Who needs to comply with DORA? All your questions answered
The Digital Operational Resilience Act (DORA) was developed to protect the financial sector—a frequent target of cyberattacks. According to the IMF’s 2024 Global Financial Stability Report, cyber incidents have risen steadily since 2004, and nearly 20% of attempts target financial institutions.
DORA is an EU regulation intended to improve cybersecurity and operational resilience across the financial ecosystem. While it applies most directly to institutions offering financial services in the EU, many critical third-party ICT providers also fall within its scope—often through contractual and oversight requirements imposed by financial entities.
If you are asking who needs to comply with DORA, this guide explains scope, deadlines, and penalties, and lays out a practical path to readiness.
This guide covers:
- Who must comply with DORA (and who is exempt)
- ICT third-party service providers and extraterritorial reach
- The January 2025 compliance deadline and oversight timeline
- Penalties for financial entities and critical ICT providers
- Four steps to achieve and maintain DORA compliance

Related guides:
- What is DORA? Everything you need to know
- The 5 pillars of DORA: a detailed breakdown
- The DORA compliance checklist
- GDPR, NIS 2, and DORA: third-party risk convergence
- How DORA impacts UK entities
Key takeaways
- DORA applies to 21 categories of financial and ICT entities under Article 2—including banks, insurers, investment firms, and ICT third-party service providers (ICT TPSPs).
- ICT TPSPs (cloud, software, MSPs, cybersecurity vendors) are often in scope indirectly through financial-entity contracts and critical provider oversight—not only EU-headquartered firms.
- The main compliance deadline was January 17, 2025; oversight of critical ICT TPSPs ramps up after designation and register processes (including the April 30, 2025 register milestone referenced in the regulatory timeline).
- Penalties can reach up to 2% of global annual turnover for financial entities and substantial fines for critical ICT providers, plus reputational and operational restrictions.
- There is no single official DORA certification today—teams typically demonstrate readiness through gap analysis, control implementation, evidence, and executive self-attestation, supported by ongoing monitoring.
DORA at a glance
DORA is an EU regulation designed to strengthen the financial sector—including financial entities and their critical third-party information and communications technology (ICT) service providers—so organizations can manage, respond to, and recover from cyber and operational risks.
It establishes a structured risk management framework drawing from widely used security programs (for example, ISO 27001- and NIST-aligned practices). In practice, DORA pushes organizations to formalize expectations for:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- ICT incident management, reporting, and classification
- Information-sharing arrangements (optional but part of mature programs)
Before DORA, EU jurisdictions applied disparate—and sometimes generic—rules that could create gaps and conflicts. DORA aims to harmonize ICT risk management requirements across the EU’s financial ecosystem.
Who must comply with DORA?
DORA’s scope is designed with the stability and resilience of the EU’s financial supply chain in mind.
Threat actors often compromise an organization by exploiting weaknesses in third-party technology dependencies. DORA addresses that risk by requiring in-scope entities—and certain critical third parties—to follow a comprehensive ICT risk framework.
As of January 2025, Article 2 of DORA specifies 21 categories of in-scope entities:
| # | Entity category |
|---|---|
| 1 | Credit institutions |
| 2 | Payment institutions (including those exempted under Directive (EU) 2015/2366) |
| 3 | Account information service providers |
| 4 | Electronic money institutions |
| 5 | Investment firms |
| 6 | Crypto-asset service providers |
| 7 | Central securities depositories |
| 8 | Central counterparties |
| 9 | Trading venues |
| 10 | Trade repositories |
| 11 | Alternative investment fund managers |
| 12 | Management companies |
| 13 | Data reporting service providers |
| 14 | Insurance and reinsurance undertakings |
| 15 | Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries |
| 16 | Institutions for occupational retirement provision |
| 17 | Credit rating agencies |
| 18 | Administrators of critical benchmarks |
| 19 | Crowdfunding service providers |
| 20 | Securitization repositories |
| 21 | ICT third-party service providers |
Financial entities in practice
DORA directly applies to entities providing financial services in the EU in any capacity. Depending on authorization and activities, this can include banks, investment firms, funds, pension institutions, insurers, payment institutions, and other regulated organizations in the financial services ecosystem.
ICT third-party service providers (ICT TPSPs)
The final category—ICT TPSPs—is where many technology vendors enter the picture. ICT TPSPs can include:
- Software vendors
- Cloud service providers
- Data analytics firms
- Managed service providers (MSPs)
- Cybersecurity and other technology providers supporting core financial services
DORA’s oversight model distinguishes critical ICT providers from non-critical ones. Financial entities impose contractual requirements on vendors; critical providers face direct supervisory oversight under the framework described in Article 31.
Extraterritorial reach: A US-based SaaS company or UK-based MSP serving EU financial entities may still need to meet DORA-driven contractual and oversight expectations—similar in spirit to how GDPR can apply beyond EU borders when processing EU data.
Example: a cloud provider with access to a bank’s customer financial records may be treated as an ICT TPSP in scope, regardless of where the vendor is headquartered.
ICT TPSPs commonly must support requirements such as:
- Cooperating with financial entities on resilience testing
- Notifying financial entities about ICT-related incidents and disruptions
- Maintaining business continuity and operational resilience plans
- Complying with applicable EU privacy and confidentiality obligations
For third-party risk operationalization, see GDPR, NIS 2, and DORA: third-party risk.
Who is exempt from DORA?
DORA excludes certain entities due to smaller size, limited ICT risk exposure, or non-critical operations.
Per Article 2, exemptions include:
- Managers of alternative investment funds referred to in Article 3(2) of Directive 2011/61/EU
- Small insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC
- Institutions for occupational retirement provision operating pension schemes with fewer than 15 members
- Natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (MiFID II)
- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries that are microenterprises or SMEs
- Post office giro institutions as mentioned in Article 2(5) of Directive 2013/36/EU
Member States may also exclude certain entities from DORA’s scope if they notify the Commission and publish the decision.
Even if exempt, adopting DORA-aligned practices can still help you:
- Strengthen security posture and resilience testing discipline
- Build third-party risk management that wins enterprise deals
- Improve operational continuity and incident response maturity
- Demonstrate trust to financial-sector customers and partners
What's the deadline for DORA compliance?
| Milestone | Date (regulatory timeline) |
|---|---|
| DORA entered into force | January 16, 2023 |
| Application / compliance deadline | January 17, 2025 |
| Critical ICT TPSP register milestone (ESA process) | April 30, 2025 (as referenced in the oversight implementation timeline) |
The January 17, 2025 date marks when applicable requirements needed to be in place for in-scope financial entities, and when oversight activities by European Supervisory Authorities (ESAs) and competent authorities (per Article 46) intensified.
Operationally, oversight includes:
- Competent authorities designating ICT TPSPs as critical or non-critical
- ESAs maintaining a register of critical ICT TPSPs, then proceeding with supervision for designated critical providers
UK entities with EU exposure should also read How DORA impacts UK entities.
What are the consequences of non-compliance with DORA?
DORA is mandatory. Non-compliance can create financial, operational, and reputational consequences for financial entities and ICT TPSPs. Member States define administrative penalties and remedial measures in national law.
The table below summarizes maximum penalty frameworks described in the regulation (confirm current national implementation with counsel):
| Applicable to | Potential penalties (high level) |
|---|---|
| Financial entities | Up to 2% of total annual worldwide turnover, or up to 1% of average daily worldwide turnover; up to €1,000,000 for individual non-compliance in some cases |
| Critical ICT TPSPs (entities) | Up to €500,000 for designated critical providers (companies) |
| ICT TPSPs (individuals) | Up to €500,000 for individual non-compliance in some cases |
Beyond fines, competent authorities may impose:
- Public reprimands
- Operational and business restrictions
- Legal action against senior management in certain jurisdictions (outcomes vary by Member State)
4 steps to meet DORA compliance requirements
Step 1: Understand the framework’s pillars
DORA is commonly organized into five pillars:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- ICT incident management, reporting, and classification
- Information sharing (optional but valuable at maturity)
Work with IT, security, risk, and compliance stakeholders to define policies, processes, and systems for each pillar. Use The DORA compliance checklist to translate requirements into owned deliverables.
Step 2: Perform a gap analysis
Review current ICT risk practices through security reviews, risk assessments, and infrastructure audits. Document gaps in a format that maps directly to remediation tasks and evidence needs.
Step 3: Implement missing controls
Translate gaps into an implementation plan with:
- Task owners and responsibilities
- Timeline and milestones
- KPIs for progress tracking
- Regular reporting cadence for leadership and risk committees
Step 4: Perform self-attestation—and plan ongoing monitoring
There is not yet an official third-party DORA certification that is as widely recognized as ISO 27001 certification. Many organizations demonstrate readiness through a documented self-attestation signed by a senior executive or compliance leader, supported by evidence that the controls are operating.
Compliance does not end at attestation. Plan ongoing monitoring for control drift, vendor changes, incidents, and regulatory updates.
Get DORA-compliant faster with SecureSlate
DORA forces teams to move quickly: confirm scope, map pillars to controls, close gaps, and produce defensible evidence under oversight.
SecureSlate helps operationalize that work so readiness is not trapped in spreadsheets:
- Map DORA requirements to controls with owners, due dates, and status tracking
- Centralize evidence for ICT risk, incidents, testing, and third-party oversight
- Automate collection through integrations across cloud, SaaS, identity, and security tooling (200+ integrations—validate your stack in a pilot)
- Cross-map frameworks so SOC 2, ISO 27001, GDPR, and NIS 2 evidence supports DORA where controls overlap
- Vendor risk workflows aligned to ICT third-party pillars—inventory, tiering, assessments, and monitoring triggers
- Continuous control monitoring to reduce surprises between oversight reviews
If you already run SOC 2 or ISO 27001 in SecureSlate, you can often reuse evidence and policies—reducing duplicate work when adding DORA.
FAQ: Who needs DORA compliance?
Do UK companies need to comply with DORA?
UK firms without EU financial services activities may fall outside direct DORA application—but many still face contractual DORA requirements from EU financial customers and critical-provider expectations. See How DORA impacts UK entities.
Do US SaaS vendors need DORA compliance?
If you provide ICT services to EU financial entities—especially in critical or material ways—you may need to meet contractual and oversight obligations even if you are US-headquartered. Scope depends on services, designation as critical, and customer contracts.
Is DORA the same as NIS 2?
No. DORA targets the financial sector and ICT resilience for financial entities and critical ICT providers. NIS 2 applies more broadly to essential and important entities across many sectors. Some organizations may need to consider both.
What is the difference between a financial entity and an ICT TPSP?
Financial entities are regulated organizations providing financial services in the EU. ICT TPSPs provide technology services to those entities; critical providers can face direct supervisory oversight in addition to contractual duties.
Is there an official DORA certification?
Not in the same way as ISO 27001. Teams typically rely on gap analysis, control implementation, evidence, monitoring, and self-attestation—validated by internal governance and supervisory review.
How long does DORA implementation take?
Timelines vary by maturity, entity type, and vendor complexity. Teams with existing ISO 27001 or SOC 2 programs often move faster because policies, risk processes, and evidence models already exist.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute legal advice or create an attorney-client relationship. DORA applicability, exemptions, penalties, and oversight processes depend on your entity type, Member State implementation, and contracts. Confirm obligations with qualified counsel and competent authorities.