Question 1

What is DORA?

Accepted Answer

DORA is the EU Digital Operational Resilience Act, a regulation that establishes a harmonised framework for ICT risk management, incident reporting, resilience testing and third-party risk across the financial sector.

Question 2

Who must comply with DORA?

Accepted Answer

DORA applies to a wide range of financial entities including banks, investment firms, payment institutions, insurers, crypto-asset service providers and trading venues, as well as critical ICT third-party providers supervised at EU level.

Question 3

When does DORA apply?

Accepted Answer

DORA has applied since 17 January 2025. Financial entities and their critical ICT providers must be able to demonstrate full compliance, including registers of information and incident reporting readiness.

Question 4

What are the five DORA pillars?

Accepted Answer

DORA is structured around ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing on cyber threats.

Question 5

What is a major ICT-related incident?

Accepted Answer

A major incident is one that meets DORA classification thresholds covering impact on clients, reputational consequences, duration and service downtime, geographical spread, data losses and economic impact. Major incidents must be reported to the competent authority.

Question 6

What is threat-led penetration testing?

Accepted Answer

TLPT is advanced, intelligence-led testing of live production systems using real attacker tactics. It is mandatory at least every three years for significant financial entities identified by competent authorities.

Question 7

What is the register of information?

Accepted Answer

The register of information is a structured inventory of all contractual arrangements with ICT third-party providers. It supports supervisory oversight, including the identification of critical third parties and concentration risks.

Question 8

What is oversight of critical ICT providers?

Accepted Answer

Critical ICT third-party providers designated under DORA are subject to direct oversight by European Supervisory Authorities, which may issue recommendations, require corrective actions and coordinate with competent authorities.

Question 9

How does DORA relate to NIS2 and ISO 27001?

Accepted Answer

DORA is the sector-specific regime for finance and generally prevails over NIS2 for entities in its scope, while ISO 27001 provides an underlying management system that can be reused to meet many DORA control requirements.

Question 10

How does Basenorm support DORA?

Accepted Answer

Basenorm supports DORA with an integrated platform for ICT risk, incident handling, testing, third-party oversight and information sharing, with controls and evidence mapped to the Unified Control Library.

Operational Resilience
for Financial Entities under DORA

ICT Risk Management and Governance

ICT Risk Framework

Management Body Accountability

Incident Management, Reporting and Resilience Testing

ICT Third-Party Risk and Information Sharing

Third-Party ICT Oversight

Ready to prove digital operational resilience?

Frequently Asked Questions

Operational Resiliencefor Financial Entities under DORA

ICT Risk Management and Governance

ICT Risk Framework

Management Body Accountability

Incident Management, Reporting and Resilience Testing

ICT Third-Party Risk and Information Sharing

Third-Party ICT Oversight

Ready to prove digital operational resilience?

Frequently Asked Questions

What is DORA?

Who must comply with DORA?

What are the five pillars of DORA?

How does ICT risk management work under DORA?

What is a major ICT-related incident?

What is digital operational resilience testing?

What are the ICT third-party risk requirements?

What is oversight of critical ICT providers?

How does DORA interact with NIS2 and ISO 27001?

How does Basenorm support DORA compliance?

Related FAQ Topics

Operational Resilience
for Financial Entities under DORA