Banks are used to managing capital risks. DORA carries the same seriousness over to the digital side: outages, attacks, and dependencies on IT service providers have counted since January 2025 as risks that must be managed and evidenced just as systematically.
What is DORA?
The Digital Operational Resilience Act is EU Regulation 2022/2554 on digital operational resilience in the financial sector. As a regulation, it applies directly in all member states, without a national transposition law; it has been applicable since 17 January 2025.
The scope is broad: banks, insurers, investment firms, payment and e-money institutions, trading venues, and other financial players, around 20 categories in total. The distinctive point: ICT third-party service providers also come into view. Critical providers can be overseen directly by the European supervisory authorities, and every service provider of a financial entity has the requirements passed on to it through contracts and the register of information.
The five pillars of DORA
- ICT risk management: A documented framework covering systems, roles, and protective measures; explicitly required are strategies that limit the impact of ICT incidents, together with detection and recovery capabilities.
- Incident management and reporting: Classification of ICT incidents and reporting of major incidents to the supervisory authority in fixed stages and deadlines.
- Digital resilience testing: Regular testing of systems and controls; for significant institutions, additionally threat-led penetration testing (TLPT) roughly every three years.
- ICT third-party risk: A complete register of information for all ICT contracts, mandatory clauses with service providers, and exit strategies for critical services.
- Information sharing: A framework for the voluntary sharing of threat information within the industry.
Why it matters
- The regulation applies directly and is supervised by BaFin and the Bundesbank; transition periods have expired.
- The evidence obligations are concrete: registers, classifications, test reports, and reporting processes cannot be improvised.
- IT service providers of financial entities are bound by contract and must be able to evidence their measures.
- The focus on limiting impact shifts budgets from pure prevention toward containment and recovery.
Typical scenarios
- A bank builds its register of information and finds that dozens of network and cloud contracts need mandatory DORA clauses.
- A payment institution segments its transaction systems in order to evidence the required limitation of incident impact.
- An insurer rehearses the failure of a critical ICT service provider, including the exit scenario.
- An IT provider in the financial sector receives identically worded questionnaires from several customers about resilience, testing, and subcontractors.
What auditors want to see in practice
Since the start of application, it has become clear what audits focus on. The register of information must be complete and up to date, including subcontractor chains; incomplete registers are the fastest route to findings. Incident classification needs practiced processes: those who only clarify in an emergency whether an incident is reportable will miss deadlines. And the required limitation of impact wants to be evidenced technically, for example through documented segmentation policies, recovery tests, and traceable data flows.
The principle of proportionality applies here: a small payment institution does not have to demonstrate the testing depth of a large bank, but it does need a lived framework appropriate to its size. For ICT service providers, the reverse holds: those who deliver ready-made evidence to their financial customers, from operating reports through test results to contractually assured exit support, turn from a risk factor into a competitive advantage in audits and noticeably shorten every contract negotiation.
DORA and NIS-2: the difference
Both frameworks stem from the same EU package but address different things: NIS-2 is a cross-sector directive with national leeway for transposition, DORA a directly applicable special regulation for the financial sector. For financial entities, DORA takes precedence in its subject areas as the more specific framework; anyone affected by both, for example as an IT service provider across several industries, must serve both sets of requirements. The classification of all frameworks is brought together in the entry Cybersecurity Compliance .
How KAEMI helps
The core DORA requirement, limiting the impact of ICT incidents, is a question of architecture: Zero Trust microsegmentation keeps the radius of an attack small and provides the visibility over data flows that eases registers and audits; private, redundant connections via Cloud Connectivity & SDN strengthen the availability side. KAEMI operates both as a managed service with the documentation depth that financial supervisors expect. A detailed classification with a practical guide is offered by our blog post DORA: What the financial sector needs to know .