DORA Framework

The Five Pillars of DORA

The Digital Operational Resilience Act is structured around five interconnected pillars that together create a comprehensive framework for managing ICT risk in the financial sector. Each pillar addresses a critical dimension of operational resilience.

Pillar I: ICT Risk Management Framework (Art. 5-16)

Establishes comprehensive requirements for financial entities to identify, protect against, detect, respond to, and recover from ICT-related disruptions. Mandates a robust governance framework with clear roles, policies, and continuous improvement processes for managing technology risk across the organization.

Key topics:
- Governance and organizational structure
- ICT risk identification and classification
- Protection and prevention measures
- Detection and response capabilities
- Recovery and restoration planning

12 articles
Pillar II: ICT-Related Incident Management (Art. 17-23)

Requires financial entities to establish and implement an incident management process for detecting, managing, and reporting ICT-related incidents. Introduces harmonized classification criteria, mandatory reporting timelines to competent authorities, and obligations for root cause analysis and remediation tracking.

Key topics:
- Incident detection and classification
- Regulatory reporting obligations
- Root cause analysis
- Remediation and lessons learned

7 articles
Pillar III: Digital Operational Resilience Testing (Art. 24-27)

Mandates that financial entities establish testing programmes proportionate to their size and risk profile to assess preparedness for ICT disruptions. Includes requirements for basic testing such as vulnerability assessments, as well as advanced threat-led penetration testing (TLPT) for systemically important institutions.

Key topics:
- Testing programme design
- Vulnerability assessments and scanning
- Threat-led penetration testing (TLPT)
- Tester qualification requirements
- Remediation of findings

4 articles
Pillar IV: ICT Third-Party Risk Management (Art. 28-44)

Addresses the risks arising from reliance on ICT third-party service providers. Establishes principles for sound management of third-party risk including due diligence, contractual requirements, concentration risk monitoring, and an EU-level oversight framework for critical ICT third-party providers designated by the ESAs.

Key topics:
- Third-party risk assessment and due diligence
- Contractual arrangements and key provisions
- Concentration risk management
- Oversight framework for critical providers
- Exit strategies and substitution planning

17 articles
Pillar V: Information Sharing (Art. 45)

A single-article chapter that encourages financial entities to voluntarily exchange cyber threat intelligence and information about ICT-related vulnerabilities, tactics, techniques, and procedures among themselves and with competent authorities. Establishes safeguards for such sharing arrangements including data protection, confidentiality, and competition law compliance.

Key topics:
- Threat intelligence sharing arrangements
- Safeguards and confidentiality
- Competent authority notification
- Data protection compliance

1 article

Assess your DORA readiness

Take our free self-assessment to evaluate your organization's compliance posture across all five pillars.