DORA is in force — since January 17, 2025

DORA Compliance for the Financial Sector

22,000+ financial entities in the EU must manage ICT risks, report incidents, and conduct resilience testing. Kopexa bundles DORA framework, measures catalog, and information register in one platform.

22,000+

entities affected

72h

ICT incident reporting deadline

5 Pillars

of digital resilience

Made in Europe · BaFin Compliant · ISO 27001 Aligned · OSCAL-Based

Background

What is DORA and Who Does It Affect?

DORA stands for Digital Operational Resilience Act (EU Regulation 2022/2554) and regulates the digital operational resilience of the financial sector. The regulation has been directly applicable since January 17, 2025 and affects over 22,000 financial entities across the EU.

DORA replaces existing national IT supervisory requirements (in Germany: BAIT, VAIT, KAIT, ZAIT) with a unified European framework. This ensures that all financial entities — from large banks to crypto-asset service providers — meet the same ICT security standards.

The regulation encompasses 5 pillars: ICT risk management, ICT incident management and reporting, resilience testing (including TLPT), ICT third-party risk, and information sharing. Each pillar defines concrete requirements that financial entities must fulfill.

Particularly notable is the proportionality principle (Article 4): microenterprises in the financial sector (fewer than 10 employees, turnover below EUR 2 million) benefit from a simplified ICT risk management framework (Article 16) with reduced requirements.

ICT third-party risk (Articles 28–44) goes significantly beyond previous regulations: financial entities must maintain an information register of all ICT third-party providers, ensure minimum contractual requirements, and document exit strategies. Critical ICT third-party service providers (CTPPs) are directly supervised by the European Supervisory Authorities (ESAs).

The 5 Pillars of DORA

Core areas of EU Regulation 2022/2554

  • ICT Risk Management (Art. 5–16)
  • ICT Incident Management & Reporting (Art. 17–23)
  • Resilience Testing & TLPT (Art. 24–27)
  • ICT Third-Party Risk (Art. 28–44)
  • Information Sharing (Art. 45)

Who Does DORA Affect?

21 categories of financial entities

  • Credit institutions, investment firms, and trading venues
  • Insurance, reinsurance, and pension funds
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers and management companies

Which companies fall under DORA?

Currently regulated under BAIT/VAIT/KAIT/ZAIT?

The existing German IT supervisory requirements are being replaced by DORA by January 1, 2027. Learn what changes and how to plan the migration.

Free DORA Readiness Check

Does DORA Apply to Your Company?

Find out in 3 minutes. Free and anonymous.

DORA Readiness Check

Does DORA apply to your company?

With the DORA Readiness Check by Kopexa, find out in just a few clicks whether and to what extent the EU Digital Operational Resilience Act (DORA) applies to you.

  • Based on official DORA criteria (EU 2022/2554).
  • Instant assessment: applicability, framework (full or simplified) and estimated implementation time.
  • Anonymous, secure, and for orientation purposes.

Start now and check your DORA readiness.

Note: This initial assessment is based on your responses and publicly available criteria (NIS2). It is not legally binding and does not replace an individual case review.

Timeline

The Path to DORA Compliance

Step 1

Gap Analysis

Assess current state against the 5 DORA pillars. Identify and prioritize gaps.

Step 2

ICT Risk Framework

Build governance structure, define ICT security strategy, establish control function.

Step 3

Information Register

Record all ICT third-party providers, review contracts, assess concentration risks.

Step 4

Resilience Testing

Establish testing program, conduct basic tests, check TLPT obligation.

Step 5

Audit Readiness

Collect evidence, document measures, establish readiness for supervisory review.

The sooner you start, the sooner you're compliant. Kopexa supports you at every step.

How Kopexa Helps

From Requirement to Implementation

Build ICT risk framework?

Framework preloaded, gap analysis at the click of a button

The complete DORA framework with all 5 pillars is preloaded in Kopexa. Answer requirements directly in the platform, identify gaps, and track your progress.

  • DORA framework out-of-the-box
  • Gap analysis at the click of a button
  • Cross-mapping to ISO 27001 and BAIT/VAIT

Create information register?

Manage ICT third parties centrally

The DORA information register (Art. 28(3)) requires complete documentation of all ICT third-party providers. Kopexa makes this simple: register providers, track contracts, generate reports.

  • ICT third-party register
  • Contract management
  • Annual reporting

Audit evidence?

Evidence collection & export

Manage policies, evidence, and reports centrally. During supervisory review, export everything with one click — audit-ready.

  • Centralized evidence management
  • Policy management
  • Export-ready audit reports

All Frameworks. One System.

Built by GRC Experts for European Mid-Market Companies

ISO 27001 · NIS2 · TISAX · DORA · BSI Grundschutz · DSGVO · SOC 2 · KRITIS · PCI-DSS · NIST CSF

Kopexa is built on OSCAL, the open NIST standard for machine-readable compliance frameworks. Every framework, every standard, every regulation: available instantly or custom-built with our Framework Builder.


Let’s Assess Where You Stand

Free & non-binding. Response within 24h.
