Digital operational resilience, in one place

Comply with the EU DORA regulation

ICT risk management, incident classification and reporting timers, the Register of Information, and ICT third-party risk — implemented as living controls for financial entities and their ICT providers.

What is DORA?

The Digital Operational Resilience Act — Regulation (EU) 2022/2554 — is an EU regulation that harmonizes how financial entities manage the resilience of the information and communication technology (ICT) they depend on. It has been directly applicable across the EU since January 17, 2025, and because it is a regulation rather than a directive, it applies as written with no national transposition. 2026 marks the first genuine supervisory enforcement cycle, with regulators signaling they will act on incident-reporting failures and gaps in the Register of Information.

Who must comply

DORA covers roughly 20 types of financial entities — banks, insurers and reinsurers, investment firms, payment and electronic-money institutions, crypto-asset service providers, trading venues, and fund managers among them. It also reaches critical ICT third-party service providers (such as major cloud and software vendors), which the European Supervisory Authorities can oversee directly.

The five pillars

  1. ICT risk management — a governance framework, controls, and continuity capabilities owned and overseen by the management body.
  2. ICT-related incident management — classify ICT incidents by severity and report major incidents to the competent authority within defined windows (initial, intermediate, and final reports).
  3. Digital operational resilience testing — a testing program that, for significant entities, includes threat-led penetration testing (TLPT).
  4. ICT third-party risk management — maintain a Register of Information on all ICT third-party arrangements, impose contractual requirements, and manage concentration risk.
  5. Information and intelligence sharing — voluntary arrangements to share cyber threat information among financial entities.

How DORA relates to NIS2

For financial entities, DORA is lex specialis: where DORA and the broader NIS2 Directive overlap, DORA's ICT-specific requirements take precedence. In practice, in-scope financial firms run their ICT resilience program to DORA.

How episki helps

episki implements DORA as living controls: an ICT risk register, incident classification with reporting timers, the Register of Information on your ICT providers, and resilience-testing tracking. Because the same vendor and security evidence maps to ISO 27001 and SOC 2, your DORA program reuses work you already do instead of standing up a parallel one.

DORA outcomes with episki

Quantify the impact security and compliance bring to your business.
5 pillars
ICT risk, incident reporting, resilience testing, third-party risk, and info sharing.
Register of Info
A maintained Register of Information on ICT third-party arrangements.
In force
Directly applicable across the EU since January 17, 2025 — no transposition needed.

Why teams choose episki for DORA

Framework-specific automation, collaboration, and reporting in one workspace.
ICT risk management framework
The governance, controls, and continuity expected of an in-scope financial entity.
  • ICT risk register tied to control treatments
  • Business continuity and ICT response plans
  • Management-body accountability and oversight
Incident reporting and testing
Classify ICT incidents, hit the reporting windows, and track resilience testing.
  • Incident classification and reporting timers
  • Major-incident notifications to the competent authority
  • Resilience testing, including TLPT where required
ICT third-party risk
The Register of Information and contractual controls DORA requires.
  • Register of Information on ICT providers
  • Contractual requirements and concentration risk
  • Reuse of vendor evidence across frameworks

DORA readiness inside episki

What an in-scope financial entity needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • ICT risk management framework and policies
  • ICT asset and dependency inventory
  • Incident classification and reporting workflow
  • Register of Information on ICT third-party arrangements
  • Digital operational resilience testing program (incl. TLPT)
  • Business continuity and ICT response and recovery plans

DORA readiness accelerators

Stand up a defensible resilience program and survive the first supervisory cycle.
Register of Information builder
Maintain the DORA Register of Information on your ICT third-party arrangements.
Incident reporting timers
Classify ICT incidents and track the initial, intermediate, and final report windows.
Third-party risk crosswalk
Reuse vendor due-diligence evidence across DORA, ISO 27001, and SOC 2.

DORA frequently asked questions

Build a DORA program in episki

Stand up ICT risk, incident reporting, and the Register of Information — and reuse the evidence across ISO 27001 and SOC 2.