevant intermediaries, fund managers, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and crypto-asset service providers. ICT third-party service providers are also in scope for DORA's third-party oversight framework.

Does EU DORA apply the same way to every financial entity?

No. Article 4 requires proportionality. The entity should scale the DORA programme to its size, overall risk profile, and the nature, scale, and complexity of its services, activities, and operations. That affects ICT risk management, incident handling, resilience testing, and ICT third-party-risk controls.

What is a critical or important function under EU DORA?

A critical or important function is one where disruption would materially impair the entity's financial performance, service continuity, authorisation conditions, or other obligations under financial services law. This classification drives contract clauses, exit plans, subcontractor review, register data, and TLPT scoping.

Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports DORA scope, exclusions, definitions, proportionality, and the main obligation areas.
Question 2

ICT risk management, testing, and evidence records

DORA is not only an incident-reporting rule. Financial entities need a documented ICT risk management framework, governance and control arrangements, ICT asset and function inventories, business continuity and response-and-recovery plans, detection and incident-management processes, post-incident learning, and testing.

Evidence should be specific enough for a supervisor to trace a DORA requirement to an operational control: management-body approvals, ICT risk framework reviews, inventories, business impact analysis records, continuity test results, incident logs, classification worksheets, remediation plans, and audit follow-up for critical ICT findings.

What ICT risk management evidence does EU DORA expect?

Core evidence includes a documented ICT risk management framework, policies and procedures for protecting information and ICT assets, assigned ICT risk responsibilities, ICT-supported business function and asset inventories, risk assessments for major changes and legacy ICT systems, continuity and recovery plans, incident records, and audit remediation records.

What digital operational resilience testing is required under EU DORA?

Financial entities other than microenterprises need a risk-based testing programme that can include vulnerability assessments, scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, source-code reviews where feasible, scenario-based tests, compatibility and performance testing, end-to-end testing, and penetration testing. Appropriate tests must be conducted at least yearly on ICT systems and applications supporting critical or important functions.

Are microenterprises exempt from all EU DORA testing?

No. DORA gives microenterprises a lighter approach, but Article 25 still expects them to perform testing using a risk-based and strategically planned approach. The advanced TLPT requirement is not for microenterprises.

Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports ICT risk management framework, incident management, continuity, recovery, and resilience testing obligations.
Delegated Regulation (EU) 2024/1774 on ICT risk management
Supports detailed ICT risk-management tools, methods, processes, policies, and simplified-framework requirements.
Question 3

Major ICT incidents and reporting

DORA requires financial entities to classify ICT-related incidents, report major ICT-related incidents to the relevant competent authority, and notify significant cyber threats voluntarily when they consider the threat relevant to the financial system, service users, or clients.

The incident decision should be based on DORA classification criteria and the RTS thresholds, not on an informal severity label. Keep the incident timeline, affected service and function, client or financial-counterpart impact, downtime, geography, data-loss assessment, economic impact, root cause, and report submissions together.

When is an ICT incident major under EU DORA?

Under the incident-classification RTS, an incident is major when it affects critical services and either the specific malicious-unauthorised-access data-loss threshold in Article 9(5)(b) is met or at least two other materiality thresholds are met. Recurring non-major incidents can also be treated as one major incident when the RTS conditions are satisfied.

What EU DORA incident thresholds should teams check first?

Check affected clients, financial counterparts, and transactions; reputational impact; incident duration and service downtime; geographical spread; data losses; critical services affected; and economic impact. The RTS includes concrete examples such as more than 10% of affected-service clients, more than 100,000 affected clients, impact in two or more Member States, incident duration longer than 24 hours, and costs or losses exceeding or likely to exceed EUR 100,000.

What are the EU DORA major ICT incident reporting deadlines?

The reporting RTS requires an initial notification as early as possible and within four hours after classification as major, and no later than 24 hours after the entity became aware of the incident. The intermediate report is due within 72 hours after the initial notification. The final report is due no later than one month after the intermediate report or the latest updated intermediate report.

Can EU DORA incident reporting be outsourced?

Yes, Article 19 allows outsourcing of the reporting obligation in line with Union and national sectoral law, but the financial entity remains fully responsible for meeting the incident reporting requirements.

Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the duty to classify ICT incidents, report major ICT incidents, and voluntarily notify significant cyber threats.
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Supports the materiality criteria and thresholds used to decide whether an ICT incident is major.
Delegated Regulation (EU) 2025/301 on incident reporting content and time limits
Supports the initial, intermediate, and final reporting deadlines and required report content.
Implementing Regulation (EU) 2025/302 on incident reporting templates
Supports the use of standard forms, templates, and procedures for reporting major ICT incidents and notifying significant cyber threats.
Question 4

ICT third-party contracts and register of information

DORA keeps responsibility with the financial entity even when ICT services are outsourced. Before contracting, entities should decide whether the service supports a critical or important function, assess concentration and subcontracting risk, run due diligence, and make sure required contract rights are written into one durable contract.

The register of information is a structured inventory of ICT third-party contractual arrangements. It distinguishes critical or important functions, links contracts, providers, functions, services, subcontractors, supply-chain ranks, identifiers, audit dates, exit plans, substitutability, and discontinuation impact.

What must EU DORA ICT third-party contracts include?

Article 30 requires written contracts with clear allocation of rights and obligations, service descriptions, data-location and processing-location information, data protection commitments, access and return of data, service levels, incident assistance, cooperation with authorities, termination rights, and security-awareness or training participation where relevant. Contracts supporting critical or important functions need additional provisions such as full service-level descriptions, material-impact notification, contingency testing, TLPT cooperation, audit and inspection rights, and exit strategies.

What should be assessed before using an ICT third-party provider under EU DORA?

Before contracting, the financial entity should assess whether the service supports a critical or important function, whether supervisory conditions for contracting are met, relevant ICT and concentration risks, provider suitability and due diligence, conflicts of interest, information-security standards, subcontracting, data and provider locations, auditability, business continuity, and exit options.

What is the EU DORA register of information?

It is the required record of all contractual arrangements for ICT services provided by ICT third-party service providers, maintained at entity level and, where relevant, sub-consolidated and consolidated levels. The implementing templates capture the financial entity, contracts, providers, ICT services, functions, criticality or importance, supply-chain data, subcontractors that underpin critical or important functions, audit dates, exit plans, substitutability, and impact of discontinuing the ICT service.

How should EU DORA subcontracting for critical or important functions be handled?

If subcontracting is permitted, the financial entity should have conditions in the contract, assess the subcontracting chain, location, data, concentration, transferability, continuity impact, and subcontractor suitability, and preserve the right to assess material changes before they take effect. Subcontracting does not transfer the financial entity's DORA responsibility.

Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports DORA third-party risk principles, Article 28 register duty, and Article 30 contract requirements.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
Supports policy content for ICT services supporting critical or important functions, including risk assessment, due diligence, monitoring, audit, and exit planning.
Implementing Regulation (EU) 2024/2956 on register-of-information templates
Supports standard register templates, data-quality expectations, identifiers, supply-chain records, and critical-function assessment fields.
Delegated Regulation (EU) 2025/532 on ICT subcontracting
Supports subcontracting assessment for ICT services supporting critical or important functions or material parts of them.
Question 5

TLPT, critical providers, and enforcement

Threat-led penetration testing is the advanced DORA test for selected financial entities. It is not required for every entity; competent authorities identify entities based on impact, possible financial-stability concerns, ICT risk profile, ICT maturity, and technology features.

DORA enforcement is not expressed as one EU-wide administrative fine cap. Member States set administrative penalties and remedial measures, while competent authorities need supervisory, investigatory, and sanctioning powers such as document access, inspections, corrective measures, orders to stop breaches, measures including pecuniary measures, and public notices.

Who has to perform TLPT under EU DORA?

Only financial entities identified by competent authorities have to perform DORA TLPT. Article 26 points authorities to impact-related factors, possible financial-stability concerns, and the entity's ICT risk profile, ICT maturity, or technology features. The TLPT RTS further restricts TLPT to entities for which this advanced live-production testing is justified.

How often is EU DORA TLPT required?

Identified financial entities must carry out TLPT at least every three years, unless the competent authority changes the frequency based on the entity's risk profile and operational circumstances.

What does EU DORA TLPT have to cover?

Each TLPT must cover several or all critical or important functions and live production systems supporting those functions. The entity identifies the underlying ICT systems, processes, technologies, and ICT services, including outsourced or contracted services, and the competent authority validates the final scope.

How are critical ICT third-party service providers treated under EU DORA?

The ESAs designate critical ICT third-party service providers through the Joint Committee and appoint a Lead Overseer. Designation looks at systemic impact, the systemic importance of relying financial entities, reliance for critical or important functions, and substitutability. This is an oversight regime for providers; it does not remove the financial entity's responsibility for its own DORA compliance.

What penalties apply for EU DORA breaches?

DORA requires Member States to establish effective, proportionate, and dissuasive administrative penalties and remedial measures, but it does not set one universal EU fine cap for every DORA breach. Competent authorities must be able to require corrective measures, order conduct to stop, require temporary or permanent cessation of practices, adopt measures including pecuniary measures, and issue public notices.

Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports TLPT frequency, critical ICT third-party provider designation, and enforcement powers.
Delegated Regulation (EU) 2025/1190 on DORA TLPT
Supports TLPT selection, methodology, provider, scope, testing, closure, remediation, and attestation requirements.
Delegated Regulation (EU) 2024/1502 on critical ICT third-party provider designation
Supports the criteria used to designate ICT third-party service providers as critical under DORA.
Recommended next step

Use the FAQ to check your DORA workstream

Sorena can help convert DORA scope, incident, ICT contract, register, testing, TLPT, and enforcement questions into cited controls, record requests, and remediation tasks.

Research workflow
Open Research Copilot for DORA

Ask source-linked questions about DORA scope, ICT incidents, contracts, testing, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through DORA implementation

Review your DORA scope, incident reporting, ICT third-party, register, testing, and evidence gaps with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Supports TLPT frequency, critical ICT third-party provider designation, and enforcement powers.
"Administrative penalties and remedial measures"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.