DORA Compliance Guide: Digital Operational Resilience Act For Financial Entities And ICT Providers
The EU Digital Operational Resilience Act, usually called DORA, is now one of the most important cybersecurity and ICT risk regulations for the European financial sector. It applies from 17 January 2025 and changes how financial entities manage ICT risk, incidents, resilience testing, third-party providers and operational continuity.
DORA is different from many older cybersecurity rules because it treats digital resilience as a core part of financial stability. A bank, insurer, payment institution, investment firm, crypto-asset service provider or other financial entity does not only need good technical controls. It must also be able to prove that it can identify ICT risks, protect critical functions, detect and report major incidents, recover from disruption, test resilience, manage third-party dependencies and keep evidence for supervisors.
For ICT third-party providers, DORA is equally important even when the provider is not itself a regulated financial entity. Financial customers increasingly need contractual evidence, audit rights, incident cooperation, security documentation, testing results, vulnerability handling and exit support from their ICT suppliers. In practice, DORA has become a major procurement and vendor-risk requirement across the European financial technology ecosystem.
SecPoint products such as the Penetrator vulnerability scanner and Protector security appliance can support DORA readiness activities by helping organizations discover vulnerabilities, document technical risk, prepare testing evidence and strengthen network security. They do not replace the financial entity's DORA governance duties and they do not constitute DORA certification.
What Is DORA?
DORA is Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025. The regulation aims to harmonize ICT risk management and digital operational resilience requirements across the EU financial sector.
Before DORA, ICT risk requirements were spread across different EU and national rules for banking, insurance, investment services, payments, securities markets and other financial activities. DORA creates a common framework for digital operational resilience. It is not only about preventing cyberattacks. It is about ensuring that financial entities can continue critical services, recover from disruption and manage ICT dependencies in a controlled way.
DORA is built around several practical themes: ICT risk management, incident management and reporting, digital operational resilience testing, ICT third-party risk management, information sharing and oversight of critical ICT third-party providers. These themes are connected. An organization cannot report major ICT incidents quickly if it cannot detect and classify them. It cannot manage third-party risk if it does not know which providers support critical or important functions. It cannot test resilience if it has not defined what needs to remain available, authentic, intact and confidential.
Who Must Care About DORA?
DORA primarily applies to financial entities in the EU financial sector. It also creates a framework for ICT third-party service providers, including contractual expectations for providers used by financial entities and EU-level oversight for providers designated as critical. Article 2 lists many categories of financial entities and also refers to ICT third-party service providers. Regulatory summaries often describe DORA as applying to around 20 categories of financial entities, plus the ICT third-party provider framework.
| Group | Examples | DORA Relevance |
|---|---|---|
| Banks and payment sector | Credit institutions, payment institutions, electronic money institutions, account information service providers | Directly relevant for ICT risk management, incident reporting, testing and third-party risk |
| Investment and markets | Investment firms, trading venues, central securities depositories, central counterparties, trade repositories | Directly relevant where the entity falls within DORA scope |
| Funds and asset management | Management companies, alternative investment fund managers, data reporting service providers | Applies according to DORA scope and specific exclusions |
| Insurance and pensions | Insurance undertakings, reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision | Applies with specific scope rules and exclusions for some smaller entities |
| Crypto and crowdfunding | Crypto-asset service providers, issuers of asset-referenced tokens, crowdfunding service providers | Important for newer digital finance businesses that rely heavily on ICT infrastructure |
| ICT third-party service providers | Cloud providers, SaaS providers, managed service providers, software vendors, data centers, security service providers | Affected through customer contracts and, if designated critical, through EU-level oversight |
DORA includes proportionality. The way a large systemic bank implements DORA will not be identical to the way a smaller regulated financial entity implements it. However, proportionality is not an exemption from having controls, policies, evidence and governance. It means the design and depth of controls should reflect the entity's size, risk profile, complexity, services and dependencies.
DORA Is Not A Product Certification
DORA should not be confused with a product certification regime. It is not the same as CE marking, CRA conformity assessment or an official cybersecurity certificate for a firewall, scanner or cloud platform. DORA is mainly a financial-sector operational resilience regulation. It tells financial entities how to govern ICT risk, manage third-party dependencies, test resilience and report major incidents.
This distinction matters for cybersecurity vendors. A vendor should be careful with marketing language. It is safer and more accurate to say that a product or service can support DORA readiness, DORA evidence, DORA testing, DORA ICT risk management or DORA third-party risk documentation. It is usually not accurate to say that a product is "DORA certified" unless a specific recognized certification or supervisory mechanism actually exists for that claim.
The Five Practical Pillars Of DORA
DORA is often explained through five practical pillars. These pillars are useful because they translate a complex legal text into operational workstreams.
| Pillar | What It Means | Typical Evidence |
|---|---|---|
| ICT risk management | Governance, policies, controls, identification, protection, detection, response, recovery and learning | Risk framework, asset inventory, control mapping, vulnerability records, security architecture, policies |
| ICT incident reporting | Detect, classify and report major ICT-related incidents to competent authorities within required timelines | Incident procedures, classification records, notification templates, escalation logs, post-incident reports |
| Digital operational resilience testing | Test ICT systems, controls, continuity, recovery and, for selected entities, threat-led penetration testing | Vulnerability scans, penetration tests, recovery tests, tabletop exercises, test remediation tracking |
| ICT third-party risk | Manage providers that support business operations, especially critical or important functions | Register of information, contracts, SLAs, audit rights, exit plans, subcontractor details, concentration risk analysis |
| Information sharing | Allow financial entities to share cyber threat information and intelligence under controlled conditions | Sharing agreements, threat intelligence process, confidentiality rules, internal handling procedure |
Governance And Management Responsibility
DORA makes ICT risk a management responsibility. Article 5 requires financial entities to have an internal governance and control framework that ensures effective and prudent management of ICT risk. The management body is responsible for defining, approving, overseeing and implementing arrangements related to the ICT risk management framework.
In practical terms, DORA is not something that can be delegated entirely to an IT administrator or outsourced to a vendor. The board or management body must understand the risk, approve the framework, allocate resources, define roles and ensure that the organization can maintain high standards of availability, authenticity, integrity and confidentiality of data.
Governance Checklist
- Define management responsibility for ICT risk and digital operational resilience.
- Document roles and responsibilities across management, IT, security, compliance, risk, procurement and business owners.
- Maintain an ICT risk management framework approved at the appropriate level.
- Link ICT risk decisions to critical or important business functions.
- Review ICT risk reporting regularly, not only after incidents.
- Ensure outsourced ICT services remain under internal oversight.
- Keep evidence of decisions, reviews, risk acceptance and remediation tracking.
ICT Risk Management Under DORA
DORA expects financial entities to manage ICT risk throughout the lifecycle of systems and services. This includes identifying assets and dependencies, protecting systems, detecting anomalous activity, responding to incidents, recovering services and learning from events.
A useful DORA readiness question is: can the organization prove which ICT assets support which critical or important functions, which vulnerabilities affect them, which controls protect them, which providers operate them, and how quickly they can be recovered?
| Risk Area | Practical Control Questions | Evidence To Keep |
|---|---|---|
| Asset and dependency identification | Do we know which systems, applications, networks, databases, endpoints and providers support each function? | Asset inventory, network diagrams, CMDB, service mapping, provider register |
| Vulnerability management | Do we scan regularly, classify findings, prioritize remediation and document accepted risk? | Scan reports, remediation tickets, exception approvals, patch records |
| Access control | Are privileged accounts controlled, reviewed and monitored? | Access reviews, MFA records, privileged account inventory, audit logs |
| Network security | Are critical environments segmented and protected by appropriate perimeter and internal controls? | Firewall rules, change records, segmentation tests, IDS/IPS events |
| Backup and recovery | Can we restore critical services within defined recovery objectives? | Backup logs, restore tests, RTO/RPO evidence, continuity plans |
| Monitoring and detection | Can we detect abnormal activity quickly enough to classify and report major incidents? | SIEM logs, alert procedures, triage records, incident timelines |
DORA Incident Reporting
DORA requires financial entities to manage, classify and report major ICT-related incidents. The reporting regime is designed to harmonize how serious ICT incidents are notified to competent authorities across the EU financial sector.
Current DORA reporting rules are generally described as a three-step process for major ICT-related incidents: an initial notification, an intermediate report and a final report. Regulatory materials describe the initial notification as due as early as possible, within four hours from classification as major and no later than 24 hours from becoming aware of the incident; the intermediate report within 72 hours; and the final report within one month according to the applicable reporting rules.
Incident Reporting Readiness Checklist
- Define what counts as an ICT-related incident and how incidents are classified.
- Define when an incident becomes major and who can make that decision.
- Maintain 24/7 or appropriate escalation paths for critical signals.
- Prepare initial, intermediate and final report templates.
- Assign responsibility for regulator communication.
- Keep evidence of detection time, classification time, impact assessment and decisions.
- Run incident simulations to test whether reporting deadlines can be met.
- Include third-party incident notification duties in vendor contracts.
Digital Operational Resilience Testing
DORA requires financial entities to test digital operational resilience. Testing should not be treated as a one-time penetration test. It should be a structured program that gives management evidence that ICT systems, controls, continuity arrangements and recovery capabilities are working.
Testing can include vulnerability assessments, vulnerability scans, open-source analysis, network security assessments, gap assessments, scenario-based tests, compatibility testing, performance testing, end-to-end testing, penetration testing, physical security reviews, source-code reviews where relevant, and business continuity or disaster recovery exercises.
DORA also includes threat-led penetration testing, often called TLPT, for certain financial entities. TLPT is not necessarily required for every financial entity. It is a more advanced form of testing for entities that meet the relevant criteria and are instructed or required under the applicable DORA framework.
How SecPoint Penetrator Can Support Testing Evidence
SecPoint Penetrator can help prepare vulnerability scanning and security testing profiles that support DORA readiness. This can include external network scanning, internal vulnerability assessment, authenticated scanning, web application checks, reporting and remediation evidence.
The important word is support. A Penetrator scan report can be useful evidence for ICT risk management and resilience testing, but it is not a DORA certification. DORA compliance depends on the financial entity's full governance, risk management, incident reporting, testing, third-party risk and supervisory obligations.
| DORA Need | How Vulnerability Scanning Helps | What It Does Not Do |
|---|---|---|
| Identify ICT weaknesses | Find exposed services, missing patches, weak configurations and known vulnerabilities | Does not replace risk governance or management approval |
| Document remediation | Provide before-and-after evidence showing reduced technical risk | Does not decide legal compliance by itself |
| Support testing program | Run recurring profiles for external, internal, web and authenticated testing | Does not replace all forms of resilience testing or TLPT where required |
| Support third-party review | Help assess exposed systems or vendor-operated environments where contractually allowed | Does not override contractual or legal restrictions on testing |
ICT Third-Party Risk Under DORA
ICT third-party risk is one of the most operationally important parts of DORA. Financial entities increasingly depend on cloud platforms, SaaS systems, managed service providers, cybersecurity vendors, payment technology providers, data processors, software suppliers and infrastructure operators. DORA requires this dependency to be governed, documented and controlled.
Article 28 states that financial entities remain fully responsible for compliance even when they use ICT third-party service providers. This is a core DORA principle: outsourcing work does not outsource accountability.
Before entering into contractual arrangements for ICT services, financial entities need to assess whether the service supports a critical or important function, assess relevant risks, consider concentration risk, perform due diligence and ensure the provider is suitable. Article 30 sets out key contractual provisions for ICT services, including clear service descriptions, locations where services and data processing are provided, subcontracting conditions, security requirements, access and audit rights, termination rights and exit arrangements.
Third-Party Provider Checklist
- Maintain a register of ICT third-party service providers and contractual arrangements.
- Identify which providers support critical or important functions.
- Document service descriptions, SLAs, data locations and subcontracting rules.
- Assess concentration risk and substitutability for important providers.
- Include incident notification duties and cooperation timelines in contracts.
- Include access, audit and information rights where required.
- Define exit strategies for providers supporting critical or important functions.
- Review provider security evidence regularly, not only at contract signature.
Register Of Information
DORA requires financial entities to maintain a register of information for contractual arrangements with ICT third-party service providers. The register helps financial entities monitor ICT third-party risk and helps competent authorities and the European Supervisory Authorities understand dependencies and identify critical ICT third-party providers.
For many organizations, the register is one of the first places where DORA becomes operationally painful. A company may discover that it has dozens or hundreds of ICT services spread across cloud accounts, SaaS subscriptions, security tools, outsourced support, development platforms, data providers and business applications.
| Register Field Area | Practical Information To Collect |
|---|---|
| Provider identity | Legal name, group relationship, contact details, service owner, contract owner |
| Service description | ICT service provided, business function supported, criticality, dependencies |
| Contract details | Start date, renewal, termination, SLAs, support model, audit rights, subcontracting terms |
| Location and data | Service countries, data processing locations, storage locations, cross-border concerns |
| Risk and exit | Critical or important function, concentration risk, substitutability, exit plan, continuity impact |
Critical ICT Third-Party Providers
DORA creates an EU-level oversight framework for critical ICT third-party service providers, often called CTPPs. These are providers whose services are considered critical for the financial sector. The European Supervisory Authorities can designate critical providers and assign a Lead Overseer.
This does not mean every software vendor to a bank automatically becomes a critical ICT third-party provider under direct EU oversight. However, even non-critical providers can be deeply affected by DORA because financial customers must manage their ICT provider risk and often pass requirements into contracts.
DORA, NIS2, CRA And GDPR: How They Differ
DORA sits alongside other EU digital and cybersecurity rules. It is useful to understand what each regulation is trying to do.
| Regulation | Main Focus | Typical Question |
|---|---|---|
| DORA | Digital operational resilience in the financial sector | Can the financial entity manage ICT risk, report incidents, test resilience and control ICT providers? |
| NIS2 | Cybersecurity risk management and incident reporting for essential and important entities | Is the organization in a covered sector and does it manage cybersecurity risk appropriately? |
| CRA | Cybersecurity requirements for products with digital elements placed on the EU market | Is the hardware or software product secure by design, documented, supported and conformant? |
| GDPR | Protection of personal data and privacy rights | Is personal data processed lawfully, securely and transparently? |
A single organization or service can touch several regimes. A financial entity may be under DORA for ICT risk. A software product sold to that financial entity may be under CRA. Personal data processed during the service may be under GDPR. A provider or customer may also have NIS2 obligations depending on sector and national implementation.
DORA Readiness For ICT Providers
ICT providers serving financial customers should expect more questions from procurement, compliance, security and vendor-risk teams. Even when the provider is not directly supervised under DORA, the customer may need evidence from the provider to meet its own obligations.
What Financial Customers May Ask For
- Security overview and control documentation.
- Vulnerability management and patching process.
- Incident notification process and contact details.
- Service availability commitments and operational resilience evidence.
- Penetration test or vulnerability assessment summaries.
- Data processing and service location information.
- Subcontractor list and subcontracting change process.
- Business continuity, disaster recovery and backup approach.
- Exit support and data return or deletion process.
- Audit rights, customer assurance reports or independent assessment evidence.
A provider that can answer these questions clearly will be easier for financial customers to approve. A provider that cannot answer them may become a procurement risk, even if the product is technically strong.
How SecPoint Can Support DORA Readiness
SecPoint can support DORA readiness by helping organizations build technical evidence around vulnerability exposure, security testing and network protection. This support is most useful when it is integrated into the customer's governance and evidence process.
| SecPoint Area | DORA Readiness Support | Important Limit |
|---|---|---|
| Penetrator vulnerability scanning | Helps prepare scan profiles, detect vulnerabilities, document risk and provide remediation evidence | Does not certify DORA compliance or replace legal assessment |
| Protector security appliance | Supports network protection, firewalling, filtering and security control implementation | Controls must be configured and governed by the organization |
| Dark Web Search | Can support threat awareness, exposed credential checks and risk visibility | Does not replace full threat intelligence or incident reporting duties |
| Reporting and evidence | Scan reports can support audits, risk reviews, remediation tracking and management reporting | Reports are evidence inputs, not regulatory approval |
Practical DORA Checklist
The checklist below is a practical starting point for organizations that need to structure DORA readiness work. It is not a complete legal checklist, but it can help teams move from general awareness to evidence.
| Area | Question | Evidence |
|---|---|---|
| Scope | Is the organization a financial entity or ICT provider affected by DORA? | Scope assessment, legal entity mapping, service mapping |
| Governance | Has the management body approved ICT risk governance? | Policies, minutes, risk reports, responsibility matrix |
| Critical functions | Which services and ICT assets support critical or important functions? | Function inventory, asset mapping, dependency map |
| Risk management | Are ICT risks identified, assessed, treated and monitored? | Risk register, controls, remediation plans, acceptance records |
| Vulnerability management | Are systems scanned and remediated according to risk? | Scan reports, tickets, patch logs, exception approvals |
| Incident reporting | Can major ICT incidents be classified and reported on time? | Incident procedure, templates, exercises, escalation contacts |
| Testing | Is there a recurring digital operational resilience testing program? | Test plan, vulnerability scans, penetration tests, recovery tests |
| Third-party risk | Are ICT providers documented and controlled? | Register of information, contracts, due diligence, exit plans |
| Continuity | Can critical services continue or recover after disruption? | BCP/DR plans, restore tests, RTO/RPO evidence |
| Improvement | Are lessons learned from incidents and tests turned into action? | Post-incident reviews, remediation tracking, management updates |
Common DORA Mistakes
- Treating DORA as a one-time policy project instead of an operational evidence program.
- Assuming the IT department can own DORA alone without management, risk, compliance and procurement.
- Keeping vendor information in scattered spreadsheets without a controlled register.
- Running vulnerability scans without remediation ownership or evidence of closure.
- Having incident response plans that do not match regulatory reporting deadlines.
- Signing ICT provider contracts without audit rights, subcontractor visibility or exit support.
- Confusing a security product report with DORA certification.
- Waiting for a major incident before testing communication and escalation paths.
DORA Article-To-Action Mapping
DORA is a legal regulation, but implementation must become operational. The table below translates several important DORA areas into practical actions that security, compliance, procurement and management teams can understand. It is not a complete legal mapping, but it is useful for planning a readiness project and for explaining why technical evidence matters.
| DORA Area | Operational Meaning | Practical Action |
|---|---|---|
| Governance and organization | Management must own ICT risk and ensure responsibilities are clear | Create a DORA governance map, assign owners and report ICT risk to management regularly |
| ICT risk management framework | ICT risk must be identified, protected against, detected, responded to and recovered from | Maintain risk register, asset inventory, control mapping, monitoring process and recovery evidence |
| Identification | The entity must know which ICT assets, systems and providers support functions | Map critical or important functions to applications, infrastructure, networks, users and providers |
| Protection and prevention | Security controls must reduce ICT risk before disruption occurs | Use hardening, access control, segmentation, patching, vulnerability management and secure configuration |
| Detection | The entity must detect anomalous activity and ICT incidents quickly | Use logging, alerting, monitoring, vulnerability intelligence and defined triage procedures |
| Response and recovery | The entity must contain incidents and restore services | Maintain incident response plans, backups, restore tests, communication plans and lessons learned |
| Testing | Controls and resilience must be tested, not only described | Run vulnerability scans, penetration tests, recovery exercises and remediation verification |
| Third-party risk | ICT providers must be assessed and controlled through the lifecycle | Maintain provider register, due diligence, contract clauses, audit rights, exit plans and incident contacts |
Penetrator DORA Scan Profiles
A practical way to support DORA readiness is to create repeatable scan profiles. The goal is not to run random scans. The goal is to create predictable, documented testing evidence that can be repeated, compared and used for remediation tracking.
SecPoint Penetrator profiles can be prepared around the way financial entities think about ICT risk: external exposure, internal infrastructure, web applications, authenticated checks, critical systems, third-party connections and remediation validation. This makes the scan output easier to connect to DORA governance and risk reporting.
| Profile | Purpose | DORA Evidence Value |
|---|---|---|
| External exposure profile | Scan internet-facing IPs, VPN portals, remote access, web services and exposed infrastructure | Shows management and auditors what attackers can see from outside |
| Internal vulnerability profile | Scan internal servers, network devices, management interfaces and infrastructure services | Supports ICT risk identification and remediation prioritization |
| Authenticated system profile | Use credentials where allowed to check missing patches, package versions and local configuration | Provides deeper evidence than unauthenticated scanning alone |
| Web application profile | Check common web application weaknesses, TLS issues, headers, exposed files and application risks | Supports testing for customer portals, fintech apps and administration interfaces |
| Critical function profile | Focus scanning on systems supporting critical or important business functions | Connects technical findings to DORA criticality and business impact |
| Remediation validation profile | Rescan previously identified findings after patching or hardening | Creates evidence that risk was reduced, not only detected |
| Third-party boundary profile | Assess exposed services or integrations operated by providers where contractually allowed | Supports vendor-risk review and provider assurance conversations |
The strongest scan program is one where each profile has a purpose, schedule, owner, approval process, evidence folder and remediation workflow. For example, an external exposure profile may run monthly, while remediation validation may run after every critical fix. Critical systems may require a different scanning window and stronger change control.
Protector And Network Resilience
DORA does not require a specific firewall brand or one named technical architecture. It requires financial entities to manage ICT risk and maintain digital operational resilience. Network protection is one practical part of that wider control environment.
A security appliance such as SecPoint Protector can support network protection by helping enforce traffic rules, filtering, segmentation, VPN access, gateway security and other controls depending on configuration and deployment. For DORA purposes, the evidence is not merely that a firewall exists. The evidence should show why the control is needed, how it is configured, who approved the rules, how changes are reviewed and how logs or alerts are used.
Network Control Evidence
- Network diagram showing protected zones and critical systems.
- Firewall rule review records and change approvals.
- VPN and remote access configuration evidence.
- Segmentation test results for critical or important functions.
- Logs showing blocked or monitored activity where relevant.
- Backup and restore procedure for gateway configuration.
- Update and patching records for the security appliance.
- Incident response steps for suspected gateway compromise or misconfiguration.
This is also where DORA and CRA can meet in practice. DORA is about the financial entity's operational resilience. CRA is about cybersecurity requirements for products with digital elements placed on the EU market. A financial entity may ask a firewall vendor for both DORA-supporting evidence and product-security evidence under other regimes. The vendor should answer accurately and avoid mixing the regimes into one unclear claim.
DORA Evidence Folder Model
DORA readiness becomes much easier when evidence is organized by topic and date. A common problem is that organizations do many good security activities but cannot prove them quickly during an audit, supervisory review, vendor assessment or incident investigation. A structured evidence folder helps turn daily work into defensible proof.
The evidence folder does not need to be complicated at the beginning. It can start as a controlled document repository with owners and naming rules. Over time it can become part of a GRC platform, ticketing system or compliance evidence tool.
| Folder | Example Contents |
|---|---|
| 01-Governance | ICT risk policy, management approvals, roles, meeting minutes, reporting templates |
| 02-Asset-And-Function-Mapping | Critical functions, asset inventory, system owners, dependency maps, network diagrams |
| 03-Risk-Management | ICT risk register, control mapping, treatment plans, accepted risks, review records |
| 04-Vulnerability-Management | Penetrator reports, remediation tickets, exception approvals, patch evidence, rescan results |
| 05-Incident-Management | Incident playbooks, classification criteria, contact lists, report templates, exercise results |
| 06-Testing | Testing plan, vulnerability scans, penetration tests, recovery tests, tabletop exercises |
| 07-Third-Party-Risk | Provider register, due diligence, contracts, audit evidence, subcontractor data, exit plans |
| 08-Continuity-And-Recovery | BCP, disaster recovery plans, backup logs, restore tests, RTO/RPO evidence |
| 09-Management-Reporting | KPI dashboards, risk summaries, open remediation, overdue actions, board reports |
Vendor Questionnaire: How To Answer Safely
ICT providers selling to financial entities may receive DORA questionnaires. These questionnaires can ask whether the provider is DORA compliant, whether the product is DORA certified, whether the provider supports incident reporting, whether subcontractors are used and whether the customer can audit the provider.
The safest approach is to answer clearly without overclaiming. If a vendor is not itself a regulated financial entity or designated critical ICT third-party provider, it should avoid pretending to have the same DORA obligations as a bank. At the same time, it should show that it understands customer requirements and can provide security evidence.
| Customer Question | Careful Answer Style |
|---|---|
| Are you DORA certified? | DORA is not generally a product certification regime. SecPoint can provide security documentation and evidence that may support customer DORA readiness, but SecPoint does not issue or claim DORA certification. |
| Can your product support DORA? | Yes, SecPoint products can support DORA readiness activities such as vulnerability scanning, network security controls, dark web exposure checks and reporting evidence. |
| Can you help with vulnerability management? | Yes, Penetrator can run vulnerability scanning profiles, generate reports, support remediation validation and provide evidence for ICT risk management. |
| Do you support incident investigation? | SecPoint products can provide technical findings and security visibility. The customer's DORA incident classification and reporting duties remain the customer's responsibility. |
| Can we use your reports for audits? | Reports can be used as technical evidence inputs, subject to the customer's internal audit, compliance and supervisory requirements. |
DORA Metrics Management Should Track
DORA readiness should be measurable. Management needs more than long policy documents. It needs a small set of indicators that show whether ICT risk is improving or getting worse.
- Number of critical or high vulnerabilities open on critical systems.
- Average time to remediate critical and high vulnerabilities.
- Percentage of critical systems scanned within the required schedule.
- Number of overdue remediation actions.
- Percentage of ICT providers classified and entered in the register.
- Number of providers supporting critical or important functions without complete contract evidence.
- Backup restore success rate for critical systems.
- Incident detection-to-classification time during exercises.
- Incident classification-to-notification readiness during simulations.
- Number of open audit findings related to ICT risk or third-party providers.
These metrics should be reviewed by the right governance forum. DORA is not only about having controls; it is about knowing whether those controls are operating and whether risk is within the organization's tolerance.
30-Day DORA Readiness Start Plan
A full DORA program can be large, but the first steps should be practical and evidence-oriented.
| Days | Action | Output |
|---|---|---|
| 1-5 | Confirm DORA scope, entity type, regulated services and responsible owners | Scope memo and responsibility map |
| 6-10 | Identify critical or important functions and supporting ICT assets | Function and asset dependency map |
| 11-15 | Start ICT third-party register and classify providers | Initial register of information |
| 16-20 | Run baseline vulnerability scans on key exposed and internal systems | Risk-ranked vulnerability evidence |
| 21-25 | Review incident classification and reporting workflow | Incident reporting playbook and escalation list |
| 26-30 | Create management summary with gaps, risks, budget and next steps | DORA readiness action plan |
Frequently Asked Questions
Is DORA already active?
Yes. DORA applies from 17 January 2025. Financial entities in scope should already be operating under DORA requirements.
Is DORA only for banks?
No. DORA covers a broad range of financial entities, including banking, payments, investment services, insurance, market infrastructure, crypto-asset service providers and other financial-sector entities listed in the regulation.
Does DORA apply directly to all ICT vendors?
DORA includes ICT third-party service providers in its framework and creates direct EU-level oversight for providers designated as critical. Many non-critical ICT providers are affected mainly through their financial customers' contractual, audit, incident and assurance requirements.
Can a product be DORA certified?
DORA is not generally a product certification regime. A product can support DORA readiness, but the financial entity remains responsible for its DORA compliance. Vendors should avoid unsupported claims that a product is "DORA certified."
How can vulnerability scanning support DORA?
Vulnerability scanning helps identify ICT weaknesses, prioritize remediation, document technical risk and show evidence of recurring testing. This supports DORA ICT risk management and resilience testing, but it does not replace the full DORA governance framework.
Does DORA require penetration testing?
DORA requires digital operational resilience testing. This can include several types of testing. Threat-led penetration testing applies to selected entities under the relevant criteria and supervisory framework, not automatically to every organization in the same way.
What is the biggest practical DORA challenge?
For many organizations, the hardest parts are evidence, third-party dependency mapping, incident reporting readiness and proving that controls are not just written in policies but actually operating.
Conclusion
DORA turns digital operational resilience into a formal supervisory requirement for the EU financial sector. It is not enough to have cybersecurity tools. Financial entities must show governance, risk management, testing, reporting, third-party control and recovery capability. ICT providers must be ready to support customers with clear evidence, security documentation, incident cooperation and contractual transparency.
SecPoint can support DORA readiness through vulnerability scanning, network security controls, dark web exposure checks and practical reporting evidence. The right approach is honest and evidence-based: use technical controls to support the DORA program, document what they prove, remediate what they find and avoid unsupported certification claims.