Digital Operational Resilience Act

DORA Consulting

The Digital Operational Resilience Act sets new requirements for financial entities and ICT providers across the EU. We support you through complete DORA implementation.

DORA at a Glance: Scope and Core Obligations

The Digital Operational Resilience Act (EU 2022/2554) has been binding for the entire EU financial sector since 17 January 2025. Affected entities include banks, insurance companies, investment firms, payment service providers, credit institutions, investment funds, rating agencies, and central counterparties. Critically, DORA also applies to critical ICT third-party providers – cloud providers, data centres, and managed service providers that serve the financial sector.

At its core, DORA requires financial entities to manage their operational resilience against ICT risks systematically. This builds on existing IT security obligations but goes further: DORA creates uniform, binding requirements at EU level that exceed what existing national regulations (e.g. MaRisk or BAIT in Germany) previously demanded. Existing compliance with national requirements is not a guarantee of DORA conformity.

The five pillars of DORA are: ICT risk management, incident reporting and classification, digital operational resilience testing, third-party risk management, and information sharing. Each pillar is underpinned by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that specify detailed implementation requirements.

ICT Risk Management: The Governance Requirements

DORA requires a complete ICT risk management framework with clear accountability at board level. Senior management bears ultimate responsibility for ICT risks and must be actively involved in their governance – not merely through formal approvals, but through demonstrable understanding of material risks. Training and regular risk briefings for leadership are mandatory, not optional.

The risk management framework must cover all phases of the ICT lifecycle: identification of dependencies and critical systems, protection measures and hardening, detection of anomalies, incident response, and recovery. Crisis communication plans – both internal and external – are as binding as the technical countermeasures.

A frequently underestimated element is the business impact analysis: DORA requires financial entities to classify their business processes by criticality and define specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical processes. These targets must be tested and updated regularly.

TLPT: Threat-Led Penetration Testing under DORA

Threat-Led Penetration Testing (TLPT) is the most demanding DORA requirement. Significant financial institutions must conduct a TLPT at least every three years – a realistic attack simulation based on current threat scenarios specifically tailored to the financial sector. DORA follows the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming) developed by the ECB.

A TLPT is not a standard penetration test. It begins with a threat intelligence phase: external providers analyse which attacker groups could realistically target the institution, and which tactics, techniques, and procedures (TTPs) these groups employ. Targeted attack scenarios are then developed from this intelligence and executed by the Red Team. The output is not a standard vulnerability report but a deep understanding of the real attack surface.

We coordinate TLPT programmes end-to-end: from scope definition and coordination with the competent authority, through selection of qualified threat intelligence and Red Team providers, to post-test remediation support. For organisations conducting TLPT for the first time, this coordination capability is as important as the technical execution.

Third-Party Risk Management: The Underestimated DORA Obligation

DORA places particular emphasis on ICT third-party risk management – and for good reason: most significant outages in the financial sector originate not in the organisation's own data centre but with external service providers. DORA requires financial entities to maintain a complete register of all ICT third-party providers, identify critical dependencies, and assess the risk level of each provider.

Contracts with critical ICT third-party providers must include DORA-specific clauses: exit strategies, audit rights, notification obligations for the provider's own security incidents, business continuity requirements, and governance of sub-outsourcing chains. Many existing IT contracts do not meet these requirements – careful contract review and, where necessary, renegotiation are needed.

For critical ICT third-party providers, DORA also creates direct supervision by European financial supervisory authorities (EBA, EIOPA, ESMA). Large cloud platforms that are systemically important for the European financial sector may be regulated directly. This changes the balance of power in negotiations and gives financial entities stronger leverage for contractual requirements.

What We Deliver

  • DORA gap analysis and compliance roadmap
  • ICT risk management framework and governance
  • Incident classification and reporting processes
  • TLPT preparation, coordination, and follow-up
  • ICT third-party register and contract review
  • Management training and board briefings

Key Outcomes

  • Full DORA compliance from January 2025
  • Clear governance structures for ICT risk
  • Stronger negotiating position with ICT providers
  • Regulatory confidence and supervisory trust

Related Tool

DORA Certificate Register

Manage your ICT third-party provider certificates and audit evidence in a structured register.

DORA Consultation

Discuss your DORA scope and implementation path with our specialists.

Get in Touch

Frequently Asked Questions

Does DORA apply to our organisation?

DORA applies to the full range of EU financial sector entities: banks, insurance companies, investment firms, payment service providers, credit institutions, investment funds, trading venues, central counterparties, trade repositories, and rating agencies. Critically, it also applies to ICT third-party providers that are deemed critical to the financial sector. If you provide ICT services to financial entities, you may be subject to oversight under DORA even if you are not a financial entity yourself.

How does DORA relate to existing frameworks like ISO 27001 or MaRisk/BAIT?

ISO 27001 and DORA share substantial common ground – risk management, incident handling, business continuity, and third-party security are all addressed by both. An ISO 27001 ISMS provides a strong foundation for DORA compliance. However, DORA goes further in specific areas: the TLPT requirement, the detailed ICT risk management framework structure, and the third-party register are DORA-specific elements that ISO 27001 does not cover directly. Organisations with MaRisk/BAIT compliance should not assume full DORA conformity without a gap analysis.

What is TLPT and which organisations must conduct it?

Threat-Led Penetration Testing (TLPT) is a DORA-mandated advanced security testing programme modelled on the ECB's TIBER-EU framework. It involves threat intelligence-led attack simulations conducted by qualified external Red Teams. TLPT applies to significant financial institutions – typically those identified as systemically important by national competent authorities. The test must be conducted every three years and covers live production systems. It is substantially more demanding than conventional penetration testing in scope, methodology, and the involvement of supervisory authorities.

What does the DORA ICT third-party provider register require?

DORA requires financial entities to maintain a complete register of all ICT third-party service providers, including: the services provided and their criticality classification, the data and processes supported, any sub-outsourcing chains, and the contractual arrangements in place. Critical ICT providers must be identified and subjected to enhanced due diligence. This register is a supervisory deliverable – regulators can request it as part of oversight activities.

What are the DORA incident reporting requirements?

DORA classifies ICT-related incidents as "major" or "significant" based on criteria including the number of clients affected, the duration of the outage, the geographic spread, and the data loss involved. Major incidents must be reported to the national competent authority within timelines defined in the RTS: an initial notification, a detailed intermediate report, and a final root-cause analysis report. Financial entities must also notify their clients when a major incident is likely to have a financial impact on them.

Get in Touch

DORA Compliance for Your Organisation

From gap analysis to full implementation – we support financial entities and ICT providers through every DORA requirement.