ONTRACE.AI
Coming Q4 2026

DORA compliance, built for financial sector resilience.

DORA applies to over 22,000 financial entities across the EU. ONTRACE.AI will manage your ICT risk management framework, incident classification and reporting, third-party provider oversight, and resilience testing programme autonomously.

Applies from 17 January 2025
5 key pillars
Critical ICT third-party oversight

Framework Overview

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is an EU regulation that entered into force on 16 January 2023 and has applied since 17 January 2025. It establishes a comprehensive framework for ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk management specifically for the EU financial sector.

DORA consolidates and replaces the previously fragmented ICT risk guidance issued by the EBA, ESMA, and EIOPA with a single, harmonised and directly applicable set of rules. It applies directly to financial entities and, uniquely among such frameworks, establishes an EU-level oversight regime for critical ICT third-party service providers.

Unlike most frameworks, DORA reaches the technology providers themselves: cloud platforms, managed service providers, and SaaS vendors serving EU financial entities may be designated as critical ICT third-party service providers by the European Supervisory Authorities and then fall under direct regulatory oversight.

Covered Entities (non-exhaustive)

Credit institutions
Payment institutions
Electronic money institutions
Investment firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Trading venues
Trade repositories
Managers of alternative investment funds
Management companies (UCITS)
Data reporting service providers
Insurance/reinsurance undertakings
Critical ICT third-party service providers (subject to the oversight framework)

The Five Pillars of DORA

Digital resilience across your entire ICT landscape.

01

ICT Risk Management

A comprehensive ICT risk management framework — governance, strategy, policies, and continuous risk assessment for all ICT assets.

ICT risk appetite statement
Asset and data classification
Business impact analysis
Recovery objectives (RTO/RPO)
02

ICT Incident Management

Detect, classify, manage, and report ICT-related incidents. Incidents classified as major must be reported to the competent authority within strict timeframes, and significant cyber threats may be notified voluntarily.

Incident classification criteria (major vs. non-major)
Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it
Intermediate report: within 72 hours of the initial notification
Final report: within 1 month of the intermediate report
03

Digital Operational Resilience Testing

A proportionate testing programme for all entities, with ICT systems supporting critical or important functions tested at least yearly. Threat-Led Penetration Testing (TLPT) is required at least every 3 years for the financial entities their competent authorities identify for it, based on impact, systemic character, and ICT risk profile.

Vulnerability assessments
Scenario-based testing
TLPT framework
Third-party tester requirements
04

Third-Party ICT Risk

Strict requirements for managing ICT third-party service providers — contractual requirements, concentration risk, and oversight.

Register of information on all contractual arrangements with ICT third-party providers
Contractual minimums (mandatory clauses, stricter for critical or important functions)
Concentration risk assessment
Critical provider oversight
05

Information Sharing

Financial entities may exchange cyber threat information and intelligence, including indicators of compromise, tactics and techniques, and vulnerability information, within trusted communities, provided the arrangements protect business confidentiality and personal data. Participation is voluntary but encouraged.

Threat intelligence sharing
Community participation
Confidential information protection
Voluntary but encouraged

Available Now

ISO 27001 forms a strong foundation for DORA's ICT risk management pillar.

DORA's ICT risk management framework (Pillar 1) overlaps substantially with the information security risk management process of ISO 27001, so an existing certified ISMS already covers a large part of Pillar 1. It does not cover all of it: DORA adds financial-sector obligations that ISO 27001 does not require, such as management body accountability for the ICT risk framework and the mapping of ICT assets to critical or important business functions, and financial entities still need to address Pillars 2 to 5 separately.

Join the Waitlist

DORA support is coming Q4 2026.
Get ahead of your supervisors.

Join the waitlist for DORA compliance support on ONTRACE.AI. We'll notify you the moment it launches.