The EU's landmark ICT risk regulation for financial services, in force since January 2025. Mandatory for banks, insurers, investment firms, and their critical ICT third-party providers in the EU.
DORA consolidates ICT risk management obligations for EU financial entities into a single binding framework covering five pillars. Scyverge provides a named compliance lead who manages your DORA programme end-to-end, from gap assessment through ICT risk framework implementation, incident classification, third-party register, and TLPT preparation, aligned with the ESAs' Regulatory Technical Standards.
Gap analysis against all five DORA pillars and ESAs' RTS/ITS per Articles 5-16, identifying non-conformities and proportionality provisions.
Design ICT risk framework per Chapter II Articles 5-16: asset inventory, risk identification, protection, detection, and response/recovery plans.
Incident classification per Article 20 with major incident thresholds, plus templates for the 4-hour initial report, the 72-hour intermediate report, and the final report.
Determine entity classification and proportionality per Article 16, identifying requirements by size, business model, and systemic importance.
Identify and classify ICT TPPs per Chapter V Articles 28-30, determining Critical TPPs subject to direct EU oversight.
Prioritised roadmap across all five pillars aligned with supervisory authority timeline and proportionality classification.
Annual resilience testing per Chapter IV Articles 24-27; for significant entities, TLPT preparation with threat scenarios and authority coordination.
End-to-end TPRM per Chapter V Articles 28-30: provider register, contractual review, concentration risk, exit strategies, and CTPP oversight.
Establish voluntary threat intel sharing per Chapter VI Article 31, integrating shared intelligence into your ICT risk process.
Implement DORA's incident taxonomy per Article 20 with severity levels and reporting triggers covering confidentiality, integrity, and availability (CIA) impact criteria per the ESAs' ITS.
Build mandatory ICT provider register per Article 30 and review contracts for audit rights, exit strategies, and concentration risk per RTS.
Prepare for TLPT per Articles 26-27: scope definition, threat-intel scenarios, red team coordination, and authority notification for significant entities.
Ongoing annual testing per Articles 24-27 including vulnerability assessments, penetration testing, and TLPT cycles for significant entities.
Periodic review of ICT risk controls, incident reporting readiness, and TPRM posture to maintain compliance across all five pillars.
Maintain incident classification per Article 20, together with 4-hour initial report templates, 72-hour intermediate report procedures, and final report documentation.
Ongoing ICT provider oversight per Articles 28-30: maintain register, review contractual compliance, monitor concentration risk, update exit strategies.
Track evolving ESA RTS/ITS, assess impact on your programme, and implement updates within regulatory timelines.
Maintain and expand voluntary threat intel sharing per Article 31, integrating shared intelligence into ICT risk and incident detection.
All EU-licensed credit institutions, payment institutions, e-money institutions, and investment firms are directly in scope. DORA replaces and consolidates fragmented national ICT risk requirements under a single EU regime.
Insurers, reinsurers, insurance intermediaries, UCITS management companies, AIFMs, crypto-asset service providers (CASPs), and central counterparties are all within DORA's mandatory scope.
Cloud service providers, data analytics firms, and other critical ICT TPPs serving EU financial entities are subject to direct oversight by EU supervisory authorities. CTPPs face mandatory oversight requirements under DORA Chapter V.
A structured six-phase process from initial gap assessment through to ongoing compliance monitoring and ESA technical standards tracking.
Structured assessment across all five DORA pillars with entity classification, proportionality analysis, and a prioritised compliance roadmap aligned with your supervisory authority's examination timeline.
Design and implement your ICT risk management framework including asset inventory, risk register, protection controls, and incident detection capabilities aligned to DORA Chapter II and the ESAs' RTS.
Implement DORA's incident classification taxonomy with severity levels, major incident thresholds, and reporting templates covering 4-hour initial, 72-hour intermediate, and final report procedures.
Establish annual resilience testing programme and, for significant entities, prepare for Threat-Led Penetration Testing including scope definition, threat scenarios, and authority coordination per DORA Chapter IV.
Build the ICT third-party provider register, review contractual arrangements for DORA compliance, assess concentration risk, develop exit strategies, and prepare for CTPP oversight under DORA Chapter V.
Continuous compliance monitoring, annual reviews, incident reporting readiness, TPRM oversight, and ESA technical standards tracking as Regulatory Technical Standards evolve.