Frameworks
8 min

DORA Compliance: What Financial Entities Need to Know in 2025

A practical guide to the Digital Operational Resilience Act — the 5 pillars, key deadlines, and how to build your evidence pack.

Netallion Team·January 15, 2026

DORA Compliance: What Financial Entities Need to Know

The Digital Operational Resilience Act (DORA) became applicable on 17 January 2025, marking a fundamental shift in how EU financial entities manage ICT risk. If you operate in banking, insurance, investment, or crypto-asset services within the EU, DORA applies to you.

What is DORA?

DORA establishes uniform requirements for the security of network and information systems across the financial sector. Unlike previous directives, DORA is a regulation — it applies directly without national transposition, creating a level playing field across all EU member states.

The 5 Pillars

Pillar 1: ICT Risk Management (Articles 5-16)

Financial entities must establish a comprehensive ICT risk management framework. This includes:

  • Governance — the management body bears ultimate responsibility for ICT risk
  • Risk identification — maintain an up-to-date inventory of ICT assets and systems
  • Protection — implement security policies for access control, encryption, and network security
  • Detection — deploy monitoring and anomaly detection capabilities
  • Response and recovery — maintain and test business continuity plans

Pillar 2: ICT Incident Reporting (Articles 17-23)

Major ICT incidents must be reported to competent authorities within strict timeframes:

  • Initial notification — within 4 hours of classification as major
  • Intermediate report — within 72 hours
  • Final report — within 1 month of resolution
The classification criteria include: number of clients affected, duration, geographic spread, data losses, and criticality of services impacted.

Pillar 3: Digital Operational Resilience Testing (Articles 24-27)

All financial entities must conduct regular testing:

  • Basic testing — vulnerability assessments, network security reviews, gap analyses
  • Advanced testing — significant entities must perform threat-led penetration testing (TLPT) at least every 3 years, following the TIBER-EU framework

Pillar 4: ICT Third-Party Risk (Articles 28-44)

DORA introduces extensive requirements for managing ICT service providers:

  • Maintain a register of all ICT third-party service providers
  • Include mandatory contractual provisions (service levels, audit rights, exit strategies)
  • Assess and manage concentration risk — over-reliance on a single provider
  • Critical providers face direct oversight by European Supervisory Authorities

Pillar 5: Information Sharing (Article 45)

Financial entities are encouraged to participate in cyber threat intelligence sharing arrangements, with appropriate safeguards for confidentiality.

Building Your DORA Evidence Pack

  1. Map your current state — use the Netallion assessment wizard to identify gaps against each DORA pillar
  2. Build your ICT asset register — this is foundational for Pillar 1
  3. Document your incident response process — including the classification criteria and reporting templates
  4. Compile your testing evidence — vulnerability scans, penetration test reports, DR test results
  5. Review vendor contracts — ensure all ICT providers have DORA-compliant contractual provisions
  6. Export your compliance pack — generate an audit-ready deliverable with control mappings and evidence

How Netallion Helps

Netallion GRC provides 37 DORA-specific controls mapped to articles, covering all 5 pillars. Each control includes evidence hints, article references, and priority ratings. The cross-framework mapping automatically identifies where your existing ISO 27001 evidence satisfies DORA requirements.

Start by creating a DORA assurance pack at grc.netallion.app.

DORA
Financial Services
EU Regulation
ICT Risk

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.