DORA

Key information

DORA stands for the Digital Operational Resilience Act, a crucial European Union (EU) regulation designed to bolster the cybersecurity and ICT (Information and Communication Technology) risk management of the financial sector. It provides a harmonized legal framework to ensure financial entities can effectively withstand, respond to, and recover from digital disruptions. 

  • Purpose: DORA addresses the increasing reliance of the financial sector on complex digital systems and third-party ICT providers, aiming to minimize systemic risk across the EU financial system by creating a unified standard for digital resilience.
  • Scope: The regulation applies to a wide range of financial entities operating within the EU, including banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers. It also extends to critical ICT third-party service providers (e.g., cloud service providers, data analytics firms) that serve these financial entities, even if the providers are based outside the EU.
  • Compliance Date: DORA entered into force on January 16, 2023, and became fully applicable and enforceable on January 17, 2025.
  • Penalties: Non-compliance can result in significant fines, potentially reaching up to 2% of a financial entity’s total annual worldwide turnover or up to 1% of the average daily worldwide turnover for critical third-party providers. 

The Five Pillars of DORA

DORA establishes requirements across five key areas of digital operational resilience: 

  • ICT Risk Management: Financial entities must implement a comprehensive framework for identifying, assessing, managing, and mitigating all ICT-related risks. This includes putting preventive and protective measures in place and ensuring oversight by the management body.
  • ICT Incident Management & Reporting: The regulation mandates a standardized process for monitoring, classifying, and reporting major ICT-related incidents to relevant national authorities within specified time limits (e.g., an initial report often within four hours of classifying an incident as major).
  • Digital Operational Resilience Testing: Firms must conduct regular testing of their ICT systems to assess their preparedness and identify vulnerabilities. This includes annual basic testing and, for significant entities, advanced threat-led penetration testing (TLPT) at least every three years, based on frameworks like TIBER-EU.
  • ICT Third-Party Risk Management: DORA requires financial institutions to actively manage the risks associated with external ICT service providers. This involves maintaining a register of all providers, conducting thorough due diligence, including specific contractual clauses, and having exit strategies in place.
  • Information & Intelligence Sharing: Entities are encouraged to participate in voluntary arrangements to share cyber threat information and intelligence with peers, helping the sector enhance its collective awareness and defense against emerging threats. 

DORA is a fundamental shift in how the EU financial sector approaches digital risk, making operational resilience a mandatory and continuously managed aspect of business operations. 

Who needs to report against DORA?

Approximately 22,000 organizations operating in the European Union are required to report under DORA as of January 17, 2025. This encompasses nearly all financial institutions and the critical technology providers they rely on. 

1. Financial Entities (Direct Reporting)

A total of 20 types of financial entities must comply with mandatory incident and resilience reporting: 

  • Banking & Credit: Credit institutions, payment institutions (including those exempted under PSD2), and electronic money institutions.
  • Investment & Markets: Investment firms, asset managers (AIFMs and UCITS management companies), central securities depositories (CSDs), and central counterparties (CCPs).
  • Insurance: Insurance and reinsurance undertakings, plus intermediaries (excluding micro and small enterprises).
  • Emerging Finance: Crypto-asset service providers (authorized under MiCA), crowdfunding platforms, and administrators of critical benchmarks.
  • Market Infrastructure: Trading venues, trade repositories, and data reporting service providers. 

2. Critical ICT Third-Party Service Providers (Oversight Reporting) 

DORA introduces a direct oversight regime for technology vendors designated as “critical” (CTPPs) by European Supervisory Authorities (ESAs). 

  • In-Scope Examples: Cloud computing providers (e.g., AWS, Azure), data centers, software vendors, and data analytics firms.
  • Reporting Obligation: These providers must report directly to their assigned “Lead Overseer” (EBA, ESMA, or EIOPA) regarding their management of ICT risks.
  • Non-EU Entities: Critical providers based outside the EU (e.g., in the US or UK) must establish an EU subsidiary to continue serving EU financial clients under this regime. 

3. Exemptions & Proportionality

Some entities are either completely exempt or subject to a simplified ICT risk management framework (Article 16) based on their size and risk profile: 

  • Full Exemptions: Very small pension schemes (fewer than 15 members), certain small insurance undertakings, and micro-enterprise insurance intermediaries.
  • Simplified Requirements: Microenterprises (fewer than 10 employees and <€2M turnover) and small, non-interconnected investment firms. These entities are still required to report major ICT incidents but may have fewer documentation and testing burdens. 

Reporting Deadlines

  • Annual Information Register: Financial entities must submit a register of their ICT third-party arrangements, typically by March 31 each year (though some local regulators set earlier dates like April 15).
  • Major Incidents: Reporting of significant ICT disruptions is mandatory as of January 2025, often requiring initial notification within hours of detection. 

DORA reporting requirements

1. RoI (Register of Information) Reporting

2. DORA Incident Reporting

3. Significant Cyber Threats

Who do you need to report DORA to?

The DORA legislation identifies national competent authorities (NCAs), which are required to collect DORA reports and enforce the rules set down by the European authorities. Because DORA covers a wide variety of financial entities, the legislation refers to pre-existing reporting obligations in order to match each entity with its normal or natural regulator; this can be seen in the legislation here. This means that companies will generally submit DORA reports to their normal industry regulator.

What is the deadline for DORA?

From 2026 onwards the EU-wide deadline is 31st March each year. Some national competent authorities will set a slightly earlier country-specific deadline to ensure they can pass on the reports by this date.

What is the required format?

Like many other regulatory reports required by European regulators, DORA is reported in a digital format called XBRL. More specifically, reports should be submitted in the “XBRL-CSV” format. DORA is the first EU report to use this flavour of XBRL, although several others, especially those defined by the EBA, are planned to be moved to XBRL-CSV as well.

What do you need to create a DORA report?

To create a DORA report you need technology which can not only meet the format requirements but also ensure that the additional technical validation rules are passed. Without the correct technology, you run the risk of your DORA report not being accepted.

The giixi® Hub offers a web-based application and provides a one-stop solution for DORA reporting. It lets users enter the required data over our web portal, connect via a database, or upload Excel templates or a flat CSV file, and converts the data to XBRL-CSV.

Once converted, giixi® Hub runs validation checks to ensure that your submission(s) will be accepted by the National Competent Authority (NCA) collecting DORA reports in your country. The giixi® Hub connects to financial regulators across Europe. Via our Hub, you can be sure that your report is tested to the standard the regulators expect and avoid last-minute surprises.