DORA Guide for Banks & Financial Services

What every EU financial institution needs to know about the Digital Operational Resilience Act — five pillars, ICT risk management, critical third-party oversight, threat-led penetration testing, and how DORA intersects with the EU AI Act and GDPR.

Introduction: The EU's New Digital Resilience Mandate

The Digital Operational Resilience Act (DORA), officially EU Regulation 2022/2554, became effective January 17, 2025, establishing the European Union's comprehensive framework for ensuring financial entities can withstand, respond to, and recover from information and communication technology (ICT) disruptions. DORA applies to banks, insurance companies, investment firms, payment institutions, cryptocurrency asset service providers, and critically to the third-party ICT service providers that support these financial institutions, including cloud providers and AI vendors. For BFSI entities operating in or serving the EU, DORA compliance is now mandatory and violations carry substantial penalties including fines up to 1 percent of average daily worldwide turnover for critical service providers. DORA fundamentally shifts the regulatory paradigm from managing technology risk internally to managing ICT risk as a systemic financial stability concern.

DORA reflects policymakers' recognition that financial institutions have become critically dependent on ICT systems supplied by external service providers. A significant cloud outage, a security breach at a major cloud vendor, or a failure of an AI platform could disrupt payments, trading, insurance settlement, and lending across multiple financial institutions. By establishing direct regulatory authority over ICT service providers, DORA closes the supervision gap that previously allowed third-party vendors to operate with limited regulatory oversight. For banks, this means vendor management responsibilities have become explicit regulatory obligations with enforcement consequences.

What DORA Is and Why It Matters for AI Governance

DORA is a horizontal regulation governing digital operational resilience across the EU financial sector. It applies to all financial entities regardless of size, though the regulatory burden scales based on entity classification. The regulation recognizes explicitly that digital operational resilience includes the security, reliability, and governance of artificial intelligence systems. Banks using AI for credit decisions, risk assessment, fraud detection, customer service, or back-office functions fall under DORA's ICT risk management requirements.

DORA represents a watershed moment for AI governance in banking. Unlike the EU AI Act, which is risk-based and focuses on the nature of the AI system being deployed, DORA focuses on ICT risk management regardless of whether a system involves AI. AI systems sourced from third parties are therefore among the ICT risks banks must assess, and DORA brings cloud AI providers under direct oversight. When a bank uses cloud-based machine learning services (such as natural language processing for document review or predictive analytics platforms), the cloud AI provider becomes subject to potential DORA lead overseer supervision.

DORA's Five Pillars of Digital Operational Resilience

The regulation is structured around five pillars, each establishing requirements for financial entities and, in specified cases, for ICT service providers.

The first pillar addresses ICT risk management. Financial entities must establish comprehensive ICT risk management frameworks that identify, monitor, and mitigate risks from their ICT systems. The framework must address technical risks (such as system availability, data integrity, cybersecurity threats), operational risks (such as human error in system administration), and third-party risks (such as dependency on external service providers). Risk management must be integrated with enterprise-wide risk management and must address concentration risk where multiple business functions depend on a single ICT system or service provider.

The second pillar addresses ICT-related incident management and reporting. Banks must establish procedures to identify material ICT incidents, investigate root causes, and report incidents to relevant regulators. Material incidents are those significantly disrupting financial services, affecting multiple customers, or causing material financial loss. Reporting must occur without undue delay, typically within 24 hours of incident detection. Banks must maintain detailed incident logs and conduct post-incident reviews identifying systemic improvements.

The third pillar addresses digital operational resilience testing. Banks must conduct regular testing of ICT systems to verify their ability to withstand and recover from disruptions. Testing includes vulnerability scanning, penetration testing, and business continuity testing. For large or systemically important banks, more stringent testing requirements apply, including threat-led penetration testing (TLPT) conducted by independent external parties.

The fourth pillar addresses ICT third-party risk management. Banks must manage risks arising from dependence on external ICT service providers. This includes cloud providers, software vendors, data centers, and AI platforms. Banks must conduct due diligence on third-party providers, establish contractual terms specifying security and availability requirements, monitor ongoing performance, and maintain contingency plans for service disruptions.

The fifth pillar addresses information sharing regarding cyber threats and ICT incidents. DORA establishes mechanisms for financial entities to share threat intelligence, including information about vulnerabilities, attack methods, and incidents. This pillar facilitates coordinated defense and incident response across the financial sector.

Scope: Which Entities and Which Service Providers Are Covered

DORA applies to all financial entities operating in the EU, defined broadly to include banks, insurance companies, investment firms, payment institutions, e-money institutions, crypto-asset service providers, central counterparties, trade repositories, and others. The scope is comprehensive: even small regional banks and investment firms must comply with DORA's framework, though the intensity of requirements scales based on entity classification.

Financial entities are categorized into tiers based on size and systemic importance. Tier 1 entities are the largest and most systemically important institutions, typically large banking groups with assets above EUR 30 billion. Tier 2 entities are smaller but still significant institutions. The regulatory intensity increases for higher tiers, particularly regarding testing requirements and incident reporting thresholds.

Critically, DORA applies to ICT third-party service providers. This category includes entities providing ICT services to financial entities: cloud computing providers, software vendors, data centers, AI platforms, cybersecurity firms, and others. DORA creates direct regulatory authority over these providers, distinguishing between "ordinary" ICT third-party service providers and "critical" ICT third-party service providers (CTPs). Ordinary service providers must comply with financial entities' contractual requirements and allow audits. Critical service providers face direct supervision from EU financial regulators.

Critical ICT Third-Party Service Providers and the Lead Overseer Framework

A service provider is designated as critical if its failure or service disruption would significantly impact the financial stability or functioning of one or more financial entities. The European Supervisory Authorities (the European Banking Authority, European Securities and Markets Authority, and European Insurance and Occupational Pensions Authority, collectively the ESAs) designate critical service providers based on criteria including number of financial entities using the service, concentration of financial entities on that service provider, and systemic importance of the entities relying on the provider.

Major cloud providers and major AI platforms are likely to be designated as critical service providers under DORA. The designation triggers direct supervisory authority: the service provider must now comply with DORA requirements, allow regulatory audits, and respond to information requests from regulators.

For each designated critical service provider, the ESAs appoint a "lead overseer" responsible for supervision. The lead overseer is the ESA whose supervised entities collectively hold the largest share of total assets among all entities using that service provider. The lead overseer assesses whether the provider has sound ICT risk management, adequate security, data availability, and data integrity protections.

The lead overseer may impose binding requirements on the critical service provider. These requirements might specify security standards, audit frequency, transparency reporting, and incident notification procedures. Critical service providers must cooperate with the lead overseer and allow on-site inspections. A service provider failing to comply with lead overseer requirements may be subject to enforcement actions, including fines or mandated service changes.

ICT Risk Management Framework Requirements

DORA mandates that financial entities establish documented ICT risk management frameworks addressing the full spectrum of ICT risks. The framework must identify ICT risks to which the entity is exposed, including technical risks such as malware or cyberattacks, operational risks such as human error or misconfiguration, third-party risks arising from service provider dependencies, and concentration risks where multiple systems depend on a single underlying infrastructure.

The framework must include ongoing monitoring of ICT risks, with regular assessment of the effectiveness of risk mitigation measures. Financial entities must maintain detailed documentation of ICT risks, controls, and monitoring results. Risk assessment must be forward-looking, considering emerging threats and technology changes. The framework must address supply chain risks, including risks from vendors used by ICT service providers.

The ICT risk management framework must integrate with financial entity governance. The board of directors or equivalent governing body must oversee ICT risk management and approve the framework. Senior management must allocate resources for ICT risk management and ensure compliance. For large or systemically important entities, DORA requires appointment of an ICT risk manager at senior management level with clear authority and independence.

Testing Requirements Including Threat-Led Penetration Testing

DORA mandates testing of ICT systems at least annually. Testing must verify that critical ICT systems can continue to function under stress conditions, can be restored after disruption, and can withstand cyberattacks. Testing methods include vulnerability scanning, penetration testing, and business continuity testing.

For large or systemically important entities, DORA mandates threat-led penetration testing (TLPT) at least once every three years. TLPT is a more intensive testing regime than routine penetration testing. In TLPT, a team of expert security professionals, using current threat intelligence about actual attack methods and attacker tactics, targets a financial entity's critical systems to identify vulnerabilities and test defenses. TLPT may last months and covers multiple critical systems and processes.

TLPT is designed to be realistic and demanding: the testing team uses the actual attack methods employed by sophisticated threat actors. A TLPT may, for example, simulate a ransomware attack, attempting to encrypt data and disrupt services in order to test incident response and recovery procedures. DORA specifies that at least one out of every three TLPT cycles must be conducted by an independent external testing party. This ensures external validation that testing is rigorous and that findings are credible to regulators.

ICT Third-Party Risk Management Obligations

DORA imposes explicit requirements on how financial entities manage risks from ICT third-party service providers. Banks must conduct due diligence before contracting with service providers, assessing their ICT risk management maturity, cybersecurity controls, and business continuity capabilities. Due diligence should evaluate the provider's financial stability, ownership and governance, and whether the provider itself uses sub-contractors.

Contractual terms with service providers must specify ICT security and availability requirements. Contracts must require that service providers implement security measures proportionate to the sensitivity of data and criticality of systems they support. Contracts must include audit rights, allowing the bank to audit the service provider's security practices and compliance with contractual terms. Contracts should include specific service level agreements specifying availability targets, response times for incidents, and remedies if service levels are breached.

Contracts must include incident notification requirements: service providers must notify the bank immediately if material incidents occur affecting the service. Financial entities must continuously monitor service provider performance against contractual requirements. Where monitoring reveals deficiencies, the bank must engage the service provider on remediation and may escalate to regulatory authorities if deficiencies are material.

Interaction with EU AI Act and GDPR

DORA, the EU AI Act, and GDPR create overlapping frameworks that banks must navigate. DORA focuses on ICT operational resilience: ensuring systems are secure and available. The EU AI Act focuses on AI system risk: ensuring AI systems are safe, transparent, and non-discriminatory. GDPR focuses on personal data protection: ensuring data is processed lawfully and individual rights are respected.

A bank using AI for credit decisions must comply with all three frameworks. The AI Act requires that the credit decision system be classified by risk level, that training data be audited for bias, that the system be transparent and explainable, and that human review occur for decisions with significant impact on the individual. DORA requires that the AI system (likely sourced from a third-party cloud provider) be assessed for ICT risk, that the bank understand the provider's security practices, and that the bank can recover from service disruption. GDPR requires that the bank obtain lawful basis for processing customer financial data, provide transparency about how data is used in the model, and allow individuals to access data and contest decisions.

The European Commission, recognizing these overlaps, has published guidance on integrated compliance approaches. In November 2025, the Commission proposed the Digital Omnibus regulation, which aims to streamline requirements across DORA, AI Act, and GDPR, establishing unified incident reporting, standardized security assessment frameworks, and clearer delineation of responsibilities between financial entities and service providers.

Incident Reporting and Breach Notification

DORA requires that financial entities report material ICT incidents to regulators without undue delay, typically within 24 hours of incident detection. Material incidents are those affecting critical or important functions, affecting multiple customers, causing material financial loss (typically EUR 10,000 or more), or affecting the entity's reputation. The report must include incident timeline, systems affected, root cause (if known), remediation status, and regulatory notifications. The report is the bank's responsibility, even if the incident occurred at a third-party service provider. If a bank's cloud provider experiences a breach, the bank must report to the regulator.

DORA also requires that banks notify affected customers of material personal data breaches. This obligation complements GDPR's breach notification requirements. Many banks now have unified breach notification procedures addressing both DORA and GDPR timelines.

Penalties and Enforcement

DORA establishes enforcement mechanisms at the member state level, with penalties calibrated to the severity of violations and the entity's size. For financial institutions, penalties can reach 1 percent of average daily worldwide turnover if the institution materially violates DORA requirements. For a large bank with USD 100 billion in annual revenue, a 1 percent penalty translates to approximately USD 1 billion. Regulators may also impose periodic penalty payments of 0.5 percent of daily turnover, compounding financial pressure if violations are not remediated promptly.

For critical ICT third-party service providers, penalties are particularly stringent. A critical service provider failing to comply with lead overseer requirements may face fines up to 1 percent of average daily worldwide turnover or, if the provider is not a financial institution and its turnover cannot be calculated, a fixed fine up to EUR 10 million. Beyond financial penalties, regulators may impose administrative remedies: mandatory implementation of security improvements, business restrictions, or suspension of authorization to serve financial entities.

Practical Compliance for BFSI Entities

For banks and financial services firms, DORA compliance requires systematic, sustained effort. The first step is understanding applicability: determine your entity's DORA classification (Tier 1, Tier 2, or smaller entity), which affects regulatory intensity. Assess which systems and business functions are "critical" or "important" under DORA; these trigger more intensive requirements.

Conduct a comprehensive ICT risk assessment. Identify all ICT systems, external service providers, and data flows. For each critical system, assess risks: what could cause system failure? What would be the impact on customers and regulators? Document risk appetite and risk mitigation measures. Establish ongoing risk monitoring with quarterly or semi-annual reassessment.

Audit ICT service provider relationships. For each service provider, document the services provided, criticality to the bank, and contractual terms. Assess whether terms adequately address DORA requirements: does the contract require the service provider to maintain security? Allow audits? Notify of incidents? Does the contract include termination and data recovery provisions?

Develop incident response procedures aligned with DORA timelines. Establish procedures for detecting material incidents, assessing materiality, collecting forensic information, and notifying regulators within 24 hours. Test incident response procedures annually through simulations. Ensure incident response covers third-party service provider incidents.

How Corvair Helps

Corvair's platform enables banks to operationalize DORA through centralized ICT risk management, service provider oversight, and incident response automation. By integrating with banking systems and third-party platforms, Corvair provides real-time visibility into ICT risks, automated monitoring of service provider performance against contractual terms, and audit trail documentation demonstrating compliance. For banks managing complex testing programs and incident response procedures, Corvair's testing orchestration and incident management tools ensure alignment with DORA timelines and provide auditable evidence of resilience to regulators and examiners.
