Compliance Briefing — December 27, 2022

Regulation (EU) 2022/2554 (DORA) was published in the Official Journal on 27 December 2022 and enters into force on 16 January 2023, giving financial entities until 17 January 2025 to operationalise ICT risk governance, incident reporting, resilience testing, and third-party oversight under a single EU rulebook.

Executive briefing: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) was published in the Official Journal of the European Union (L 333) on 27 December 2022 and enters into force twenty days later, on 16 January 2023. Financial entities then have two years to embed uniform ICT risk management, incident reporting, resilience testing, and third-party oversight standards before the regulation applies from 17 January 2025.

Scope and supervisory expectations

DORA covers credit institutions, payment and e-money institutions, investment firms, insurers, reinsurers, credit rating agencies, central securities depositories, CCPs, trading venues, crowdfunding platforms, and crypto-asset service providers, among others. ICT third-party service providers designated as critical will be directly overseen by one of the European Supervisory Authorities (EBA, ESMA, or EIOPA) acting as Lead Overseer under the new oversight framework.

The ESAs will draft regulatory technical standards (RTS) and implementing technical standards (ITS) for adoption by the European Commission throughout 2023–2024, and national competent authorities will supervise their application. Firms must track consultations from the EBA, ESMA, and EIOPA on risk management, incident classification, reporting templates, and threat-led penetration testing (TLPT) methodology to stay aligned.

ICT risk management framework

Articles 5–15 require institutions to adopt an ICT risk management framework that includes governance, risk identification, protection and prevention, detection, response, and recovery. Boards must approve the strategy, allocate roles, and review performance annually. Key expectations include:

  • Governance. Appoint accountable executives for ICT risk, define reporting lines, and integrate digital resilience into the overall risk management framework.
  • Asset management. Maintain inventories of information assets, business services, and supporting ICT components. Map dependencies to identify concentration risks and single points of failure.
  • Prevention. Implement layered security controls (identity and access management, network segmentation, secure development practices) and align them with sectoral guidance such as the EBA’s ICT and security risk management guidelines.
  • Response and recovery. Maintain documented procedures, communication plans, and backup strategies; run exercises to validate recovery time and recovery point objectives (RTO/RPO).

Firms should build integrated registers that tie business processes to ICT assets, responsible teams, risk assessments, and control testing frequencies. Evidence repositories must include configuration baselines, vulnerability management metrics, and change management records.

Incident reporting obligations

DORA harmonises major ICT-related incident reporting across the EU. Entities must establish processes to classify incidents against the criteria in Article 18 (as further specified by ESA technical standards), notify the competent authority without undue delay (initial notification), provide an intermediate report, and file a final report with root-cause analysis, impact assessment, and remediation steps. Significant cyber threats that could affect the entity, its clients, or counterparties may additionally be notified to the competent authority on a voluntary basis.

To prepare, institutions should test incident escalation playbooks that align DORA timelines with existing obligations (such as PSD2, GDPR, NIS2, and local central bank rules). Deploy automated telemetry to capture event timestamps, affected services, customer impacts, and mitigation actions. Legal and compliance teams need matrices showing which authorities receive which report, by what channel, and within what timeframe.

Digital operational resilience testing

Articles 24–27 require a proportionate testing programme covering vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, source code reviews where feasible, and scenario-based and penetration tests. Entities identified by their competent authority on the basis of impact, systemic character, and ICT risk profile must additionally perform advanced threat-led penetration testing (TLPT) at least every three years, drawing on frameworks such as TIBER-EU.

Firms should create a multi-year testing strategy that sequences control validation across critical business services. Testing should link to service-level tolerances and demonstrate that cyber, technology, and operations teams collaborate. Document scoping, rules of engagement, red-team techniques, remediation tickets, and retesting evidence. Where TLPT uses external providers, ensure contracts cover independence, data handling, and regulator access to results.

ICT third-party risk management

DORA introduces stringent oversight of ICT third-party service providers. Financial entities must maintain a register of information on all contractual arrangements for ICT services (Article 28), assess ICT concentration risk before contracting (Article 29), and include minimum contractual clauses covering availability, integrity, data protection, audit and access rights, subcontracting conditions, and termination and exit assistance (Article 30).

Organisations should refresh procurement policies to align with Articles 28–30, and anticipate the oversight framework for critical providers in Articles 31–44. Contract negotiation playbooks should include regulatory reporting rights, on-site inspection rights for supervisors, and requirements to cooperate during incident investigations. Implement continuous monitoring of supplier performance (uptime, incident response, penetration test results) and link metrics to risk appetite statements. For cloud providers, align DORA controls with the EBA Guidelines on outsourcing arrangements and national outsourcing rules.
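The dependency mapping called for under the ICT risk management framework (tying business services to ICT components and identifying concentration risk and single points of failure) and the register of information described in this section can be analysed together once the register is held as structured data. The Python below is an added example written for this briefing, not code from any regulator, vendor, or product. The register fields, the sample arrangements, and the 50% concentration threshold are illustrative assumptions; a real implementation would read the firm's register of information rather than an inline list, and the threshold is a risk-appetite decision for the firm.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    """One row of a (simplified, assumed) register of ICT arrangements."""
    service: str         # business service or function supported
    component: str       # ICT component or service type consumed
    provider: str        # ICT third-party provider, or "internal"
    critical: bool       # supports a critical or important function
    substitutable: bool  # a tested alternative can take over this arrangement


# Constructed sample register; these are not real firms or contracts.
REGISTER = [
    Arrangement("payments", "core-banking", "internal", True, False),
    Arrangement("payments", "cloud-hosting", "CloudCo", True, False),
    Arrangement("trading", "cloud-hosting", "CloudCo", True, False),
    Arrangement("trading", "market-data", "DataVendorA", True, True),
    Arrangement("trading", "market-data", "DataVendorB", True, True),
    Arrangement("customer-portal", "cloud-hosting", "CloudCo", True, False),
    Arrangement("customer-portal", "cdn", "EdgeCo", True, True),
    Arrangement("hr-payroll", "saas-payroll", "PayCo", False, False),
]


def single_points_of_failure(register):
    """Return (service, component, provider) triples where a critical service
    depends on a single provider for a component and no tested substitute exists.
    Internal components count too: a single point of failure need not be a vendor."""
    groups = defaultdict(list)
    for arr in register:
        if arr.critical:
            groups[(arr.service, arr.component)].append(arr)
    spofs = []
    for (service, component), arrs in sorted(groups.items()):
        providers = {a.provider for a in arrs}
        if len(providers) == 1 and not any(a.substitutable for a in arrs):
            spofs.append((service, component, providers.pop()))
    return spofs


def provider_concentration(register, threshold=0.5):
    """Share of critical services each provider supports, returning only
    providers at or above `threshold` (an assumed risk-appetite figure)."""
    critical_services = {a.service for a in register if a.critical}
    if not critical_services:
        return {}
    supported = defaultdict(set)
    for arr in register:
        if arr.critical:
            supported[arr.provider].add(arr.service)
    shares = {p: len(s) / len(critical_services) for p, s in supported.items()}
    return {p: round(sh, 2) for p, sh in sorted(shares.items()) if sh >= threshold}


if __name__ == "__main__":
    for spof in single_points_of_failure(REGISTER):
        print("single point of failure:", spof)
    for provider, share in provider_concentration(REGISTER).items():
        print(f"concentration: {provider} supports {share:.0%} of critical services")
```

On the sample data the hosting provider appears under every critical service and also as a non-substitutable dependency of three of them, which is exactly the combination (concentration plus no exit path) that the contractual and exit-strategy work in this section is meant to address. The non-critical payroll arrangement is excluded from both measures, so classification of critical or important functions must be correct before this analysis is meaningful.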

Oversight of critical ICT providers

Critical ICT third parties will face direct supervision by the ESAs via Lead Overseers empowered to perform inspections, request information, and issue recommendations. Financial institutions should anticipate increased due diligence demands from cloud and SaaS providers as they respond to oversight actions. Maintain records of supplier attestations, regulatory correspondence, and remediation commitments.

Implementation roadmap for 2023–2024

  1. Programme mobilisation. Establish a DORA steering committee with board sponsorship, cross-functional membership (CIO, CISO, COO, CRO, procurement, legal), and a dedicated PMO. Approve budgets for tooling, testing, and training.
  2. Gap assessment. Map current frameworks against DORA requirements, referencing EBA/ESMA/EIOPA guidelines, ECB cyber resilience expectations, and national regulations. Prioritise remediations based on business criticality and interdependencies.
  3. Control enhancement. Update policies, technical standards, and procedures. Implement automated discovery of ICT assets, strengthen logging and monitoring, and integrate cyber exercises into business continuity programmes.
  4. Testing cadence. Build a calendar covering annual vulnerability assessments, semi-annual crisis simulations, and TLPT where required. Track findings to closure and report metrics to senior management.
  5. Third-party governance. Refresh outsourcing inventories, risk assessments, and contract templates. Engage key vendors to review clause updates, exit strategies, and joint incident drills.
  6. Training and culture. Deliver role-based training for executives, engineers, and operations staff; incorporate DORA requirements into onboarding and supplier briefings. Run tabletop exercises that test decision-making and regulatory communications.
  7. Regulatory liaison. Monitor ESA consultations and national competent authority guidance. Maintain a document repository with programme artefacts, policies, and test results ready for supervisory review.

Outcome metrics and assurance

Boards and risk committees should receive dashboards showing metrics such as mean time to detect/respond (MTTD/MTTR), percentage of critical or important functions with defined ICT risk tolerance levels, TLPT coverage, outstanding high-risk vulnerabilities, and third-party risk ratings. Internal audit and second-line functions must provide assurance over programme design and effectiveness. Evidence should include control testing results, remediation tracking, lessons learned from incidents, and validation that the register of information is complete and accurate.

External auditors and regulators may request proof of data integrity, system availability, and incident management. Maintain immutable logs, tamper-evident audit trails, and change-control records. Leverage compliance automation platforms to map DORA controls to related frameworks (ISO/IEC 27001, NIST CSF, CPMI-IOSCO cyber guidance) to streamline reporting.
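A hash-chained log is one way to make the audit trails mentioned above tamper-evident. The Python below is an added example for this briefing, not part of the regulation, the original page, or any product; the change-control records are constructed samples. Each entry binds the previous entry's hash into its own, so editing a record, re-hashing it, rewriting every later entry, or truncating the log can all be detected, but only if the latest hash (the head) is anchored somewhere the log writer cannot alter, such as WORM storage, a regulator submission, or a signed periodic attestation. That external anchor is an assumption the verifier takes as an input.

```python
import copy
import hashlib
import json


def link_hash(prev_hash: str, record: dict) -> str:
    """Hash of one link: the previous hash bound to the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # fixed starting value for the first link

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "record": record,
                 "hash": link_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else self.GENESIS


def first_broken_link(entries, expected_head=None):
    """Return the index of the first inconsistent entry, len(entries) if the
    chain is self-consistent but does not end at the anchored head, or None
    if everything checks out."""
    prev = AuditTrail.GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != link_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


# Constructed sample change-control events; not real systems or users.
SAMPLE_RECORDS = [
    {"ts": "2023-03-01T09:14:00Z", "actor": "svc-deploy", "event": "change_approved", "change_id": "CHG-1042"},
    {"ts": "2023-03-01T09:20:31Z", "actor": "svc-deploy", "event": "config_applied", "target": "fw-core-01"},
    {"ts": "2023-03-01T09:21:02Z", "actor": "j.doe", "event": "login", "result": "success"},
]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for record in SAMPLE_RECORDS:
        trail.append(record)
    return trail


def tamper_scenarios() -> dict:
    """Run the verifier against an intact chain and four tampering patterns.
    Returns the first detected inconsistency per scenario."""
    trail = build_sample_trail()
    anchored_head = trail.head()  # assumption: stored out of the log writer's reach
    results = {"intact": first_broken_link(trail.entries, anchored_head)}

    # 1. Edit a record without touching its hash: that link fails.
    edited = copy.deepcopy(trail.entries)
    edited[1]["record"]["target"] = "fw-core-02"
    results["edited_record"] = first_broken_link(edited, anchored_head)

    # 2. Edit and recompute that entry's hash: the next entry's prev no longer matches.
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = link_hash(rehashed[1]["prev"], rehashed[1]["record"])
    results["edited_and_rehashed"] = first_broken_link(rehashed, anchored_head)

    # 3. Rewrite every later link as well: only the anchored head exposes it.
    rewritten = copy.deepcopy(rehashed)
    for i in range(2, len(rewritten)):
        rewritten[i]["prev"] = rewritten[i - 1]["hash"]
        rewritten[i]["hash"] = link_hash(rewritten[i]["prev"], rewritten[i]["record"])
    results["rewritten_tail"] = first_broken_link(rewritten, anchored_head)

    # 4. Drop the newest entry: internally consistent, but the head is wrong.
    truncated = copy.deepcopy(trail.entries[:-1])
    results["truncated"] = first_broken_link(truncated, anchored_head)
    return results


if __name__ == "__main__":
    for scenario, index in tamper_scenarios().items():
        print(f"{scenario}: first broken link at {index}")
```

Scenarios 3 and 4 are the ones that matter for supervisory evidence: a party with write access to the whole log can always produce a self-consistent chain, so the assurance comes from the externally held head, not from the hashing itself. Signing each head with a key the log writer does not hold, or publishing it to a system under a different administrative domain, turns the chain into evidence a third party can check.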

By executing this roadmap and embedding measurable controls, financial entities and ICT providers can demonstrate readiness for DORA’s 2025 application date and strengthen operational resilience in line with EU supervisory expectations.
