DORA Requirements: All 5 Pillars
All DORA requirements grouped by the 5 pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.
Overview: The Five DORA Pillars
The Digital Operational Resilience Act (EU Regulation 2022/2554) creates a unified framework for ICT risk management across the European financial sector. Unlike earlier directives, DORA is a regulation that applies directly in all EU member states without the need for national transposition. It entered into force on 16 January 2023 and has applied since 17 January 2025.
DORA is built on five core pillars that together ensure financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. Each pillar addresses a distinct dimension of digital operational resilience.
Below we explain each pillar, the associated articles, and what they mean in practice. Cross-references to our detailed sub-pages help you dive deeper into individual topics.
Pillar 1: ICT Risk Management (Art. 5-16)
The first and most comprehensive pillar requires financial entities to establish a robust ICT risk management framework. This is the foundation upon which all other pillars build. Art. 5 assigns overall responsibility for ICT risk management to the management body, which must define, approve, oversee, and be held accountable for the implementation of the framework.
The framework itself (Art. 6) must include strategies, policies, procedures, and ICT tools necessary to protect all information and ICT assets. It follows a structured lifecycle approach:
- Identification (Art. 8): Identify, classify, and document all ICT-supported business functions, roles, ICT assets, and their dependencies
- Protection (Art. 9): Implement policies for authentication, access controls, ICT change management, patching, encryption, and data security
- Detection (Art. 10): Deploy mechanisms to promptly detect anomalous activities, including network performance issues and ICT-related incidents
- Response and Recovery (Art. 11-14): Establish ICT business continuity policies, response and recovery plans, backup policies, and communication procedures
Art. 13 requires dedicated learning and evolving processes to incorporate lessons from incidents and testing. Art. 15 mandates internal communication policies, while Art. 16 introduces a simplified ICT risk management framework for entities that qualify under the proportionality principle.
For a deep dive into this pillar, see our ICT Risk Management under DORA page. Entities that may qualify for reduced requirements should also consult our Proportionality and Simplified Framework guide.
Pillar 2: ICT-Related Incident Reporting (Art. 17-23)
The second pillar establishes a harmonised incident reporting regime across the financial sector. Financial entities must implement an ICT incident management process to detect, manage, and report ICT-related incidents. All incidents must be classified according to criteria defined in Art. 18, including the number of clients affected, duration, geographical spread, data losses, criticality of services impacted, and economic impact.
Incidents classified as major trigger mandatory reporting obligations under Art. 19:
- Initial notification: Within 4 hours of classification (and no later than 24 hours after detection)
- Intermediate report: Within 72 hours of the initial notification
- Final report: Within one month of the intermediate report, containing root cause analysis and remediation measures
Art. 19(2) also allows voluntary notification of significant cyber threats. Art. 20-23 deal with harmonisation of reporting content, centralisation of reporting through ESA joint committees, supervisory feedback mechanisms, and the potential establishment of an EU hub for major incident reporting.
For full details on classification criteria and reporting channels, see our DORA Incident Reporting guide.
Pillar 3: Digital Operational Resilience Testing (Art. 24-27)
The third pillar requires financial entities to test their ICT systems and tools on a regular basis to assess their preparedness and identify weaknesses. Art. 24 establishes the general requirement for a risk-based digital operational resilience testing programme. This programme must include a range of assessments, tests, methodologies, and tools.
Art. 25 specifies the basic testing requirements that apply to all financial entities:
- Vulnerability assessments and scans
- Open-source analysis
- Network security assessments
- Gap analyses
- Physical security reviews
- Source code reviews (where practicable)
- Scenario-based testing
- Compatibility testing
- Performance testing
- End-to-end testing
- Penetration testing
Art. 26-27 introduce Threat-Led Penetration Testing (TLPT) for entities identified by competent authorities as significant. TLPT must be conducted at least every three years, cover critical ICT systems, and be performed by qualified external testers following the TIBER-EU framework.
More details on TLPT requirements and the TIBER-EU framework are available on our DORA Resilience Testing and TLPT page.
Pillar 4: ICT Third-Party Risk Management (Art. 28-44)
The fourth pillar addresses the risk arising from financial entities' dependence on ICT third-party service providers. This is by far the most extensive chapter of DORA and reflects the reality that financial institutions increasingly rely on external providers for core ICT services including cloud computing, data analytics, and software platforms.
Key requirements include:
- General principles (Art. 28): Entities remain fully responsible for compliance even when outsourcing. They must maintain a register of all ICT third-party contractual arrangements and report it annually to the competent authority.
- Pre-contractual assessment (Art. 28): Evaluate whether the arrangement covers critical or important functions and assess concentration risk.
- Contractual provisions (Art. 30): Contracts must include clauses on SLAs, data location, audit rights, cooperation with authorities, exit strategies, and sub-outsourcing.
- Critical Third-Party Providers (Art. 31-44): The ESAs designate critical ICT third-party providers (CTPPs), which are subject to a direct oversight framework including inspections and penalty mechanisms.
For a detailed look at contractual requirements and the CTPP oversight regime, visit our ICT Third-Party Risk page. For specifics on the information register, see our DORA Information Register guide.
Pillar 5: Information Sharing Arrangements (Art. 45)
The fifth and final pillar encourages financial entities to establish voluntary information-sharing arrangements among themselves. Art. 45 permits financial entities to exchange cyber threat intelligence, indicators of compromise, tactics, techniques, and procedures (TTPs), and security alerts within trusted communities.
Such arrangements must comply with data protection requirements, competition law, and the handling of confidential business information. Entities must notify competent authorities when they enter into information-sharing arrangements and must follow any conditions or restrictions imposed.
While this pillar is voluntary, regulators strongly encourage participation as collective intelligence significantly strengthens the resilience of the entire financial ecosystem. Existing initiatives like ISACs (Information Sharing and Analysis Centres) provide a natural platform for DORA-compliant information sharing.
DORA Pillars at a Glance
| Pillar | Articles | Key Focus | Mandatory |
|---|---|---|---|
| 1. ICT Risk Management | Art. 5-16 | Risk framework, governance, identification, protection, detection, response, recovery | Yes |
| 2. Incident Reporting | Art. 17-23 | Classification, mandatory reporting (4h/72h/30d), voluntary cyber threat notification | Yes |
| 3. Resilience Testing | Art. 24-27 | Basic testing programme, TLPT for significant entities, TIBER-EU | Yes |
| 4. Third-Party Risk | Art. 28-44 | Contracts, concentration risk, information register, CTPP oversight | Yes |
| 5. Information Sharing | Art. 45 | Cyber threat intelligence, TTPs, indicators of compromise | Voluntary |
Who Must Comply with DORA?
DORA applies to virtually all regulated financial entities in the EU. Art. 2 defines 21 categories of entities, including:
- Credit institutions (banks)
- Payment institutions and electronic money institutions
- Investment firms and trading venues
- Insurance and reinsurance undertakings
- Institutions for occupational retirement provision (IORPs)
- Central counterparties (CCPs) and central securities depositories
- Crypto-asset service providers (CASPs)
- Management companies and AIFMs
- Credit rating agencies
- Crowdfunding service providers
- ICT third-party service providers (indirectly, via oversight)
The scope is deliberately broad. If your entity is supervised by BaFin, the ECB, EIOPA, ESMA, or another EU financial supervisory authority, DORA almost certainly applies to you. The only notable exemptions are certain micro-enterprises below defined thresholds, which benefit from the simplified framework under Art. 16.
Getting Started: Implementation Priorities
With DORA now in application, financial entities should focus on closing remaining gaps. A pragmatic approach prioritises the areas with the highest regulatory risk:
- Immediate: ICT risk framework governance (Art. 5), incident reporting processes (Art. 17-19), information register (Art. 28(3))
- Short-term: Contractual review of ICT third-party arrangements (Art. 30), basic resilience testing programme (Art. 25)
- Medium-term: TLPT readiness (Art. 26-27), concentration risk assessment, information sharing arrangements
For a step-by-step implementation guide, consult our DORA Checklist: 10 Steps to Compliance. For a breakdown of expected costs and timelines, see our DORA Costs and Timeline page.