Who is concerned?
DORA is the EU's digital operational resilience framework for the financial sector.
- Banks, payment institutions, insurance, investment firms
- Crypto-asset service providers (under MiCA scope)
- Critical ICT third-party service providers designated as such by the ESAs (European Supervisory Authorities), typically large cloud/SaaS vendors serving the financial sector
If you sell ICT services to EU financial institutions, DORA touches you indirectly: your customers must cascade their third-party risk obligations into their contracts with you.
What it requires (high-level)
- ICT risk management framework (Art. 6) — comprehensive policy, governance, board oversight.
- ICT third-party register (Art. 28) — exhaustive inventory of providers + risk classification + contract clauses.
- Threat-led penetration testing (TLPT, Art. 26) — advanced testing for systemically important entities, every 3 years.
- Simplified testing (Art. 25) — for smaller entities, baseline testing requirements.
- Incident reporting — major ICT-related incidents to competent authorities within strict deadlines.
- Information sharing — voluntary intelligence sharing in trusted communities.
Penalty exposure
- €10M or 2% of global annual turnover for financial entities.
- Critical ICT third-party providers: periodic penalty of up to 1% of average daily worldwide turnover, per day of non-compliance with EU oversight.
How NexCyber helps with DORA
- Third-party register (Art. 28) — structured inventory + tier-1 risk scoring + contract clause checklist.
- TLPT readiness — gap analysis vs threat-led pentest requirements.
- Incident reporting workflow — pre-filled templates matching ECB / ESMA / EBA notification formats.
- NIS2 / DORA overlap — auto-detected and reconciled (no double effort on overlapping controls).
In force since 17 January 2025. If you haven't started DORA implementation, you are non-compliant.