---
title: "EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/items/page/2"
author: "Sorena AI"
description: "Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU DORA FAQ"
  - "Digital Operational Resilience Act"
  - "ICT incident reporting"
  - "ICT third-party contracts"
  - "TLPT"
  - "register of information"
  - "EU DORA"
  - "DORA FAQ"
  - "ICT risk management"
  - "major ICT incidents"
  - "ICT third-party risk"
---

# EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence

Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.


## EU DORA FAQ

Direct answers on DORA scope, proportionality, ICT risk management, ICT third-party contracts, register-of-information records, major ICT incident reporting, resilience testing, TLPT, and enforcement.

Use this page as a starting point for source-linked DORA triage; it avoids unofficial penalty caps, unsupported incident thresholds, and generic compliance checklists.

DORA is the EU Digital Operational Resilience Act for the financial sector. It sets uniform requirements for ICT risk management, major ICT incident reporting, digital operational resilience testing, ICT third-party risk, and oversight of critical ICT third-party service providers. This FAQ answers the questions teams usually need before assigning DORA work or validating evidence.

## Browse sub-FAQ modules

### [DORA ICT Third-Party Contracts FAQ](/artifacts/eu/digital-operational-resilience-act/faq/ict-third-party-contracts.md)

What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.

- 4 items

### [DORA major ICT incident thresholds: what triggers reporting?](/artifacts/eu/digital-operational-resilience-act/faq/major-incident-thresholds.md)

FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.

- 4 items

### [DORA Register of Information FAQ: ICT Third-Party Arrangements](/artifacts/eu/digital-operational-resilience-act/faq/register-of-information.md)

FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.

- 6 items

### [DORA TLPT selection: who can be required to test?](/artifacts/eu/digital-operational-resilience-act/faq/tlpt-selection.md)

FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.

- 5 items

### [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md)

A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.

- 4 items

Browse all indexed questions: [/artifacts/eu/digital-operational-resilience-act/faq/items](/artifacts/eu/digital-operational-resilience-act/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 3 of 23 items.*

### [Who can use DORA's simplified ICT risk management framework?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md#who-can-use-doras-simplified-ict-risk-management-framework)

*Module: [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md)*

DORA Article 16 disapplies Articles 5 to 15 and substitutes a simplified ICT risk management framework for the categories it lists: small and non-interconnected investment firms, payment institutions exempted under Directive (EU) 2015/2366, institutions exempted under Directive 2013/36/EU where the Member State has not applied the Article 2(4) option, electronic money institutions exempted under Directive 2009/110/EC, and small institutions for occupational retirement provision.

- Use Article 16 only when the entity fits one of the listed categories; do not apply it merely because the entity is small or resource-constrained.
- Keep one clear evidence file showing the Article 16 basis, the simplified ICT framework, the information security policy required by Delegated Regulation (EU) 2024/1774, and the periodic review report content where requested.
- For microenterprises, do not assume there is no testing duty: DORA Article 25(3) still requires the Article 25(1) tests, performed under a risk-based approach combined with strategic test planning, balancing the resources and time available against urgency, type of risk, criticality of information assets and of services provided, and any other relevant factor.
- When the entity relies on ICT third-party services, keep the register and contract evidence proportionate to the criticality or importance of the service, dependency complexity, and potential impact on continuity and availability.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Article 16 lists the entities subject to the simplified ICT risk management framework and preserves core ICT risk, continuity, dependency, and testing obligations.
- [Delegated Regulation (EU) 2024/1774 on ICT risk management tools and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Specifies proportionality factors and detailed simplified-framework requirements for governance, information security, ICT risk assessment, controls, continuity, testing, and review reporting.

### [What evidence supports a defensible DORA proportionality decision?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md#what-evidence-supports-a-defensible-dora-proportionality-decision)

*Module: [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md)*

A defensible proportionality decision connects the scaled measure to the risk facts DORA names. The evidence should show why the selected control, test, policy, supplier-monitoring depth, or remediation timetable is adequate for the entity's size, risk profile, services, activities, operations, and ICT dependencies.

- Entity and scope evidence: legal entity, DORA Article 2 category, any exclusion considered, and any Article 16 simplified-framework basis.
- Risk profile evidence: ICT-supported critical or important functions, information and ICT asset classification, business impact analysis, current and near-term ICT risks, threat landscape, incident history, and testing findings.
- Scaling evidence: what was made lighter or heavier, why the change remains adequate, who approved it, and what supervisory instruction, audit finding, incident, test, or supplier change would trigger review.
- Third-party evidence: register entries, critical or important function classification, contract clauses, service-level monitoring, exit or continuity evidence, and a record that outsourcing does not transfer the financial entity's DORA responsibility.
- Testing evidence: the risk basis for test type, frequency, scope, independence, remediation priorities, and any TLPT authority determination or attestation where advanced testing applies.

Sources for this answer:

- [Delegated Regulation (EU) 2024/1774 on ICT risk management tools and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Article 1 and the review-report provisions identify the size, risk, complexity, dependency, threat, control-effectiveness, and security-posture evidence useful for proportionality records.
- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Articles 6, 17, 19, 24, 25, 26, and 28 anchor evidence for ICT risk management, incidents, testing, TLPT, and ICT third-party risk.

### [What cannot be waived by calling it proportional under DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md#what-cannot-be-waived-by-calling-it-proportional-under-dora)

*Module: [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md)*

Proportionality does not erase DORA's core control points. It cannot be used to avoid having an ICT risk management framework, to ignore major ICT-related incidents, to skip required reporting, to transfer responsibility to a supplier, or to decline TLPT after the relevant authority identifies the entity as required to perform it.

- In-scope financial entities remain responsible for DORA compliance even when ICT services are outsourced or a third party assists with incident reporting.
- Major ICT-related incidents must be reported to the relevant competent authority through the Article 19(4) sequence of initial notification, intermediate report, and final report; proportionality does not turn mandatory reporting into an optional escalation.
- ICT third-party risk remains part of the financial entity's own ICT risk management framework, including the register of information and contract evidence for ICT services.
- TLPT is not self-selected by preference: DORA requires competent authorities to identify entities required to perform TLPT, and the TLPT RTS adds criteria and process requirements for scope, providers, risk management, findings, remediation, and attestation.
- Simplified-framework entities and microenterprises receive lighter or different obligations in defined places, but they still need evidence that the lighter approach matches their ICT risk profile and does not leave critical or important functions unmanaged.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Articles 17, 19, 26, and 28 show non-waivable incident, TLPT, and ICT third-party responsibility points despite proportional application.
- [Delegated Regulation (EU) 2025/1190 on DORA TLPT](https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj/eng?ref=sorena.io) - Specifies TLPT identification, scope, testing methodology, provider requirements, remediation, attestation, and authority cooperation criteria.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/eu/digital-operational-resilience-act/faq/items](/artifacts/eu/digital-operational-resilience-act/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 2 of 2

Pages: [1](/artifacts/eu/digital-operational-resilience-act/faq/items.md) | [2](/artifacts/eu/digital-operational-resilience-act/faq/items/page/2.md)

[Previous page](/artifacts/eu/digital-operational-resilience-act/faq/items.md)


## Use the FAQ to check your DORA workstream

Sorena can help convert DORA scope, incident, ICT contract, register, testing, TLPT, and enforcement questions into cited controls, record requests, and remediation tasks.

- [Open Research Copilot for DORA](/solutions/research-copilot.md): Ask source-linked questions about DORA scope, ICT incidents, contracts, testing, and evidence using the cited sources on this page.
- [Talk through DORA implementation](/contact.md): Review your DORA scope, incident reporting, ICT third-party, register, testing, and evidence gaps with Sorena.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/items/page/2
