DORA — Applicable since 17 January 2025

DORA Compliance Answers in 90 Seconds

Article-precise guidance on DORA's five pillars — ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. Every answer cites the exact article and regulatory technical standard.

Covers DORA (EU 2022/2554), all RTS/ITS, ESMA/EBA/EIOPA guidelines, and 7 EU jurisdictions.

No credit card required. 5 free queries on signup.

Where DORA Gets Complicated

The three areas where compliance teams spend the most time searching for authoritative answers.

ICT Third-Party Register

DORA Article 28(3) requires a register of every ICT provider — but what fields are mandatory? Which providers qualify as supporting 'critical or important functions'? What happens when a provider subcontracts?

Incident Classification

Is this incident 'major' under DORA Article 18? The initial notification is due 4 hours after classification and in any case no later than 24 hours after the entity becomes aware of the incident, so the classification decision itself is on the clock. The six criteria in Article 18(1) are only the starting point: the materiality thresholds that decide whether an incident counts as major sit in the RTS on incident classification, and the reporting obligation itself is in Article 19.

Resilience Testing

Does your entity need Threat-Led Penetration Testing (TLPT) under Article 26, or do basic digital resilience tests under Article 25 suffice? The NCA designation criteria — and the TIBER-EU scope — are not obvious from the regulation alone.

Real output, unedited

What You Get in 90 Seconds

Ask any DORA question. Get a cited answer structured for your compliance team.

Regulatory Q&A
54s, 5 sources

Question

“What must our ICT third-party service provider register contain under DORA, and at what organisational level must it be maintained?”


Answer

Under DORA Art. 28(3) and the ITS on the register of information (EU 2024/2956), all in-scope financial entities must maintain and regularly update a register of information at entity level and, where applicable, at sub-consolidated and consolidated level. The register must contain five categories of information for each contractual arrangement:

1. Provider identification: full legal name, LEI, registered address and home country of each ICT third-party provider.

2. Services and functions: description of the ICT services provided, including whether they support a critical or important function as defined in Art. 3(22).

3. Contractual terms: start date, scheduled renewal date and earliest possible contract exit date.

4. Subcontractors: where the provider subcontracts ICT services supporting critical or important functions, the register must extend to the material subcontractors in the chain.

5. Concentration risk and criticality: whether the provider has been designated a critical ICT third-party provider (CITPP) subject to direct Lead Overseer oversight under Art. 31.

Key obligation

Financial entities must make the full register, or any requested section of it, available to the competent authority on request, and must report to it at least yearly on the number of new arrangements, the categories of providers, the types of arrangement and the ICT services and functions provided. Entities in a group must keep the entity-level and consolidated registers consistent across legal entities.

Sources (5)

High confidence

1. DORA (EU 2022/2554), Art. 28(3): 97%
2. ITS on the register of information (EU 2024/2956), Annex I (templates): 93%
3. EBA Guidelines on ICT and security risk, Guideline 8.3: 88%
4. DORA (EU 2022/2554), Art. 3(22): 85%
5. JC 2023/86 — Joint DORA Guidelines, Section 3.2: 79%

Every statement links back to its source article

Ask Your DORA Question — Free

5 free queries on signup. No credit card required.

Full Coverage Across All Five DORA Pillars

From the primary regulation text to every RTS, ITS, and ESA guideline — searched simultaneously in under 90 seconds.

Arts. 5–16

ICT Risk Management

Governance framework, risk identification, protection, detection, response, recovery, and lessons-learned requirements for all in-scope entities.

Arts. 17–23

ICT Incident Reporting

Major vs. non-major incident classification, the three-stage reporting timeline (4h / 72h / 1 month), and the RTS on classification thresholds.

Arts. 24–27

Resilience Testing

Basic digital resilience tests for all entities, and advanced Threat-Led Penetration Testing (TLPT) every 3 years for NCA-designated entities.

Arts. 28–44

ICT Third-Party Risk

Contractual requirements, the register of ICT providers, critical ICTPP oversight, concentration risk management, and exit strategy obligations.

Art. 45

Information Sharing

Voluntary cyber threat intelligence sharing arrangements between financial entities — the conditions, safeguards, and regulatory notifications.

All RTS/ITS

Regulatory Technical Standards

DORA RTS on ICT risk management, incident classification, third-party risk, TLPT, and the DORA ITS on registers — all indexed and cited alongside the primary regulation.

Get your DORA question answered now

ICT register fields, incident classification thresholds, TLPT scope, contractual requirements — ask anything about DORA and get a board-ready answer in under 90 seconds.

Professional plan: 100 queries/month at €399/seat. No contract.

Common DORA Questions

Who must comply with DORA?

DORA (Regulation (EU) 2022/2554) applies to virtually all EU-regulated financial entities: credit institutions, investment firms, payment institutions, e-money institutions, AIFMs, UCITS management companies, insurance undertakings, CASPs authorised under MiCAR, central counterparties, trade repositories, central securities depositories, and critical ICT third-party service providers. The regulation has applied since 17 January 2025.

What are the DORA incident reporting timelines?

Under DORA Article 19(4) and the RTS on reporting (EU 2025/301), once an ICT-related incident is classified as major, three reports must be submitted: (1) an initial notification within 4 hours of classification, and in any case no later than 24 hours after the entity became aware of the incident; (2) an intermediate report within 72 hours of submitting the initial notification; and (3) a final report within 1 month of submitting the intermediate report. The 4-hour clock is triggered by classification, but the 24-hour backstop runs from awareness, so a slow classification decision does not extend the deadline; the classification decision itself is time-sensitive.
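The timelines above turned into a deadline calculator for an incident-response runbook. This is an added example written for this page; it is not output of financialregulations.eu and not code from the regulation. It uses only the time limits stated in the answer above, chains later deadlines off actual submission times when those are known, and treats the weekend and bank-holiday adjustments in the reporting RTS as out of scope. The function and field names (compute_deadlines, ReportingDeadlines, utc) are the example's own, and the timestamps in the demo are constructed.

```python
"""Deadline calculator for DORA major-incident reports (added example).

Time limits as stated on the page: initial notification within 4 hours of
classification and no later than 24 hours after awareness; intermediate
report within 72 hours of the initial notification; final report within one
calendar month of the intermediate report.  Weekend/bank-holiday provisions
of the reporting RTS are deliberately not modelled here.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper to build timezone-aware UTC timestamps (all inputs should be aware)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic with end-of-month clamping (31 Jan + 1 month = 28/29 Feb)."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial_notification: datetime
    initial_binding_limit: str      # which of the two initial-notification limits binds
    intermediate_report: datetime
    final_report: datetime


def compute_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: Optional[datetime] = None,
    intermediate_sent_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Return the three report deadlines for an incident classified as major.

    The intermediate and final deadlines chain off the actual submission times
    when supplied; otherwise they are projected from the preceding deadline.
    """
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    four_hours_after_classification = classified_at + timedelta(hours=4)
    twenty_four_hours_after_awareness = aware_at + timedelta(hours=24)
    if four_hours_after_classification <= twenty_four_hours_after_awareness:
        initial, binding = four_hours_after_classification, "4h from classification"
    else:
        # Classification came late: the 24h-from-awareness backstop binds, so
        # delaying the classification decision does not buy any time.
        initial, binding = twenty_four_hours_after_awareness, "24h from awareness"

    intermediate = (initial_sent_at or initial) + timedelta(hours=72)
    final = add_months(intermediate_sent_at or intermediate, 1)
    return ReportingDeadlines(initial, binding, intermediate, final)


if __name__ == "__main__":
    # Constructed timestamps: awareness at 08:00 UTC on 1 March 2025, then
    # classification either two hours later ("prompt") or 22 hours later ("late").
    for label, classified in (("prompt", utc(2025, 3, 1, 10)), ("late", utc(2025, 3, 2, 6))):
        d = compute_deadlines(aware_at=utc(2025, 3, 1, 8), classified_at=classified)
        print(f"{label}: initial by {d.initial_notification:%Y-%m-%d %H:%M}Z "
              f"({d.initial_binding_limit}), intermediate by "
              f"{d.intermediate_report:%Y-%m-%d %H:%M}Z, final by {d.final_report:%Y-%m-%d}")
```

The "late" case is the one the answer above warns about: classification 22 hours after awareness leaves only 2 hours, not 4, because the 24-hour backstop binds.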

What must the ICT third-party service provider register contain?

Under DORA Article 28(3) and the ITS on the register of information (EU 2024/2956), the register must include: legal name, LEI and address of each provider; description of the ICT services and functions supported; contract start date, renewal date and earliest exit date; criticality classification (supporting a critical or important function as defined in Article 3(22), or not); material subcontractors supporting critical or important functions; and concentration risk indicators, including whether the provider is designated as critical and subject to direct oversight under Article 31. The register must be maintained at entity level and, where applicable, at sub-consolidated and consolidated level.

Does DORA require penetration testing?

DORA Article 24(6) requires in-scope financial entities other than microenterprises to test, at least yearly, all ICT systems and applications supporting critical or important functions, using the test types listed in Article 25 (vulnerability assessments and scans, gap analyses, source-code reviews, scenario-based tests, penetration testing and others). Additionally, entities identified by their competent authority must carry out advanced Threat-Led Penetration Testing (TLPT) at least every 3 years under Article 26, following a framework aligned with TIBER-EU. Testers must meet the requirements of Article 27; internal testers are permitted only under the conditions set out there and in the TLPT RTS, and significant credit institutions must use external testers only.

Does DORA apply to ICT third-party service providers themselves?

Critical ICT Third-Party Service Providers (CITPPs) are subject to direct oversight by the Lead Overseer (EBA, ESMA, or EIOPA, depending on the financial sector). Designation as a CITPP is done by the ESA Joint Committee under the criteria in Article 31. Non-critical ICT third-party providers are not directly supervised under DORA, but must comply with the contractual requirements imposed by their financial entity clients under Articles 28–30.


Need Detailed DORA Guidance?

financialregulations.eu covers the full text of DORA, all RTS/ITS, and ESA guidelines. Ask specific questions about your ICT risk management obligations and get cited answers from the regulatory text.