DORApp Blog
Digital Operational Resilience

Digital Operational Resilience Act 2022 (2026 Guide)

M
By Matevž Rostaher
digital-operational-resilience-act-2022-concept-image-of-eu-financial-office-des-1.jpg

The Digital Operational Resilience Act (DORA) was adopted in 2022 and later became fully applicable on 17 January 2025. For EU financial entities, the 2022 adoption mattered because it converted long-running supervisory expectations on ICT risk into a single, cross-sector regulation with explicit governance, testing, incident reporting, and ICT third-party oversight requirements. If you are still working from pre-2022 approaches (sector guidelines, national expectations, or internal policies), the practical challenge is not understanding DORA at a high level, but translating it into auditable, repeatable workflows across risk, compliance, security, procurement, and IT operations. This article explains what changed in 2022 and how to evaluate whether your implementation approach is likely to stand up to scrutiny, especially where what is digital resilience is treated as an outcome rather than a policy statement.

Contents

  • What changed with the Digital Operational Resilience Act in 2022
  • Key 2022 shifts that still drive implementation decisions
  • The 5 pillars of DORA, and what evidence supervisors typically expect
  • Who is in scope under Regulation (EU) 2022/2554, and why scope clarity changes your 2025 to 2026 work
  • What “changed” operationally: evidence, cadence, and accountability
  • Major ICT-related incident reporting: what a defensible workflow typically includes
  • Commercial evaluation: where a DORA-dedicated platform can help
  • Strengths and Challenges
  • How to evaluate your DORA implementation approach (criteria)
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What changed with the Digital Operational Resilience Act in 2022

    In 2022, the European Union moved from a fragmented set of sector and national expectations on ICT risk toward one harmonized regulation: the Digital Operational Resilience Act (DORA). While many financial entities already had cybersecurity and outsourcing controls, DORA’s 2022 adoption changed three implementation realities.

  • Consistency across sectors: DORA applies broadly across banks, investment firms, insurance undertakings, payment institutions, and other in-scope financial entities. That cross-sector design pressures groups to standardize governance and evidence, even when legacy frameworks differ by entity or country.
  • Defined pillars and deliverables: DORA formalized core building blocks: ICT risk management, incident reporting, digital operational resilience testing (including TLPT where applicable), ICT third-party risk management, and information sharing arrangements. These are not optional themes; they become operational programs with measurable outputs.
  • “Prove it” posture: Supervisory discussions tend to focus on whether you can demonstrate effective control operation, not just whether policies exist. That affects how you design workflows, approvals, audit trails, and recurring reporting to management bodies.

    • If you need a refresh on timing and sequencing, keep the digital operational resilience act timeline and the practical “go-live” question, digital operational resilience act when, close to your project plan. For scope and definitions, see what is dora and the explainer on digital operational resilience act.

    Key 2022 shifts that still drive implementation decisions

    DORA’s 2022 adoption did not “invent” operational resilience. It changed how financial entities are expected to structure, govern, and evidence it. The points below are the ones that most often determine whether an implementation becomes manageable or turns into an annual scramble.

    1) ICT risk management became a board-level operating discipline

    DORA requires the management body to hold accountability for the ICT risk management framework. In practice, that tends to force three changes:

  • Clear assignment of ownership for ICT risks, controls, and remediation actions, including escalation paths.
  • Repeatable review cycles (risk acceptance, remediation status, key risk indicators) that can be evidenced.
  • Management reporting that is consistent across entities and can be reproduced over time.

    • This is one reason many institutions revisit how they define digital operational resilience itself. If your internal definition is still mostly narrative, the article on what is digital operational resilience act can help frame it as a set of measurable obligations.

    2) ICT third-party risk moved from “outsourcing controls” to continuous oversight

    DORA’s 2022 adoption sharpened expectations around ICT third-party service providers (ICT TPPs), including dependencies and concentration risk. For many financial entities, this was a practical step-change from periodic vendor due diligence to ongoing monitoring and documented governance.

  • More detailed inventories of ICT services and contracts.
  • Stronger emphasis on mapping which services support critical or important functions.
  • More focus on supply chain visibility, not only direct vendors.

    • 3) Incident reporting became a regulated workflow, not an internal playbook

    DORA requires financial entities to classify and report major ICT-related incidents to competent authorities, based on criteria defined in applicable RTS and ITS. Even if your security team can respond effectively, DORA implementation typically fails when:

  • classification thresholds are not embedded into a structured decision process,
  • evidence is scattered across email, tickets, and spreadsheets, and
  • regulatory reporting outputs depend on heroics rather than a controlled workflow.

    • Supervisory expectations may evolve as the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) refine technical standards and guidance. Your implementation needs room to adapt without a redesign each cycle.

    4) Testing expectations became formalized, with TLPT as a distinct capability

    DORA’s 2022 adoption reinforced that resilience testing is not limited to vulnerability scanning or annual penetration tests. It introduced a structured testing pillar, with threat-led penetration testing (TLPT) applying to certain financial entities under specified conditions. The operational implication is that testing needs:

  • a defined scope linked to critical or important functions,
  • governance and approvals, and
  • traceable remediation and retesting.
    • digital-operational-resilience-act-2022-visualization-of-harmonized-compliance-w-1.jpg

    The 5 pillars of DORA, and what evidence supervisors typically expect

    Competitor explainers often mention DORA’s “five pillars,” but implementation work tends to stall because teams treat them as topics, not as evidence-producing programs. Under Regulation (EU) 2022/2554, the reality is that each pillar produces distinct artifacts, decision records, and management body outputs. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance.

    From a practical standpoint, here is what the five pillars usually translate into during audits, supervisory reviews, and internal assurance.

    1) ICT risk management

    Under Chapter II of DORA, you are expected to operate an ICT Risk Management Framework with management body accountability and clear governance. Evidence that is commonly requested includes:

  • documented roles and responsibilities across the first and second line of defense, and escalation paths for ICT risk decisions,
  • risk assessments tied to business processes and systems supporting critical or important functions,
  • records of control operation, exceptions, and remediation actions, including timelines and approvals,
  • management reporting and meeting materials showing oversight, challenge, and follow-up.

    • 2) ICT-related incident management, classification, and reporting

    Under Chapter III of DORA, incident handling is not just an internal security process. It becomes a regulated workflow shaped by RTS and ITS from the ESAs (EBA, ESMA, EIOPA). Evidence typically centers on:

  • how incidents are detected and recorded, including event timelines and decision points,
  • how you classify “major” ICT-related incidents using defined criteria and thresholds,
  • how and when you notified competent authorities, and what supporting evidence you retained,
  • post-incident analysis, remediation, and lessons learned.

    • 3) Digital operational resilience testing (including TLPT where applicable)

    Under Chapter IV of DORA, supervisors typically expect a testing program that is risk-based and scoped to critical or important functions. Depending on your classification and supervisory direction, TLPT may apply. Evidence often includes:

  • a documented testing strategy, annual plan, and rationale for test selection,
  • test scope approvals, including rationale for inclusions and exclusions,
  • results and remediation tracking that shows closure, not only identification of findings,
  • retesting evidence and management reporting demonstrating oversight.

    • 4) ICT third-party risk management

    Under Chapter V of DORA, third-party oversight extends beyond initial due diligence. Evidence packages often include:

  • a complete inventory of ICT third-party service providers and mapped ICT services,
  • linkage of services to critical or important functions, where relevant,
  • documented risk assessments, monitoring results, and approvals for onboarding or renewal,
  • contractual evidence that required clauses are addressed, subject to legal interpretation and applicable RTS.

    • 5) Information sharing arrangements

    Under Chapter VI of DORA, information sharing is permitted on a voluntary basis, and it is often misunderstood as a broad requirement to “share threat intel.” The more defensible interpretation for many institutions is to treat this as a governed option. Evidence might include:

  • decision records on whether you participate in information sharing arrangements and why,
  • governance and confidentiality controls around what can be shared,
  • internal processes demonstrating how shared information is evaluated and used, where applicable.

    • Think of it this way: DORA’s five pillars become sustainable only when each produces repeatable evidence, with ownership, cadence, and audit trails. If you cannot reproduce the same answers quarter after quarter, you likely have a workflow problem, not a policy problem.

    Who is in scope under Regulation (EU) 2022/2554, and why scope clarity changes your 2025 to 2026 work

    One gap in many “DORA 2022” summaries is how much scope decisions affect implementation depth. DORA applies to a wide set of EU-regulated financial entities listed in Article 2 of DORA, including (among others) credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, and crypto-asset service providers. It also introduces an oversight framework for certain critical ICT third-party service providers at EU level.

    Here’s the thing: scope is not only a legal determination. It is also an operating model decision. If you treat DORA as a single central program without clarifying which regulated entities, branches, and activities are in scope, you can end up with misaligned governance and inconsistent evidence.

    What scope clarity typically changes in practice

  • Proportionality decisions: DORA includes proportionality concepts across pillars. In most cases, your implementation approach should be scaled, but it still needs to be defensible, documented, and consistent with supervisory expectations for your sector and competent authority.
  • Entity versus group evidence: Cross-border groups often centralize controls while leaving accountability at entity management bodies. That can work, but only if your evidence clearly shows who approved what, and how local governance is exercised.
  • Testing scope and TLPT readiness: Testing obligations under Chapter IV can be misunderstood if you do not clearly identify critical or important functions and map them to systems and providers. TLPT applicability, where it applies, typically requires more mature scoping and governance than standard testing cycles.
  • Third-party oversight boundary: Article 28 of DORA and related RTS shape contractual expectations and oversight of ICT third-party service providers. Scope clarity affects which contracts must be prioritized, which services map to critical or important functions, and how you justify any phased remediation.

    • ESMA, EBA, and EIOPA publish and maintain DORA materials relevant to their remits. Your institution will typically still engage with its competent authority, and implementation details may vary based on supervisory practice. This section is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance.

    What “changed” operationally: evidence, cadence, and accountability

    For most financial entities, the most meaningful 2022 change was not the wording of a single article, but the shift toward demonstrable operational resilience. That typically pushes institutions toward three design decisions.

    From annual projects to continuous controls

    DORA programs often start as a gap assessment, but they tend to mature into an operating model. That means you will likely need recurring cycles for:

  • updating your ICT third-party information and contracts as they change,
  • reviewing risk assessments and remediation actions,
  • refreshing management reporting on a schedule, and
  • maintaining evidence packages that are audit-ready at any point in time.

    • From “we have a document” to “we have traceability”

    DORA does not usually reward policy volume. It rewards traceability: who did what, when, under which approval, and with which evidence. If your implementation relies on spreadsheets and email, you may meet internal needs, but you will likely struggle with:

  • version control and reproducibility,
  • consistent approvals and segregation of duties,
  • audit trails that survive staff turnover, and
  • data quality across multiple entities.

    • From siloed work to cross-functional workflows

    DORA forces collaboration between teams that historically operated separately: security, IT operations, procurement, vendor management, legal, compliance, risk, and internal audit. The bottleneck is usually not “knowledge of DORA,” but coordination. A practical implementation approach typically includes:

  • clear workflow stages (draft, review, approval, remediation, closure),
  • assigned responsibilities per stage,
  • time-bound tasks and escalations, and
  • reporting that management can actually use.
    • digital-operational-resilience-act-2022-image-representing-five-dora-pillars-wit-1.jpg

    Major ICT-related incident reporting: what a defensible workflow typically includes

    Several competitor resources emphasize that DORA requires incident reporting, but they rarely address what breaks in practice. Under Chapter III of DORA, the hard part is not acknowledging the obligation. It is building a workflow that consistently produces the same classification outcomes, timelines, and reporting artifacts under pressure. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance.

    1) A documented classification decision path that matches RTS criteria

    DORA requires classification of “major” ICT-related incidents based on criteria developed through RTS and reporting through ITS templates. In most institutions, the defensible approach is a structured decision path that:

  • captures initial facts, impact assessment, and uncertainty explicitly,
  • shows when and why the incident was reclassified as more information became available,
  • separates operational severity from regulatory reporting thresholds to avoid over- or under-reporting.

    • 2) A timeline record that is built during response, not after

    Post-incident reconstruction is where evidence often becomes fragile. A workflow is typically more audit-resilient when it captures a timeline as the incident progresses, including:

  • first detection time, triage actions, containment decisions, and recovery milestones,
  • key communications, including who was notified internally and when,
  • decision records on reporting triggers and approval of submissions to the competent authority.

    • 3) Clear accountability and sign-off routing

    DORA expectations frequently intersect with internal governance. A common failure mode is unclear sign-off, where reporting depends on informal approvals. Consider this: for each reportable incident, you typically want evidence of who:

  • made the classification decision (and on what basis),
  • approved external reporting content, subject to your internal delegations,
  • owned remediation actions and confirmed closure.

    • 4) Integration points with ICT third-party providers

    What many compliance teams overlook is that incident reporting quality depends on third-party responsiveness. If a major service disruption occurs at an ICT third-party service provider, your ability to assess impact and report can be constrained by the quality and timeliness of vendor communications. In practice, you may need to ensure:

  • contractual expectations for incident notification and information sharing are operationalized, not only written,
  • you can map the incident to affected services and critical or important functions quickly,
  • evidence from third parties is retained as part of your reporting package.

    • If your incident reporting process is still largely email-driven, the operational risk is not only missed timelines. It is inconsistent classification and weak traceability. If you are evaluating tooling, keep the focus on decision traceability, approvals, and evidence packaging, not just ticket creation.

    Commercial evaluation: where a DORA-dedicated platform can help

    Many institutions can implement DORA with internal tools, a general GRC platform, or a combination of ticketing systems and spreadsheets. A DORA-dedicated platform may be worth evaluating when the main constraint is evidence quality, recurring reporting, third-party scale, or multi-entity governance.

    What Dorapp (DORApp) is, based on verified platform information

    DORApp is a cloud-based platform designed to manage, execute, and evidence DORA processes in a structured and auditable way. It is modular, aligned to DORA’s five pillars, and is designed so financial entities can start with one pain point and expand over time. Verified modules and roadmap timing include:

  • DORApp ROI (Register of Information): supports management of Register of Information data and DORA report exports, with data import/export and predefined reporting outputs.
  • DORApp TPRM (Third-Party Risk Management and Questionnaire Automation): supports questionnaire-driven information collection, integrated risk scoring/monitoring, approval workflows and review gates, and third-party provider portal capabilities.
  • DORApp IM (Incident Management and Reporting): planned (coming in Q2 2026).
  • DORApp RMG (ICT Risk Management and Governance): planned (coming in Q4 2026).
  • DORApp IIS (Information and Intelligence Sharing): planned (coming in Q4 2026).

    • Capabilities that are directly relevant to “what changed in 2022”

    The 2022 adoption of DORA increased the need for controlled workflows, consistent data, and repeatable reporting. Dorapp’s verified differentiators map to those needs in specific ways:

  • Automatic LEI validation and enrichment embedded into record creation and imports, which can reduce manual errors when maintaining third-party and entity records across cycles.
  • Execution Governance Engine with configurable review gates and single- or multi-user sign-off across modules, supporting maker-checker style control and evidence of approvals.
  • Audit trail for record changes, workflow transitions, approvals, timestamps, responsible users, and decision rationale, supporting traceability expectations.
  • Reports and analytics with predefined and customizable reports, export formats (XLSX, CSV, PDF), dashboards, and scheduling options to support recurring management oversight.

    • If you want to see how the platform is structured at a high level, start with DORApp Modules and DORApp Functions. For implementation teams, the ability to keep ROI and third-party oversight audit-ready year-round is often the first place where a dedicated workflow tool reduces operational burden.

    Strengths and Challenges

    Strengths

  • DORA-specific modular design: You can typically start with the Register of Information (ROI) and expand to third-party risk management (TPRM) and other pillars as they mature.
  • Evidence and traceability orientation: An explicit audit trail and workflow sign-offs align well with the “prove it” posture that became unavoidable after DORA’s 2022 adoption.
  • Operational workflow control: Configurable review gates and approvals can help enforce segregation of duties and consistent quality checks across functions.
  • Reporting and dashboards: Built-in reporting, exports, and analytics can reduce reliance on manual consolidation for management and audit requests.
  • Data quality improvements for third-party records: Automatic LEI validation and enrichment can reduce basic data issues that otherwise degrade RoI and vendor oversight outputs.

    • Implementation Considerations

  • Roadmap timing matters: Some modules are planned for 2026 (IM in Q2 2026; RMG and IIS in Q4 2026). Depending on your supervisory deadlines and internal priorities, you may need interim processes for incident reporting or internal ICT risk governance.
  • Governance still requires design decisions: A platform can enforce workflow stages, but you still need to define roles, thresholds, review cadence, and what “good” looks like for your entity and competent authority.
  • Data migration and normalization effort: Moving from spreadsheets or multiple systems into a structured RoI and TPRM model usually requires initial cleanup, mapping, and ownership alignment.
  • Not a substitute for legal interpretation: Contractual requirements and incident threshold interpretations depend on the applicable RTS/ITS and your classification. You should plan for legal and compliance review alongside tooling.
    • digital-operational-resilience-act-2022-depiction-of-a-defensible-ict-incident-r-1.jpg

    How to evaluate your DORA implementation approach (criteria)

    The “right” DORA approach is context-dependent. A small payment institution with a limited vendor landscape may not need the same operating model as a cross-border banking group. The criteria below are the ones that most often determine whether your 2022-to-2025 transition becomes sustainable.

    1) Regulatory alignment depth (DORA Articles plus RTS/ITS readiness)

    Check whether your approach can incorporate updates from the European Supervisory Authorities (EBA, ESMA, EIOPA) without reworking the entire program. A practical test is whether you can adjust:

  • incident classification logic and reporting content to match the RTS on incident reporting and the ITS on reporting templates,
  • Register of Information structures and exports to align with the ITS on the Register of Information, and
  • third-party oversight documentation as supervisory expectations evolve.

    • Even if you store data centrally, you may still fail this criterion if you cannot produce consistent outputs across reporting cycles.

    2) Evidence quality and auditability

    DORA implementation often breaks on evidence, not intent. Evaluate whether you can reliably show:

  • who approved risk decisions and contractual exceptions,
  • what data was used at the time of decision-making,
  • how issues were tracked to closure, and
  • how recurring oversight was performed (and not only “planned”).

    • Platforms that maintain audit trails and controlled sign-offs can reduce audit friction, but only if you consistently use them as the system of record.

    3) ICT third-party oversight at scale (including dependencies)

    DORA’s 2022 adoption sharpened expectations on ICT TPP oversight and concentration risk. If you have dozens or hundreds of ICT relationships, assess whether your approach supports:

  • repeatable questionnaires and evidence collection,
  • risk scoring that can be explained to auditors and management,
  • workflows for review, challenge, and approval, and
  • visibility into dependencies and supply chain context where relevant.

    • DORApp’s verified TPRM capability is designed around questionnaire automation plus review/approval workflows and risk scoring, which may be relevant if your current process is largely manual.

    4) Reporting cadence and management body oversight

    DORA expects management body oversight. In practice, you need reporting that is:

  • regular (monthly/quarterly, depending on your governance),
  • consistent across entities and periods, and
  • grounded in live data rather than slideware.

    • Evaluate whether you can schedule, reproduce, and explain reports with the same definitions each time. DORApp’s verified reports and analytics capability (including exports and customizable dashboards) is positioned for this type of recurring oversight.

    5) Implementation realism: what you can run continuously

    A sustainable DORA program is usually the one your teams can operate continuously without heroics. Look for friction points:

  • manual consolidation across tools,
  • unclear ownership and sign-off routing,
  • lack of data quality controls (for example, vendor identifiers), and
  • difficulty producing RoI and management outputs on demand.

    • If those are your constraints, it may be worth exploring a DORA-dedicated platform. If your constraints are mainly legal interpretation or organizational change, tooling alone may not solve the problem, but it can still reduce the administrative load once governance is defined.

    Where Dorapp fits (consultative, MOFU recommendation)

    If your main challenge after DORA 2022 is operationalizing repeatable evidence across RoI and ICT third-party oversight, Dorapp is worth a structured evaluation. DORApp’s verified ROI and TPRM modules focus on maintaining an auditable system of record with workflow controls, audit trail, and report outputs. For teams that need to demonstrate “what changed” as measurable execution rather than policy updates, the platform may reduce manual work and improve consistency across reporting cycles.

    You can explore product structure via Why DORApp, or request a walkthrough via Book a Demo. If you want to validate fit before committing, Dorapp also offers a Free Trial – 14 Days (you should still plan for internal governance design and legal review alongside any tool).

    Frequently Asked Questions

    What changed in the Digital Operational Resilience Act in 2022, in practical terms?

    The 2022 adoption made operational resilience a harmonized EU requirement with explicit deliverables across ICT risk management, incident reporting, testing, and ICT third-party oversight. For most financial entities, the practical change was the need for repeatable, evidence-backed processes, not just policies. It also increased pressure to standardize governance and reporting across group entities and jurisdictions.

    Is “DORA 2022” the same as the rules that apply today?

    DORA was adopted in 2022, but it became fully applicable on 17 January 2025. The day-to-day compliance expectations are also shaped by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (EBA, ESMA, and EIOPA). You should verify which RTS/ITS are applicable to your institution’s classification and activities.

    Where can I find the “Digital Operational Resilience Act 2022 PDF”?

    Many teams search for “digital operational resilience act 2022 pdf” to reference the adopted legal text. In practice, your compliance baseline should include the consolidated DORA text plus the current RTS/ITS and any supervisory communications relevant to your competent authority. Legal counsel can help confirm you are referencing the correct consolidated version and the final technical standards in force.

    Did DORA replace existing ICT and outsourcing requirements?

    DORA generally sits alongside other EU and national requirements rather than eliminating them. Depending on your sector, you may still need to consider existing governance, outsourcing, and security expectations from your competent authority. A good implementation approach typically maps overlaps and conflicts and then uses DORA as the organizing framework for ICT risk, third-party oversight, testing, and incident reporting.

    What is the biggest implementation trap related to the 2022 changes?

    The most common trap is treating DORA as a documentation project instead of an operating model. Financial entities may produce policies and templates but still lack traceable workflows, quality gates, and consistent data. That becomes visible during audits, supervisory reviews, and incident situations. Sustainable compliance usually requires structured processes, clear ownership, and reproducible reporting across cycles.

    How does DORA affect ICT third-party risk management differently than before 2022?

    DORA’s 2022 adoption increased expectations for ongoing oversight of ICT third-party service providers, including better visibility into how ICT services support critical or important functions and how concentration risk is managed. The specifics depend on RTS/ITS and supervisory expectations, but most institutions need stronger inventories, repeatable vendor information collection, documented assessments, and governance evidence.

    Does every financial entity need TLPT under DORA?

    No. Threat-led penetration testing (TLPT) is not automatically required for every financial entity. Applicability depends on criteria and supervisory decisions under DORA’s testing framework and related technical standards. Even when TLPT is not required, DORA still expects a digital operational resilience testing program, with governance, scope definition, and remediation tracking that can be evidenced.

    What should I evaluate in a DORA tool after the 2022 adoption?

    Evaluate whether the tool supports evidence quality, workflow controls, third-party oversight at scale, and repeatable reporting that management bodies and auditors can rely on. You should also assess how the tool aligns to DORA pillars and how easily it can be adapted as RTS/ITS evolve. Tooling should reduce manual coordination, but it cannot replace governance design or legal interpretation.

    Which Dorapp modules are most relevant to the “what changed in 2022” question?

    Based on verified information, DORApp ROI (Register of Information) and DORApp TPRM (Third-Party Risk Management and Questionnaire Automation) align closely with the operational demands that became more explicit after 2022: maintaining structured records, evidence, approvals, and recurring reporting. Modules for incident management (IM), ICT risk management governance (RMG), and information sharing (IIS) are on the product roadmap for 2026.

    How should a financial entity start if its DORA program is behind?

    Most institutions benefit from prioritizing the areas that create the most supervisory exposure: Register of Information completeness, third-party oversight for critical or important functions, and incident classification and reporting readiness. A phased plan can be effective if it is tied to governance and evidence requirements, not only project milestones. Depending on your setup, a dedicated platform can help operationalize the work once responsibilities and review gates are defined.

    What are the 5 pillars of the Digital Operational Resilience Act?

    DORA is commonly structured into five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing (including TLPT where applicable), ICT third-party risk management, and information sharing arrangements. The key implementation point is that each pillar needs owners, cadence, and audit-ready evidence. In most institutions, treating the pillars as operational programs, not themes, is what makes supervisory engagement manageable.

    Who needs to comply with the Digital Operational Resilience Act (DORA)?

    DORA applies to a range of EU-regulated financial entities listed in Article 2 of DORA, including many banks, investment firms, insurance and reinsurance undertakings, payment institutions, and crypto-asset service providers. The scope determination for your institution may depend on authorizations, activities, and group structure. Consult qualified legal or regulatory counsel for institution-specific scope confirmation.

    What does DORA require a financial entity to do during an ICT incident?

    Under Chapter III of DORA, financial entities are expected to manage ICT-related incidents and report major ICT-related incidents to their competent authorities using RTS-defined classification criteria and ITS reporting templates. In practice, you typically need a controlled workflow that captures classification decisions, reporting approvals, timelines, and supporting evidence, and that can be reproduced consistently across incidents.

    Does DORA apply to ICT providers like cloud service providers?

    DORA is primarily a financial sector regulation, but it establishes an EU oversight framework for certain critical ICT third-party service providers. Even where a provider is not directly supervised in the same way as a financial entity, DORA still requires financial entities to manage ICT third-party risk and meet contractual and oversight expectations for ICT services they rely on. How this applies in a specific arrangement can depend on the service, criticality, and supervisory interpretation.

    Key Takeaways

  • DORA’s 2022 adoption changed expectations from fragmented practices to a single, enforceable, cross-sector operating model.
  • The most material “change” was the need for traceable evidence: approvals, workflow history, and reproducible reporting.
  • ICT third-party oversight became a continuous discipline, with more emphasis on dependencies and concentration risk.
  • Testing and incident reporting became regulated workflows shaped by RTS/ITS, not only internal playbooks.
  • A DORA-dedicated platform may help when your constraint is workflow control and evidence quality, not only policy drafting.

    • Conclusion

    The “Digital Operational Resilience Act 2022” moment matters because it marked the shift from optional best practices to a harmonized EU resilience regime with explicit obligations and artifacts that must be maintained over time. For implementation leaders, the practical question is whether your DORA program is built to produce consistent evidence across cycles: RoI updates, ICT third-party assessments, management reporting, and traceable decisions.

    If you are evaluating how to operationalize that evidence burden, Dorapp is worth considering as a DORA-focused platform, particularly for Register of Information execution and third-party risk workflows. You can book a demo to review ROI and TPRM workflows, or use the DORApp Help Center to understand how reporting, audit trails, and workflow controls are designed to support auditable DORA operations.

    Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. DORA compliance obligations vary depending on the classification and size of your financial institution. Consult qualified legal or regulatory counsel to assess your specific obligations under the Digital Operational Resilience Act and applicable regulatory technical standards.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.