Cyber Horizon
Tags: DORA, Financial Services, EU Regulation, Compliance

DORA Compliance Guide 2026: What Financial Firms Must Do Now

16 May 2026·10 min read·Cyber Horizon Team

DORA has applied since 17 January 2025

The Digital Operational Resilience Act entered into force on 16 January 2023 and has applied to over 22,000 financial entities across the EU since 17 January 2025. Non-compliance risks supervisory action, fines, and reputational damage. If you haven't started your DORA programme, you need to start now.

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, fundamentally changes how financial institutions manage ICT risk. Unlike previous guidance, which was largely principles-based, DORA is prescriptive, directly applicable as a Regulation, and enforced by national competent authorities (NCAs) across all EU member states.

This guide covers everything compliance, risk, and IT teams at banks, insurers, investment firms, payment institutions, and crypto-asset service providers need to understand and implement.

Who Does DORA Apply To?

DORA applies to a broad range of financial entities, including:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs)
  • Central securities depositories and trading venues

Separately, ICT third-party providers designated as "critical" (CTPPs) by the European Supervisory Authorities (ESAs) fall under DORA's oversight framework in Chapter V, Section II, even where those providers are based outside the EU. CTPPs are not financial entities, but they are supervised directly by the ESAs as lead overseers.

The Five Pillars of DORA

01. ICT Risk Management

Chapter II of DORA (Articles 5 to 16) requires financial entities to implement a comprehensive ICT risk management framework. This must include: a governance structure with clear accountability at management-body level; a digital operational resilience strategy with a stated ICT risk tolerance level; identification and classification of ICT assets and the business functions they support; threat and vulnerability monitoring; and business continuity and disaster recovery plans proportionate to the criticality of the functions concerned.

Checklist:

  • ICT asset register with criticality classification
  • Annual ICT risk assessment
  • Board-approved ICT risk tolerance and appetite
  • Detection and response capabilities
  • BCP/DR plans tested annually
02. ICT-Related Incident Reporting

Articles 17 to 23 establish mandatory reporting of major ICT-related incidents to the NCA. The tiered structure, detailed in the ESAs' technical standards, requires an initial notification within 4 hours of classifying an incident as major and no later than 24 hours after the entity becomes aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Whether an incident is major is determined using the Article 18 criteria: clients and financial counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact.

Checklist:

  • Incident classification framework aligned to DORA criteria
  • Reporting workflow to your NCA
  • 4-hour initial notification capability
  • Post-incident root cause analysis process
  • Incident register maintained for 5 years
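The timeline rule above has an edge case teams miss: the 24-hour bound from awareness can fall earlier than "classification plus 4 hours" when classification is slow. The following deadline calculator is an added example, not Cyber Horizon's code, and it assumes that later deadlines chain from the actual submission time when known (otherwise from the preceding deadline) and that "one month" is counted as a calendar month with the day clamped to the target month's last day; confirm both conventions with your NCA.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(ts: datetime) -> datetime:
    """Same clock time one calendar month later.

    Assumption: 'one month' is a calendar month, with the day clamped to the
    last day of the target month, so 31 January rolls to 28 (or 29) February
    rather than overflowing into March.
    """
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime                   # initial notification due
    initial_capped_by_awareness: bool   # True when the 24h-from-awareness bound binds
    intermediate: datetime              # intermediate report due
    final: datetime                     # final report due


def dora_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_submitted_at: Optional[datetime] = None,
    intermediate_submitted_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Initial: within 4h of classification and no later than 24h after awareness.
    Intermediate: within 72h of the initial notification.
    Final: within one month of the intermediate report.
    All timestamps must be timezone-aware.
    """
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    four_hours = classified_at + timedelta(hours=4)
    twenty_four_hours = aware_at + timedelta(hours=24)
    initial = min(four_hours, twenty_four_hours)
    initial_ref = initial_submitted_at or initial
    intermediate = initial_ref + timedelta(hours=72)
    intermediate_ref = intermediate_submitted_at or intermediate
    return ReportingDeadlines(
        initial=initial,
        initial_capped_by_awareness=twenty_four_hours < four_hours,
        intermediate=intermediate,
        final=add_one_month(intermediate_ref),
    )


def deadlines_iso(aware_iso: str, classified_iso: str,
                  initial_iso: Optional[str] = None,
                  intermediate_iso: Optional[str] = None) -> dict:
    """Convenience wrapper taking and returning ISO-8601 strings (e.g. from a ticketing system)."""
    parse = lambda s: datetime.fromisoformat(s) if s else None
    d = dora_deadlines(parse(aware_iso), parse(classified_iso), parse(initial_iso), parse(intermediate_iso))
    return {
        "initial": d.initial.isoformat(),
        "initial_capped_by_awareness": d.initial_capped_by_awareness,
        "intermediate": d.intermediate.isoformat(),
        "final": d.final.isoformat(),
    }


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed scenario: aware at 09:00, classified major 22.5 hours later,
    # so the 24-hour awareness cap binds and the initial deadline is earlier
    # than "classification + 4h".
    d = dora_deadlines(datetime(2026, 3, 2, 9, tzinfo=utc), datetime(2026, 3, 3, 7, 30, tzinfo=utc))
    for name, when in (("initial", d.initial), ("intermediate", d.intermediate), ("final", d.final)):
        print(f"{name:12s} due {when.isoformat()}")
    print("24h awareness cap binding:", d.initial_capped_by_awareness)
```

Feed it the awareness and classification timestamps from your incident record as soon as an incident is classified as major; the `initial_capped_by_awareness` flag is the one to alert on, since it means the notification clock was already running before classification finished.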
03. Digital Operational Resilience Testing

Chapter IV requires a proportionate, risk-based testing programme. Under Articles 24 and 25, ICT systems and applications supporting critical or important functions must be tested at least yearly using tools such as vulnerability assessments and scans, network security assessments, gap analyses, scenario-based tests and penetration testing. Entities identified by their competent authority as significant must additionally carry out Threat-Led Penetration Testing (TLPT) at least every three years on live production systems (Article 26). The TLPT regulatory technical standard is built on the TIBER-EU framework; testers must meet the suitability requirements of Article 27, and internal testers may be used only with supervisory approval, with external testers engaged at least every third test.

Checklist:

  • Annual basic resilience testing programme
  • TLPT at least every 3 years (significant entities)
  • Testing scope covers critical systems and functions
  • Red team exercises using threat intelligence
  • Findings remediation tracked and evidenced
04. ICT Third-Party Risk Management

Chapter V is arguably the most complex pillar. Financial entities must maintain a register of information covering all contractual arrangements with ICT third-party providers (Article 28), conduct pre-contract due diligence, assess ICT concentration risk (Article 29), and include the mandatory contractual provisions of Article 30. Contracts supporting critical or important functions must include clauses covering service levels, ICT security measures, business continuity participation, incident support, unrestricted audit and access rights, and exit strategies. Section II of the chapter (Articles 31 to 44) is the separate oversight framework for CTPPs.

Checklist:

  • Complete ICT third-party register
  • Pre-contract due diligence assessments
  • DORA-compliant contract clauses
  • Ongoing third-party monitoring programme
  • Concentration risk analysis
  • Exit strategies for critical providers
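Concentration risk and exit-strategy gaps fall out of the register mechanically once it is complete. The following check is an added example, not Cyber Horizon's code or the ESAs' register template: the `Engagement` schema, the sample register and the threshold of three critical or important functions per provider are all constructed assumptions, and the threshold should be set from your own risk appetite.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Engagement:
    """One row of a simplified ICT third-party register (constructed schema)."""
    provider: str                    # ICT third-party provider
    function: str                    # business function the service supports
    supports_critical_function: bool # is that function critical or important?
    exit_strategy_documented: bool   # documented and tested exit strategy on file


@dataclass(frozen=True)
class Finding:
    code: str     # CONCENTRATION | SINGLE_PROVIDER | NO_EXIT_STRATEGY
    subject: str  # provider or function the finding is about
    detail: str


def concentration_findings(register: List[Engagement],
                           max_functions_per_provider: int = 3) -> List[Finding]:
    """Flag (1) providers supporting more critical functions than the threshold,
    (2) critical functions with no alternative provider, and (3) critical
    engagements lacking a documented exit strategy. Only engagements that
    support critical or important functions are considered.
    """
    funcs_by_provider = defaultdict(set)
    providers_by_func = defaultdict(set)
    for e in register:
        if not e.supports_critical_function:
            continue
        funcs_by_provider[e.provider].add(e.function)
        providers_by_func[e.function].add(e.provider)

    findings: List[Finding] = []
    for provider, funcs in sorted(funcs_by_provider.items()):
        if len(funcs) > max_functions_per_provider:
            findings.append(Finding(
                "CONCENTRATION", provider,
                f"supports {len(funcs)} critical or important functions: {', '.join(sorted(funcs))}"))
    for func, providers in sorted(providers_by_func.items()):
        if len(providers) == 1:
            findings.append(Finding(
                "SINGLE_PROVIDER", func,
                f"no alternative provider; depends solely on {next(iter(providers))}"))
    for e in sorted(register, key=lambda e: (e.provider, e.function)):
        if e.supports_critical_function and not e.exit_strategy_documented:
            findings.append(Finding(
                "NO_EXIT_STRATEGY", e.provider,
                f"no documented exit strategy for {e.function}"))
    return findings


# Constructed sample register: one dominant cloud provider, one hosting
# provider that doubles up on two functions, one non-critical mail provider.
SAMPLE_REGISTER = [
    Engagement("CloudCo", "payments-core", True, True),
    Engagement("CloudCo", "settlement", True, True),
    Engagement("CloudCo", "customer-portal", True, True),
    Engagement("CloudCo", "data-warehouse", True, True),
    Engagement("HostCo", "customer-portal", True, False),
    Engagement("HostCo", "payments-core", True, True),
    Engagement("MailCo", "marketing-email", False, True),
]

if __name__ == "__main__":
    for f in concentration_findings(SAMPLE_REGISTER):
        print(f"{f.code:17s} {f.subject:15s} {f.detail}")
```

Run against the real register export, the three finding codes map directly onto the checklist above: CONCENTRATION feeds the concentration risk analysis, SINGLE_PROVIDER identifies where substitutability must be assessed, and NO_EXIT_STRATEGY lists the critical providers still missing an exit plan.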
05. Information Sharing

Article 45 permits financial entities to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and security alerts, with sector peers through trusted arrangements, provided the exchange protects sensitive information and complies with competition and data protection law. Participation is voluntary, but entities must notify their competent authority when they join or leave such an arrangement. Sharing in this way helps the broader financial ecosystem identify and respond to emerging threats.

Checklist:

  • Participation in an ISAC or equivalent sharing group, notified to the NCA
  • Threat intelligence sharing policy
  • Anonymisation process for shared data

DORA Implementation Roadmap

For firms still building their DORA programme, prioritise in this order:

Phase 1 — Weeks 1-4

  • Gap assessment against DORA requirements
  • Board briefing and accountability assignment
  • ICT asset inventory and classification

Phase 2 — Weeks 5-12

  • ICT risk framework documentation
  • Incident classification and reporting procedures
  • Third-party register and contract review

Phase 3 — Months 3-6

  • Basic testing programme implementation
  • BCP/DR plan development and testing
  • NCA notification channel established

Phase 4 — Ongoing

  • Annual testing cycles
  • Continuous third-party monitoring
  • Threat intelligence sharing participation

How Cyber Horizon Supports DORA

Cyber Horizon maps all five DORA pillars directly into your GRC programme. Our platform provides ICT asset registers, incident management workflows with the correct reporting timelines, third-party risk assessments with DORA-specific contract checklists, BCP/DR planning tools, and evidence collection for testing activities — all aligned to the regulatory technical standards (RTS) published by the ESAs.

Ready to get DORA-compliant?

Cyber Horizon pre-maps DORA requirements to your controls, automates evidence collection, and provides the incident reporting workflows your team needs. Book a demo to see how.

Book a Demo