February 18, 2025

Who needs to comply with DORA? All your questions answered

Written by
Vanta


The Digital Operational Resilience Act (DORA) was developed to protect the financial sector, which is particularly vulnerable to cyberattacks. According to the IMF’s 2024 Global Financial Stability Report, the number of cyberattacks has progressively increased since 2004, and nearly 20% of these attempts target financial institutions. DORA is the European Union (EU) regulation intended to improve the cybersecurity and operational resilience of organizations in the financial sector.

While DORA is mostly relevant to institutions offering financial services in the EU, many critical third-party organizations also fall within its scope. In this guide, we’ll discuss the far-reaching impact of this regulation and clarify its scope. Specifically, you’ll find answers to these key questions:

  • Who needs to comply with DORA—and by when?
  • What are the potential consequences of non-compliance?
  • How do you achieve DORA compliance?

DORA at a glance

DORA is an EU regulation designed to strengthen the financial sector—which includes financial entities and their critical third-party information and communications technology (ICT) service providers—and help them manage, respond to, and recover from cyber and operational risks. It offers a robust risk management framework drawing from popular frameworks like ISO 27001 and NIST CSF. You can expect to comply with well-defined, technical rules for:

DORA aims to establish uniform rules for ICT risk management and improve the resilience of the EU's financial ecosystem in the process. Before DORA, each EU jurisdiction had disparate and often generic regulations, which resulted in risk management gaps and conflicts. DORA eliminates these complexities by providing a harmonized set of all-inclusive best practices for financial entities to follow.


Who must comply with DORA?

DORA’s compliance scope is defined with the stability and resilience of the EU's supply chain in mind. Historically, malicious actors have been known to infiltrate an organization by exploiting cybersecurity vulnerabilities and other technological dependencies within its third-party network. DORA addresses this risk by making it mandatory for all in-scope entities, including critical third parties of financial entities, to abide by its comprehensive cybersecurity framework.

As of January 2025, Article 2 of the DORA regulation specifies the following 21 categories of in-scope entities: 

  1. Credit institutions
  2. Payment institutions, including those exempted under the Directive (EU) 2015/2366
  3. Account information service providers
  4. All electronic money institutions
  5. Investment firms
  6. Crypto asset service providers
  7. Central securities depositories
  8. Central counterparties
  9. Trading venues
  10. Trade repositories
  11. Alternative investment fund managers
  12. Management companies
  13. Data reporting service providers
  14. Insurance and reinsurance undertakings
  15. Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
  16. Institutions for occupational retirement provision
  17. Credit rating agencies
  18. Administrators of critical benchmarks
  19. Crowdfunding service providers
  20. Securitization repositories
  21. ICT third-party service providers

To add more context to the above, DORA directly applies to all entities providing financial services in any capacity in the EU. This includes financial institutions, investment funds, financial vehicle corporations (FVCs), pension funds, insurance corporations, and payment statistics relevant institutions (PSRIs) as defined in the European Central Bank’s directory.

As for the final entity category, ICT third-party service providers (ICT TPSPs), the regulation applies to them indirectly, through the in-scope financial entities they serve. ICT TPSPs include software vendors, cloud service providers, data analytics firms, and managed service providers (MSPs). For example, a cybersecurity firm or a cloud service provider that works with a bank in the EU and has access to customer financial records would be considered an ICT TPSP within DORA’s scope. You can refer to Article 31 to understand the complete scope of these entities.

ICT TPSPs must comply with specific oversight requirements, such as:

  • Cooperating with the financial entity for regular resilience testing
  • Notifying the entity about ICT-related incidents, disruptions, etc.
  • Maintaining business continuity plans
  • Complying with other EU privacy and confidentiality requirements as necessary

Who is exempt from DORA?

DORA excludes some financial entities from its scope due to their relatively small size, the non-critical nature of their operations, and their limited ICT risk exposure. Here’s a complete list of exempt entities, as detailed in Article 2 of the DORA regulation:

  1. Managers of alternative investment funds referred to in Article 3(2) of Directive 2011/61/EU
  2. Small insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC
  3. Institutions for occupational retirement provision operating pension schemes that have fewer than 15 members
  4. Natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (Markets in Financial Instruments Directive, MiFID II)
  5. Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries, which are microenterprises or small- or medium-sized enterprises
  6. Post office giro institutions as mentioned in Article 2(5) of Directive 2013/36/EU

Additionally, Member States may exclude certain entities from DORA’s scope, provided they notify the Commission and make the decision publicly known.

Even if your organization is exempt from DORA, implementing the act’s standards can still benefit you if you’re looking to:

What's the deadline for DORA compliance?

DORA came into effect on January 16, 2023, but the deadline for compliance was set for January 17, 2025.

The compliance deadline marks the commencement of oversight activities, which are carried out by the European Supervisory Authorities (ESAs) in close coordination with the competent authorities defined under Article 46 of the act.

The oversight process first involves competent authorities designating TPSPs as critical or non-critical depending on the nature of technical support they provide to in-scope financial entities. Once the ESAs have a register of critical TPSPs (the deadline set for April 30, 2025), they’ll begin the subsequent supervision processes.


What are the consequences of non-compliance with DORA?

Because DORA is a mandatory regulation, non-compliance can have significant repercussions, both financial and reputational, for in-scope financial entities and TPSPs. The Member States have the authority to specify administrative penalties or remedial measures for breaches within their jurisdiction.

The following gives an estimate of potential penalties:

Penalties for financial entities
  • Up to 2% of the entity’s total annual worldwide turnover—or 1% of its average daily worldwide turnover
  • Up to €1,000,000 for individual non-compliance

Penalties for TPSPs
  • Up to €500,000 for entities (companies designated as critical TPSPs)
  • Up to €500,000 for individual TPSPs

In addition to penalties, non-compliant entities may face public reprimands from competent authorities as well as operational and business restrictions. DORA also authorizes competent authorities to take legal action against senior executives in non-compliant organizations. The outcomes of these lawsuits may vary depending on the jurisdiction.

4 steps to DORA compliance

Here’s what you need to do to become DORA compliant: 

  1. Understand the framework’s pillars
  2. Perform a gap analysis
  3. Implement the missing controls
  4. Perform a self-attestation

Step 1: Understand the framework’s pillars

The first step to achieving DORA compliance is going through its five foundational pillars, namely:

  • ICT risk management
  • ICT third-party risk management
  • Digital operational resilience testing
  • Management, reporting, and classification of ICT-related incidents
  • Information sharing (optional but key to achieving full compliance)

You should consult your IT and compliance teams and develop the protocols, policies, and systems you must implement to adhere to DORA. You’ll benefit from having a comprehensive compliance checklist here. 


Step 2: Perform a gap analysis

Next, review your organization’s existing ICT risk management practices by conducting security reviews, risk assessments, and IT infrastructure audits. The goal is to identify and document any gaps to inform the next steps.

Step 3: Implement the missing controls

Your gap analysis may reveal missing or outdated controls or other tasks like updating policies or deploying new technology. Create a documented plan for implementing them, ideally defining:

  • Task owners and responsibilities
  • Implementation timeline
  • Key performance indicators (KPIs) for tracking progress

Additionally, you should establish regular progress reporting intervals for everyone involved.

Step 4: Perform a self-attestation

There is not yet an official third-party certification process for DORA. To demonstrate compliance, you’ll need to create a self-attestation document and have it validated and signed by a senior executive or compliance officer.

Your compliance efforts don’t end with self-attestation—you’ll have to plan for ongoing monitoring to maintain compliance and accommodate any new DORA updates.

Get DORA-compliant faster with Vanta

With DORA compliance becoming mandatory, many organizations have to expedite their security and control review workflows and map the potential compliance tasks. The process comes with its fair share of complexities that can overwhelm compliance teams—and that’s where you could use a reliable trust and compliance management platform like Vanta. 

Vanta offers a dedicated DORA product that is automatically mapped to the regulation’s requirements. It can automate the compliance workflows for your team considerably with features like:

With Vanta, you can prepare for compliance faster (often within six to ten weeks, depending on your program maturity) and move toward self-attestation. The platform also offers compliance frameworks for 35+ other regulations and standards, which helps streamline your security workflows at any scale.

You can schedule a demo to get a practical walkthrough of how Vanta can support your team.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
