
DORA compliance, fully automated

The Digital Operational Resilience Act is now mandatory for EU financial entities. Matproof covers all five DORA pillars — from ICT risk management to the Art. 28 provider register.

Key Features

ICT Risk Management (Art. 5-16)

Automated risk registers with probability and impact scoring. Continuous monitoring and mitigation tracking aligned to DORA requirements.

Incident Reporting (Art. 17-23)

Log, classify, and report ICT incidents to BaFin in the required format. Auto-generate severity assessments and timeline reports.

Resilience Testing (Art. 24-27)

Track TLPT and resilience testing programs. Manage test schedules, findings, and remediation plans in one place.

Third-Party Risk (Art. 28-44)

Maintain the Art. 28 register of all ICT providers. AI-powered vendor assessments, contract tracking, and exit strategies.

Information Sharing (Art. 45)

Document threat intelligence sharing arrangements and comply with information exchange requirements between financial entities.

BaFin-Ready Reporting

Generate regulatory reports in the exact format BaFin expects. One click, no manual formatting.

Why Matproof

  • Covers all 5 DORA pillars in a single platform
  • BaFin reporting format built in
  • AI-generated DORA policies in German and English
  • 100% EU data residency (hosted in Germany)


What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA), formally known as EU Regulation 2022/2554, is a comprehensive regulatory framework designed to strengthen the digital operational resilience of the European financial sector. Adopted by the European Parliament in November 2022 and mandatory since January 17, 2025, DORA establishes uniform requirements to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.

DORA was introduced in response to the growing dependence of financial institutions on information and communication technology (ICT). As financial services become increasingly digitized, the potential impact of cyber incidents, system failures, and technology disruptions on financial stability has grown significantly. The regulation addresses the fragmented approach to ICT risk management that previously existed across EU member states by creating a single, harmonized framework.

Unlike many EU directives that require national transposition, DORA is a regulation that applies directly and uniformly across all EU member states. This means that financial entities in Germany, France, the Netherlands, and every other EU country must meet the exact same requirements. The regulation is complemented by a series of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (ESAs) — EBA, EIOPA, and ESMA.

DORA is structured around five core pillars that together create a comprehensive approach to digital operational resilience: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and information and intelligence sharing. Each pillar contains specific obligations that financial entities must implement, with proportionality applied based on the entity's size, risk profile, and the complexity of its ICT services.

Who Needs DORA Compliance?

DORA applies to approximately 22,000 financial entities across the European Union. The scope is deliberately broad to ensure comprehensive coverage of the financial ecosystem and its ICT dependencies. The following types of entities fall within DORA's scope:

Financial Entities

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers
  • Central securities depositories

ICT Service Providers

  • Cloud computing service providers
  • Software-as-a-Service (SaaS) providers
  • Data analytics and data center providers
  • Critical ICT third-party providers (CTPPs)
  • Managed security service providers
  • IT infrastructure and network providers

In Germany, the Federal Financial Supervisory Authority (BaFin) is the primary national competent authority responsible for supervising DORA compliance. BaFin works within the broader European supervisory framework alongside the ECB/SSM for significant institutions and the ESAs for regulatory technical standards. German financial entities already subject to BaFin requirements such as BAIT, VAIT, and KAIT will find significant overlap with DORA, though the EU regulation introduces additional requirements — particularly around resilience testing and third-party risk oversight.

DORA Key Requirements: The 5 Pillars in Detail

1. ICT Risk Management Framework (Articles 5-16)

Financial entities must establish and maintain a comprehensive ICT risk management framework as part of their overall risk management system. This includes identification of all ICT-supported business functions, classification of information assets, continuous risk assessments, and implementation of protection, detection, and response measures. The management body bears ultimate responsibility and must approve and regularly review the ICT risk management framework, allocate adequate budget, and stay informed about ICT risks.

2. ICT-Related Incident Management and Reporting (Articles 17-23)

DORA introduces a standardized framework for classifying, managing, and reporting ICT-related incidents. Financial entities must implement processes to detect, manage, and log incidents using criteria such as the number of clients affected, the duration, geographic spread, and criticality of services impacted. Major incidents must be reported to the competent authority using prescribed templates — an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.

3. Digital Operational Resilience Testing (Articles 24-27)

All in-scope financial entities must conduct regular testing of their ICT systems and tools. Basic testing (vulnerability assessments, network security reviews, gap analyses) must be performed at least annually. Significant financial entities must also undergo advanced testing through Threat-Led Penetration Testing (TLPT) at least every three years, carried out by qualified external testers following the TIBER-EU framework. TLPT tests must cover critical functions and services, and results must be shared with the competent authority.

4. ICT Third-Party Risk Management (Articles 28-44)

DORA imposes extensive obligations for managing risks arising from ICT third-party service providers. Financial entities must maintain a register of all contractual arrangements with ICT providers (the Register of Information under Article 28(3)), conduct thorough due diligence before onboarding, and include specific contractual provisions covering security, audit rights, data location, and exit strategies. Critical ICT Third-Party Providers (CTPPs) will be directly supervised by the ESAs through a dedicated oversight framework.

5. Information and Intelligence Sharing (Article 45)

DORA encourages financial entities to voluntarily exchange cyber threat information and intelligence among themselves. This includes indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and cybersecurity alerts. Information sharing must comply with data protection regulations and be conducted through trusted communities. While voluntary, participation in information-sharing arrangements is considered a best practice and may be viewed favorably by supervisors.

6. ICT Business Continuity Management

Financial entities must develop and maintain a comprehensive ICT business continuity policy and related disaster recovery plans. These must be tested at least annually and cover all critical functions and supporting ICT systems. The plans must include Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and entities must ensure they can switch to backup systems and restore operations within defined timeframes. Regular scenario-based exercises are required.

7. Governance and Management Body Responsibilities

DORA places explicit responsibility on the management body (board of directors or equivalent) for ICT risk management. Members must possess adequate knowledge of ICT risks, actively engage in setting the ICT risk management framework, and undergo specific training. The management body must define, approve, and oversee the implementation of the ICT risk strategy, including risk tolerance levels. Failure to fulfill these obligations can result in personal liability.

Penalties for DORA Non-Compliance

DORA establishes a robust enforcement regime with significant financial and personal consequences for non-compliance. National competent authorities — such as BaFin in Germany — have broad supervisory and investigative powers, including the ability to conduct on-site inspections, request information, and issue binding orders.

  • Up to EUR 10M, or 5% of total annual turnover, for financial entities (whichever is higher)
  • Up to EUR 5M for individuals in management positions who fail to ensure compliance
  • Periodic penalties: CTPPs face daily penalties of up to 1% of average daily worldwide turnover until compliance is restored
  • Personal liability: board members face individual accountability for compliance failures, including potential disqualification

Beyond financial penalties, non-compliance with DORA can lead to reputational damage, loss of operating licenses, increased supervisory scrutiny, and restrictions on business activities. Competent authorities can also publish findings of non-compliance, creating significant market consequences.

How to Get Started with DORA Compliance

Since DORA became mandatory on January 17, 2025, financial entities should be actively working toward full compliance. Below is a structured approach to achieving and maintaining DORA compliance:

  1. Gap Analysis and Scoping

     Assess your current ICT risk management practices against all DORA requirements. Identify gaps across the five pillars and prioritize remediation efforts based on risk and regulatory expectations. Map existing controls from BAIT, ISO 27001, or other frameworks to DORA requirements.

  2. ICT Risk Management Framework

     Establish or update your ICT risk management framework with documented policies, procedures, and controls. Define risk appetite, classification criteria, and assign clear roles and responsibilities. Ensure management body approval and oversight mechanisms are in place.

  3. Third-Party Register and Vendor Management

     Build and maintain the Register of Information (RoI) for all ICT third-party arrangements. Review and update contracts to include DORA-required provisions. Implement ongoing monitoring and due diligence processes for critical and important ICT providers.

  4. Incident Management and Reporting Setup

     Implement incident classification, escalation, and reporting procedures aligned with DORA's requirements. Establish communication channels with competent authorities and test reporting workflows. Ensure you can meet the 4-hour initial notification deadline for major incidents.

  5. Resilience Testing Program

     Design and implement a testing program that covers annual basic testing and — for significant entities — TLPT every three years. Select qualified testing providers and define testing scenarios covering critical functions. Document results and track remediation of identified vulnerabilities.

  6. Continuous Monitoring and Improvement

     Implement continuous monitoring of ICT risks, controls, and third-party providers. Regularly review and update your ICT risk management framework based on threat landscape changes, incident lessons learned, and regulatory guidance updates. Prepare for ongoing supervisory engagement and reporting obligations.

Frequently Asked Questions about DORA

What is the Digital Operational Resilience Act (DORA)?

DORA (EU Regulation 2022/2554) is a binding EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. It covers ICT risk management, incident reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. DORA has been mandatory since January 17, 2025.

Who needs to comply with DORA?

DORA applies to approximately 22,000 financial entities across the EU, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party service providers. It also covers cloud service providers, data analytics firms, and software vendors that serve these financial entities.

What are the penalties for DORA non-compliance?

Financial entities face administrative fines of up to EUR 10 million or 5% of total annual turnover, whichever is higher. For individuals, fines can reach EUR 5 million. Critical ICT third-party providers can be fined up to EUR 5 million, or EUR 500,000 for individuals. Additionally, board members face personal liability for compliance failures.

What is the difference between DORA and NIS2?

While both DORA and NIS2 address cybersecurity, DORA is specific to the financial sector and provides more detailed requirements for ICT risk management, resilience testing, and third-party risk management. NIS2 is broader and covers 18 sectors. For financial entities, DORA takes precedence as the sector-specific regulation (lex specialis).

How long does it take to become DORA compliant?

The timeline varies depending on your organization's maturity level. With an existing ISMS and compliance framework, DORA readiness can be achieved in 3-6 months. For organizations starting from scratch, expect 6-12 months. Matproof's automation platform can reduce these timelines by 50-70% through automated control mapping, evidence collection, and gap analysis.

What are the 5 pillars of DORA?

DORA is built on five pillars: (1) ICT risk management — establishing a comprehensive framework for identifying and mitigating ICT risks; (2) ICT-related incident reporting — standardized classification and reporting to regulators; (3) Digital operational resilience testing — including threat-led penetration testing (TLPT); (4) ICT third-party risk management — oversight of all ICT service providers; and (5) Information sharing — voluntary cyber threat intelligence sharing between financial entities.