Key Takeaways:
DORA is a directly applicable EU regulation that standardizes how financial entities manage ICT risk, incident response, resilience testing, and critical third‑party oversight across all member states.
DORA’s scope is broad, covering banks, insurers, investment firms, payment and crypto‑asset providers, crowdfunding and data services, and critical ICT third‑party providers, with requirements scaled by size and risk under the proportionality principle.
Compliance is continuous, not a one‑off project: firms must maintain documented ICT risk frameworks, incident response and reporting, operational resilience testing (including mandatory TLPT for systemic entities), and rigorous third‑party governance, supported by ongoing monitoring, testing, and record‑keeping.
The stakes are high for both organizations and leadership: non‑compliance can trigger fines up to 2% of global turnover or €10 million, daily penalty accruals, public naming, and even personal financial sanctions on senior management, making genuine, threat‑led penetration testing a critical way to demonstrate due diligence.
The Digital Operational Resilience Act (DORA) represents the European Union’s most significant cybersecurity regulation for financial services. Effective January 17, 2025, DORA establishes binding requirements for how financial entities manage ICT risk, respond to incidents, test operational resilience, and oversee third-party providers. Organizations that fail to achieve DORA compliance face substantial penalties and regulatory action.
What is DORA?
DORA is an EU regulation designed to strengthen the operational resilience of financial sector entities against ICT-related disruptions and cyber threats. Unlike directives that require member state transposition, DORA applies directly and uniformly across all EU member states.
The regulation recognizes that financial institutions have become entirely dependent on information and communication technology. A significant ICT failure or cyberattack at a major institution could cascade across the financial system, threatening economic stability. This is not a theoretical risk. Cyberattacks on European financial services more than doubled in 2023, with banks across Belgium, France, Italy, and other member states targeted by DDoS attacks linked to geopolitical tensions.
One incident stands out: in January 2023, a ransomware attack on ION Trading, a financial data provider, disrupted derivatives trading across dozens of European banks and brokers for several days, demonstrating precisely how a single third-party provider failure can cascade across the financial system. DORA addresses this systemic risk by mandating comprehensive ICT risk management, incident reporting, resilience testing, and third-party oversight.
Three European Supervisory Authorities oversee DORA implementation: the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA). These bodies develop technical standards and coordinate supervision across the financial sector.
What is the Purpose and Scope of DORA?
DORA’s purpose is to ensure financial entities can withstand, respond to, and recover from ICT-related incidents. The regulation harmonizes previously fragmented cybersecurity requirements across the EU financial sector, creating a consistent framework that applies to:
- Banks and credit institutions
- Investment firms and trading venues
- Insurance and reinsurance companies
- Payment service providers
- Crypto-asset service providers
- ICT third-party service providers deemed critical
- Crowdfunding platforms and data reporting providers
DORA applies the proportionality principle, meaning requirements scale based on size, risk profile, and complexity. Smaller entities face simplified obligations, while systemically important institutions must meet the most rigorous standards, including mandatory threat-led penetration testing.
How Do Financial Entities Comply with DORA?
DORA compliance requires financial entities to implement comprehensive ICT risk management frameworks, establish incident response capabilities, conduct regular resilience testing, and maintain oversight of third-party ICT providers. The regulation demands documented policies, procedures, and governance structures that demonstrate ongoing commitment to operational resilience.
Compliance is not a one-time achievement. DORA requires continuous monitoring, regular testing, and periodic reviews of all ICT risk management practices. Organizations must maintain detailed records and be prepared for regulatory examination at any time.
The penalties for non-compliance are substantial. Financial institutions face fines up to 2% of global annual turnover or €10 million, whichever is higher. Fines can accumulate daily until compliance is achieved. Regulators can also publicly disclose violations, compounding financial penalties with reputational damage.
Critically, DORA holds senior management personally accountable. Board members and executives face individual fines reaching €1 million or more depending on member state. This is not corporate liability that gets absorbed into operating costs. Personal assets are at stake. When regulators investigate a compliance failure, they will examine whether leadership ensured adequate testing was conducted. Genuine penetration testing creates a documented record of due diligence. Industry standard checkbox assessments do not. The difference between the two can determine whether executives face personal sanctions when something goes wrong.
What are the DORA Requirements?
DORA establishes five pillars of requirements that financial entities must address:
1. ICT Risk Management
Financial entities must establish and maintain comprehensive ICT risk management frameworks. This includes identifying all ICT assets and dependencies, assessing risks, implementing protective measures, and continuously monitoring for threats. Management bodies bear direct responsibility for ICT risk oversight and must approve risk management policies.
Key requirements include documented ICT security policies, access control mechanisms, encryption standards, vulnerability management processes, and business continuity planning. Organizations must also implement detection capabilities to identify anomalous activities and potential security incidents promptly.
2. Incident Response & Reporting
DORA mandates standardized incident classification, response procedures, and reporting obligations. Financial entities must classify ICT-related incidents based on defined criteria and report major incidents to competent authorities within strict timeframes.
Initial notifications must be submitted within hours of incident detection, with follow-up reports providing root cause analysis and remediation details. Organizations must maintain incident registers documenting all ICT-related incidents, their impacts, and lessons learned. This incident reporting framework enables regulators to identify systemic threats and coordinate sector-wide responses.
3. Operational Resilience Testing
DORA mandates that all covered entities conduct regular penetration testing and resilience assessments of their ICT systems. This is not optional. Basic testing requirements include vulnerability testing, network security assessments, and scenario-based testing of business continuity plans.
Systemically important entities must go further. DORA requires these organizations to conduct threat-led penetration testing (TLPT), which is far different from the industry standard. These advanced tests emulate real attack scenarios based on current threat intelligence, testing the full detection and response chain. TLPT must be conducted by qualified testers using methodologies aligned with the TIBER-EU framework.
4. Third-Party Risk Management
Financial entities must implement rigorous oversight of ICT third-party service providers. This includes conducting due diligence before engagement, maintaining registers of all ICT service arrangements, and ensuring contracts include specific provisions addressing security requirements, audit rights, and exit strategies.
DORA introduces a novel oversight framework for critical ICT third-party providers. Regulators can designate providers as critical based on systemic importance, subjecting them to direct regulatory oversight. This addresses concentration risk where multiple financial institutions depend on the same cloud providers or technology vendors.
5. Information Sharing (Optional)
DORA encourages voluntary information sharing about cyber threats, vulnerabilities, and incidents among financial entities. While not mandatory, participation in trusted information sharing arrangements helps organizations benefit from collective intelligence about emerging threats and effective defensive measures.
How Netragard Can Help
DORA’s operational resilience testing requirements demand genuine penetration testing capabilities that go far beyond automated vulnerability scanning or AI penetration testing services. Netragard’s penetration testing services deliver the human-driven, intelligence-led tests that DORA compliance requires.
Threat-Led Penetration Testing
For entities subject to DORA’s advanced testing requirements, Netragard delivers threat-led penetration testing aligned with TIBER-EU (Threat Intelligence‑Based Ethical Red Teaming) standards. Our assessments begin with threat intelligence specific to your organization, identifying the threat actors most likely to target you and the techniques they employ. We then emulate realistic attack scenarios that test your detection capabilities, incident response procedures, and overall operational resilience. The end result delivers the contextualized threat intelligence you need to build effective threat-informed defenses.
Since 2006, Netragard has specialized in advanced penetration testing that emulates real-world attackers. Our Real Time Dynamic Testing methodology provides the depth and rigor that DORA demands, delivering documented evidence of your security posture that demonstrates due diligence to regulators, while also delivering real protective value. When compliance questions arise, leadership needs to show they invested in genuine security testing, not superficial assessments that satisfy procurement but fail under scrutiny. Request a Quote to discuss how we can support your DORA compliance program.
For organizations also subject to GDPR, see our guide on GDPR penetration testing requirements.
DORA Compliance Checklist
Use this checklist to assess your organization's DORA readiness across the four mandatory pillars:
- ICT Risk Management
- Incident Response & Reporting
- Operational Resilience Testing
- Third-Party Risk Management
FAQ
Is DORA only for companies based in the EU?
DORA applies to financial entities operating within the EU, regardless of where they are headquartered. Non-EU firms with EU operations, subsidiaries, or branches must comply. Additionally, ICT third-party service providers serving EU financial entities may be designated as critical and subject to direct oversight, even if based outside the EU. Organizations providing services to EU financial institutions should assess whether DORA requirements affect their operations.
How does DORA differ from NIS2?
DORA and the NIS2 Directive both address cybersecurity but target different sectors with different mechanisms. NIS2 is a directive requiring member state transposition that applies broadly across essential and important sectors including energy, transport, healthcare, and digital infrastructure. DORA is a regulation applying directly and specifically to financial services. Financial entities subject to DORA are generally exempt from NIS2’s corresponding requirements, though they must still comply with other NIS2 provisions. DORA’s requirements are more prescriptive and include unique elements like the critical third-party oversight framework.
What is Threat-Led Penetration Testing (TLPT)?
Threat-led penetration testing is an advanced form of security assessment that simulates realistic attacks based on current threat intelligence. Unlike standard penetration testing that broadly assesses security controls, TLPT focuses on emulating the specific threat actors targeting your organization and sector. Testers use intelligence about adversary tactics, techniques, and procedures to craft scenarios that test your full detection and response capabilities. DORA requires systemically important financial entities to conduct TLPT at least every three years using methodologies aligned with the TIBER-EU framework. The assessment must be performed by qualified internal or external testers and include a red team phase that tests live production systems.