6 min read<\/p>\n
DORA has been directly applicable across the EU since January 2025, yet by the end of 2025, only about half of all financial institutions had fully implemented its requirements. The pressure mounts in 2026: the ICT third-party provider register is due, threat-led penetration tests are on the horizon, and critical cloud service providers will come under direct EU supervision.<\/strong><\/p>\n Key Takeaways<\/p>\n Related:<\/span>When the reporting clock really starts ticking<\/a> \/<\/span> KRITIS umbrella law: When resilience becomes a CISO obligation<\/a><\/p>\n What is DORA?<\/strong> DORA stands for the Digital Operational Resilience Act, an EU regulation ensuring digital operational resilience in the financial sector. It has been directly applicable since 17 January 2025, requiring banks, insurers, and their IT service providers to demonstrate risk management, report incidents on time, and conduct regular resilience tests.<\/p>\n The regulation is now binding law. Yet by the end of 2025, implementation remained incomplete in many places: industry surveys show only about half of European financial institutions had met all requirements, with a significant portion pushing compliance to 2026. For security teams, this means proof is now required in day-to-day operations.<\/p>\n The first pillar is documented ICT risk management. DORA demands substance over glossy concepts: a well-maintained asset inventory, clear responsibilities and controls that work in a crisis. If you haven\u2019t accurately inventoried your critical systems, you can\u2019t assess risks or pass an audit.<\/p>\n The most common mistake in practice is building the framework on paper while disconnecting it from operations. A risk register that no one touches after the audit is worthless. Supervisors look for lived processes-evident in logs, tickets, and tested contingency plans.<\/p>\n The second pillar is incident reporting. DORA requires severe ICT incidents to be classified and reported to regulators within set deadlines. While this sounds straightforward, it often fails due to lack of preparation. If you\u2019re scrambling to clarify who reports what, to whom, and by when during an actual crisis, you\u2019ve already lost critical hours.<\/p>\n This is where practiced routine pays off. A reporting process should be tested like a backup-run through once a quarter, with clear roles and escalation paths. Reporting deadlines vary by regulation, so the starting point of the clock must be precisely defined.<\/p>\n The third pillar is threat-led penetration testing, or TLPT. Beyond traditional pentests, DORA mandates realistic attack simulations for certain institutions, modeled on real-world threat actors and including the ICT supply chain. Which institutions must test-and how often-depends on their size and systemic importance. BaFin is expected to refine the detailed requirements soon.<\/p>\n These pillars can be broken down into concrete tasks for the security team.<\/p>\n The fourth pillar addresses third-party providers. Nineteen IT service providers are classified as critical third parties and fall directly under European supervision-including major hyperscalers. For financial institutions, this changes the landscape: responsibility for resilience remains with the institution, even if the service comes from the cloud.<\/p>\n In practice, this means tracking every critical service in a register, equipping contracts with audit and termination rights, and maintaining an exit plan for each key provider. An outage at your cloud provider doesn\u2019t absolve you of your reporting obligations.<\/p>\n Anyone treating DORA as a mere paperwork exercise will find out the hard way-when the first real incident hits. The regulation demands *lived* resilience.\n<\/p><\/blockquote>\n DORA has been directly applicable in all EU member states since January 17, 2025. It applies to banks, insurers, investment firms, payment and crypto service providers, as well as their critical IT service providers. As a regulation, it requires no national transposition-it\u2019s enforceable as is.<\/p>\n The register lists all contractual agreements for IT services and was due to be reported to BaFin by March 30, 2026. It must be kept up to date, as regulators expect a current overview-not just a one-time snapshot.<\/p>\n TLPT stands for Threat-Led Penetration Testing-realistic attack simulations based on actual threat actors, including the ICT supply chain. It\u2019s primarily required for systemically important institutions, with detailed guidelines to be finalized by regulators later this year.<\/p>\n The responsibility for operational resilience remains with the financial institution. Even if a critical third-party provider is directly supervised by EU authorities, the institution must report incidents, manage risks, and maintain an exit plan. Outsourcing does not shift this obligation.<\/p>\n Regulators can impose severe sanctions, including daily fines of up to one percent of global daily revenue for critical third-party providers-over an extended period. However, the reputational and trust damage following a reported incident often outweighs the financial penalty.<\/p>\n\n
DORA is in force, but implementation lags<\/h2>\n
Risk management must be demonstrable<\/h2>\n
Report Incidents Before the Clock Runs Out<\/h2>\n
Tests That Impact the Entire Supply Chain<\/h2>\n
\n\n
\n \nDORA Pillar<\/th>\n What the Security Team Must Deliver<\/th>\n<\/tr>\n<\/thead>\n \n ICT Risk Management<\/strong><\/td>\n Asset inventory, controls, and a living risk register<\/td>\n<\/tr>\n \n Incident Reporting<\/strong><\/td>\n Classify, report on time, and test the process<\/td>\n<\/tr>\n \n Resilience Testing (TLPT)<\/strong><\/td>\n Threat-led pentests covering the supply chain<\/td>\n<\/tr>\n \n Third-Party Providers<\/strong><\/td>\n Maintain a register, secure audit rights, and keep an exit plan<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n When Your Cloud Provider Is Under Supervision Too<\/h2>\n
\n
Frequently Asked Questions<\/h2>\n
When does DORA take effect, and who does it apply to?<\/h3>\n
What should be considered for the ICT third-party provider register?<\/h3>\n
What does TLPT entail in practice?<\/h3>\n
Who is liable if a cloud provider fails?<\/h3>\n
What are the consequences of violations?<\/h3>\n
Editor\u2019s Reading Recommendations<\/h3>\n