Compliance Briefing — December 27, 2022
DORA’s Official Journal publication starts the countdown to January 2025, requiring EU financial entities to overhaul ICT risk management, testing, incident reporting, and third-party oversight for digital operational resilience.
Executive briefing: On 27 December 2022 the EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) was published in the Official Journal. It enters into force 20 days after publication and applies from 17 January 2025, giving financial entities a 24-month implementation period. DORA establishes a harmonised ICT risk management framework for financial entities (banks, insurers, investment firms, payment institutions and others) covering governance, incident management and reporting, resilience testing, third-party risk and information sharing, and it brings critical ICT third-party service providers under a new EU oversight framework. Firms must align operating models, control frameworks, and outcome testing to meet the regulation's prescriptive requirements.
Scope and governance
DORA applies to a broad range of financial entities and designates critical ICT third-party service providers (CTPPs) subject to direct European Supervisory Authority (ESA) oversight. Key governance obligations include:
- Board responsibility for ICT risk management, strategy approval, and oversight.
- Establishing risk management frameworks covering identification, protection, detection, response, and recovery.
- Adopting ICT security policies, business continuity, and disaster recovery plans with periodic testing.
- Maintaining incident response processes aligned with ESA technical standards.
Boards must receive regular reporting on ICT risk, incidents, testing outcomes, and third-party performance.
ICT risk management requirements
Firms must implement controls across:
- ICT risk identification: Asset inventories, risk assessments, dependency mapping, and risk appetite statements.
- Protection and prevention: Security policies, access controls, encryption, vulnerability management, and secure development lifecycle.
- Detection: Monitoring, logging, and anomaly detection with defined thresholds.
- Response and recovery: Incident response plans, communication strategies, backup and recovery testing, and crisis management.
- Learning and evolving: Post-incident reviews, lessons learned, and continuous improvement.
Outcome testing should evidence control effectiveness, such as reduced incident impact, faster recovery times, and improved detection rates.
Incident reporting and information sharing
DORA standardises incident classification and reporting through ESA technical standards. Financial entities must:
- Classify ICT-related incidents against harmonised criteria (for example the number of clients or counterparties affected, duration of service disruption, geographical spread, data losses, and criticality of the services affected) and report major incidents to the competent authority.
- Submit an initial notification followed by intermediate and final reports within the timelines set in the technical standards.
- Participate in threat intelligence sharing arrangements and consider voluntary sharing with peers.
Firms must ensure incident response teams, communication plans, and reporting tools meet DORA requirements.
Digital operational resilience testing
DORA requires regular testing, including:
- Basic testing (vulnerability assessments, penetration testing, scenario-based tests) for all financial entities.
- Advanced threat-led penetration testing (TLPT) at least every three years for financial entities identified by their competent authorities, conducted in line with the TIBER-EU framework.
- Testing of business continuity and disaster recovery, including participation in industry-wide exercises.
Outcome testing must document findings, remediation actions, and retesting results. Entities should maintain testing registers and report outcomes to senior management and regulators.
Third-party risk management
Firms must maintain a register of information covering all contractual arrangements with ICT third-party providers, perform pre-contractual due diligence, and ensure contracts include the mandatory clauses (service levels, security requirements, audit and access rights, exit strategies). Critical ICT third-party providers will be overseen by the ESAs, and financial entities must cooperate with regulators during inspections.
Outcome metrics should track supplier performance, incident rates, and compliance with contractual obligations.
Information sharing and threat intelligence
DORA encourages participation in threat intelligence communities, with safeguards for confidentiality. Firms should establish governance for sharing indicators of compromise, tactics, techniques, and procedures (TTPs), and integrate intelligence into detection and response workflows.
Implementation roadmap
- 2023: Conduct gap analyses, establish DORA programme governance, and track ESA rulemaking on the regulatory and implementing technical standards.
- 2024: Implement control enhancements, remediate third-party contracts, populate the register of information, and prepare for TLPT scoping.
- By 17 January 2025: Finalise compliance documentation, complete required tests, and be ready for supervisory assessments from the application date.
Sources
- Regulation (EU) 2022/2554 (DORA)
- European Commission DORA overview
- ESAs consultation on DORA technical standards
- EBA ICT and security risk guidelines
- TIBER-EU framework
Zeph Tech guides financial institutions through DORA implementation, aligning governance, testing, and third-party oversight to demonstrate operational resilience by the 2025 go-live.
Supervisory engagement strategy
Firms should prepare for active supervision by ESAs and national competent authorities. This involves designating regulatory liaisons, maintaining evidence repositories, and conducting mock supervisory reviews. Documenting decision logs, board minutes, and remediation plans ensures responses to information requests are timely. Firms operating across multiple jurisdictions should coordinate messaging to avoid inconsistencies.
Outcome testing can include dry-run supervisory meetings, benchmarking readiness scores, and tracking closure of regulator feedback.
Integration with broader resilience initiatives
DORA overlaps with existing frameworks such as the ECB Cyber Resilience Oversight Expectations (CROE) for financial market infrastructures and the UK's operational resilience regime for firms operating across borders. Financial institutions should map DORA controls to existing programmes, identifying synergies and gaps. Establishing a unified resilience taxonomy can streamline reporting, testing, and board oversight. Firms should also coordinate DORA implementation with NIS2 obligations (DORA is the sector-specific regime for financial entities) and with CSRD sustainability disclosures so that risk narratives stay consistent.
Change management and culture
Embedding DORA requires cultural change. Firms should develop communication campaigns explaining why digital resilience matters, establish communities of practice, and recognise teams that contribute to resilience improvements. Incorporating DORA objectives into performance evaluations and incentives reinforces accountability.
Data architecture readiness
Meeting DORA’s reporting and testing obligations depends on high-quality data. Firms should assess whether current data lakes, SIEM platforms, and configuration databases can produce the required metrics. Implementing data lineage tools helps trace how resilience metrics are derived, supporting auditability. Organisations may need to harmonise taxonomies across risk, security, and continuity functions to avoid inconsistent reporting.
Outcome testing should validate that dashboards pull from authoritative sources and that manual interventions are minimised. Regular data quality reviews—covering completeness, accuracy, and timeliness—should feed into governance forums.
Further readiness practices:
- Align employee training with DORA roles, ensuring first-line operations teams, incident responders, and third-party managers understand their new obligations; record training metrics and competency assessments to demonstrate readiness during supervisory reviews.
- Boards should request heat maps highlighting critical ICT dependencies and residual risks, enabling strategic oversight and investment prioritisation.
- Internal audit should validate implementation milestones annually, providing assurance to the board and regulators.
- Cross-functional steering committees should review resilience KPIs monthly to maintain progress.
- External assurance over key resilience processes can provide additional comfort to supervisors.
- Independent scenario exercises can validate cross-entity coordination under severe disruption conditions.
- Organisations can benchmark maturity against industry utilities to gauge readiness.
- Regular stakeholder forums with ICT providers can surface systemic risks early.
- Continuous improvement logs should document all remediation actions.