Blog

DORA Audit: Digital Operational Resilience for Financial Entities

Understanding the EU Digital Operational Resilience Act and how financial sector organisations can prepare for DORA compliance.

← Back to Blog
Published 14 May 2026 · BCERT Editorial Team · 8 min read

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, became applicable on 17 January 2025. It is the EU's comprehensive framework for digital operational resilience in the financial sector, addressing a long-standing gap in EU financial services regulation: the inconsistent and fragmented approach to ICT risk management across different types of financial entity. DORA establishes uniform requirements for ICT risk management, incident reporting, operational resilience testing, and third-party ICT risk — and applies directly across all EU member states without the need for national transposition.

Who Is In Scope?

DORA applies to a wide range of financial entities regulated in the EU, including:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and trading venues
  • Central securities depositories and central counterparties
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Crypto-asset service providers (CASPs) authorised under MiCA
  • Crowdfunding service providers
  • Management companies (UCITS, AIFMs)
  • Critical ICT third-party service providers (CTTPSs) — designated by the European Supervisory Authorities

Proportionality applies: microenterprises and small financial entities benefit from simplified requirements in certain areas, though core obligations remain.

ICT Risk Management Framework

DORA requires financial entities to maintain a comprehensive ICT risk management framework (Articles 5–16). Key requirements include:

  • Governance: Management body accountability for ICT risk, with clear roles and responsibilities defined. The management body must have sufficient knowledge to understand and challenge ICT risk reporting.
  • ICT risk identification: Maintaining a complete, classified inventory of ICT assets (hardware, software, data, third-party services) and mapping dependencies.
  • Protection and prevention: Implementing technical and organisational measures including network segmentation, patch management, data integrity controls, and encryption of data in transit and at rest.
  • Detection: Establishing anomaly detection mechanisms and monitoring capabilities to identify ICT-related incidents promptly.
  • Response and recovery: Documented BCM and ICT disaster recovery plans with defined RTOs and RPOs tested at least annually.
  • Learning and evolving: Post-incident reviews, threat intelligence gathering, and regular updates to the ICT risk framework.

Incident Reporting and TLPT

Incident reporting: DORA introduces harmonised ICT-related incident reporting to competent authorities. Major ICT-related incidents must be reported using standardised templates within defined timelines: initial notification (within 4 hours of classifying as major, no later than 24 hours after becoming aware), intermediate report (within 72 hours), and final report (within one month). Significant cyber threats — even those that do not materialise into incidents — must also be notified on a voluntary basis.

Digital Operational Resilience Testing (DORA Article 24–27): Financial entities must conduct a programme of ICT testing. All in-scope entities must conduct basic testing (vulnerability assessments, scenario-based testing, network security testing) at least annually. Significant financial entities — those identified as systemically important — must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT is a sophisticated red team exercise based on actual threat intelligence, conducted by accredited testers using the TIBER-EU framework.

Third-Party ICT Risk

One of DORA's most significant innovations is its treatment of ICT third-party risk (Articles 28–44). Financial entities must:

  • Maintain a complete register of all ICT third-party service providers
  • Assess and classify contractual arrangements by criticality
  • Include mandatory contractual provisions in agreements with ICT providers — covering audit rights, SLAs, data security, business continuity, and exit strategies
  • Conduct regular monitoring and risk assessment of critical ICT providers

The most critical cloud and technology providers to the financial sector are designated as Critical Third-Party Providers (CTTPSs) and subject to direct oversight by the European Supervisory Authorities (ESAs) — a significant expansion of regulatory reach into the technology supply chain.

A DORA audit examines the completeness and effectiveness of your ICT risk management framework, incident classification and reporting procedures, resilience testing programme, and third-party risk management arrangements — providing assurance to your board, regulators, and counterparties.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to discuss DORA compliance.

Request an Audit →