What Is DORA Regulation? Everything Financial Entities Need to Know
The EU's Digital Operational Resilience Act went into full application on January 17, 2025, fundamentally changing how financial entities and their ICT providers must manage digital risk. If your organization operates across multiple entities, subsidiaries, or jurisdictions in the financial sector, understanding DORA isn't optional. Non-compliance carries supervisory penalties, contractual disruption, and reputational damage.
Trusted by compliance teams managing 50+ group entities. Swiss-hosted data sovereignty. ISO 27001-aligned platform. GDPR-compliant by design.
What Is DORA and Why Does It Matter Now?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is the EU's regulatory framework for ensuring financial entities can withstand, respond to, and recover from ICT-related disruptions. It replaces a patchwork of national guidelines with a single, harmonized set of requirements, enforceable since January 17, 2025.
Before DORA, ICT risk management in the financial sector was governed by sector-specific guidelines: the EBA Guidelines on ICT and Security Risk Management, the EIOPA Guidelines on Outsourcing to Cloud Service Providers, and various national supervisory expectations. The result: inconsistent standards, regulatory arbitrage, and systemic blind spots when critical ICT providers served multiple financial entities across borders.
DORA changes this fundamentally. It creates a single regulatory framework that applies across all EU financial sub-sectors (banking, insurance, investment, payment services, crypto-assets, and more) with direct requirements for the ICT third-party providers these entities depend on.
For organizations managing compliance across multiple entities and jurisdictions, DORA introduces both complexity and opportunity. The complexity comes from coordinating five interconnected pillars across every subsidiary. The opportunity comes from finally having a clear, unified standard to build your operational resilience program around.
Who Must Comply With DORA?
DORA applies to virtually all regulated financial entities in the EU, plus the ICT providers they depend on. The European Commission estimates over 22,000 entities fall within scope.
Financial Entities (Article 2)
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and management companies
- Insurance and reinsurance undertakings
- Central securities depositories
- Central counterparties and trade repositories
- Crypto-asset service providers
- Crowdfunding service providers
- Institutions for occupational retirement provision
- Credit rating agencies and securitisation repositories
ICT Third-Party Providers
- Cloud service providers serving financial entities
- Data analytics and data centre providers
- Software providers (SaaS, core banking, etc.)
- ICT infrastructure providers
- Managed security service providers
- Critical ICT third-party providers designated by the ESAs are subject to the new EU-level oversight framework with direct supervisory powers
Proportionality principle: DORA applies proportionally; microenterprises and certain entities face simplified requirements under Articles 16(1) and 25(1). But proportionality doesn't mean exemption.
What DORA Actually Requires, and Why Multi-Entity Groups Struggle Most
DORA's requirements span five interconnected pillars. For organizations managing compliance across multiple subsidiaries and jurisdictions, each pillar multiplies in complexity. Here's what your compliance program must cover.
Pillar 1: ICT Risk Management Framework
Articles 5–16 mandate a comprehensive ICT risk management framework with direct management body accountability. Your organization must document identification, protection, detection, response, and recovery processes, including legacy system management, across every entity.
The multi-entity challenge: Each subsidiary needs its own documented framework, but group-level consistency is required for supervisory review.
4 hours: maximum time to detect and classify a major ICT incident once identified (DORA Article 17 classification criteria).
Pillar 2: Incident Reporting and Classification
Articles 17–23 require harmonized incident classification and a strict reporting timeline: initial notification within 4 hours of classification, intermediate report within 72 hours, and a final report within one month. Voluntary reporting of significant cyber threats is also encouraged.
The multi-entity challenge: A single ICT incident can affect multiple subsidiaries simultaneously, each with its own reporting obligation to different national authorities.
72 hours: deadline for the intermediate incident report to the competent authority (DORA Article 19 reporting requirements).
Pillar 3: Digital Operational Resilience Testing
Articles 24–27 require regular testing of ICT systems, from basic vulnerability assessments for all entities to advanced threat-led penetration testing (TLPT) every three years for systemically important institutions. Testing programs must cover all critical ICT systems and applications.
The multi-entity challenge: Coordinating TLPT exercises across shared infrastructure serving multiple subsidiaries requires centralized planning and evidence management.
Every 3 years: minimum frequency for threat-led penetration testing at significant financial entities (DORA Article 26).
Pillar 4: Third-Party ICT Risk Management
Articles 28–44 establish rigorous requirements for managing ICT third-party providers. Financial entities must maintain a register of all ICT outsourcing arrangements, conduct pre-contract due diligence, include mandatory contractual clauses, and continuously monitor provider performance and risk.
The multi-entity challenge: The same cloud provider may serve 15 subsidiaries under 15 different contracts. Without centralized vendor management, gaps are invisible until a supervisor finds them.
22,000+: financial entities and ICT providers subject to DORA (European Commission estimates, 2022).
Pillar 5: Information Sharing Arrangements
Article 45 encourages financial entities to exchange cyber threat intelligence and vulnerability information with peers through trusted arrangements. While voluntary, participating in information-sharing communities strengthens collective resilience and demonstrates proactive risk management to supervisors.
The multi-entity challenge: Sharing threat intelligence across subsidiaries in different jurisdictions requires data governance controls to avoid inadvertently breaching GDPR or confidentiality obligations.
Jan 17, 2025: DORA full application date, all five pillars enforceable across EU member states (Regulation (EU) 2022/2554).
The common thread: every pillar gets harder with every subsidiary you add
For groups managing compliance across multiple entities, DORA's five pillars don't just add requirements, they multiply them. Centralized vendor registers, coordinated incident reporting, and consistent risk frameworks become impossible in spreadsheets.
DORA Timeline: From Adoption to Enforcement
200+ hours saved on ROPA management: Medtec redirected 200+ hours from manual ROPA maintenance to ISO 27001 preparation, achieving certification 3 months ahead of schedule.
60% lower compliance admin time: Aircraft manufacturer cut compliance admin time by 60% in their first 6 months, with predictable pricing based on entities, not per-user fees.
3 months ahead of schedule on ISO 27001: Medtec achieved ISO 27001 certification 3 months ahead of their projected timeline using Priverion's audit-ready evidence packages.
The OneTrust alternative built for mid-market reality
Enterprise platforms sell you complexity you don't need at prices you can't justify. Here's what changes when your privacy tool is designed for how multi-entity organizations actually work.
The typical enterprise platform experience
Hosting and data residency
US-headquartered, data often processed outside the EU. Post-Schrems II, this creates transfer risk you have to document and justify to supervisory authorities.
Pricing model
Per-user, per-module pricing that balloons as you onboard subsidiaries. Budget surprises every renewal cycle. Features locked behind tier upgrades.
Implementation
6–12 month rollouts requiring dedicated consultants. You're paying for the platform before you've configured it for a single subsidiary.
User experience
Built for GRC teams with dedicated admin staff. Business unit owners resist adoption because the interface requires training just to submit a processing activity.
Platform scope
Sprawling suite covering ESG, ethics, third-party risk, and more. You pay for everything, use a fraction, and still need workarounds for multi-entity privacy management.
The Priverion experience
Swiss-hosted, European data residency
All data processed within Swiss infrastructure. In a post-Schrems II world, Swiss hosting isn't a marketing checkbox; it's a legal advantage for cross-border data transfers. One fewer risk to document.
Predictable, group-based pricing
Pricing based on number of companies and organizational size, not per-user or per-module. Onboard every business unit owner without watching costs climb. No expansion traps at renewal.
Operational in weeks, not months
Aircraft manufacturer achieved a 60% reduction in compliance admin time within their first 6 months. Most customers are running production workflows within weeks of signing.
Based on Aircraft manufacturer deployment, first 6 months
Designed for the people who actually do the work
Business unit owners complete ROPA recertifications without training. AI-assisted drafting handles the heavy lifting for DPIAs and risk scoring. Your DPO focuses on strategy, not spreadsheet maintenance.
All-in-one privacy platform, nothing you don't need
ROPA, DPIA, vendor risk, incident management, DSR handling, cross-entity data mapping, AI Register: everything for group-wide privacy management in a single platform. We don't cover ESG or cookie consent. We go deep where it matters.
Honest note: We're not built for single-entity companies, and we don't offer 200 integrations. We integrate deeply with the systems that matter for privacy workflows (HR, procurement, IT asset management) rather than offering shallow connectors that create maintenance overhead.
Your DORA Compliance Readiness Checklist
Use this checklist to assess your organization's readiness across all five DORA pillars. For multi-entity groups, each item must be evaluated at both the subsidiary and group level.
Pillar 1: ICT Risk Management
- 1. Documented ICT risk management framework approved by the management body for each entity
- 2. Defined roles and responsibilities for ICT risk management, including a dedicated control function
- 3. Complete inventory of ICT assets, systems, and their interdependencies across all entities
- 4. Business continuity and disaster recovery plans that cover ICT-related disruptions
- 5. Annual review and update process for the ICT risk management framework
Pillar 2: Incident Reporting
- 6. Incident classification process aligned with DORA Article 18 criteria (clients affected, data integrity, criticality of services, duration)
- 7. Reporting workflows capable of meeting the 4-hour initial notification, 72-hour intermediate, and 1-month final report deadlines
- 8. Coordination process for incidents affecting multiple subsidiaries with different national authorities
- 9. Incident root cause analysis process with lessons-learned documentation
Pillar 3: Resilience Testing
- 10. Annual testing program covering vulnerability assessments, network security tests, and scenario-based testing
- 11. TLPT program established (if designated as a significant entity) with qualified external testers
- 12. Remediation tracking for all findings from testing activities with defined timelines
Pillar 4: Third-Party Risk Management
- 13. Complete register of all ICT third-party provider arrangements, including intra-group services
- 14. Pre-contract due diligence process for new ICT providers covering risk assessment and concentration risk
- 15. Existing contracts reviewed for mandatory clauses (audit rights, exit strategies, data location, sub-outsourcing)
- 16. Ongoing monitoring process for ICT provider performance and compliance
- 17. Exit strategies documented for all critical or important ICT service arrangements
Pillar 5: Information Sharing
- 18. Assessment completed on whether to participate in threat intelligence sharing arrangements
- 19. If participating: data governance controls in place to manage GDPR and confidentiality obligations in shared intelligence
- 20. Internal process for distributing relevant threat intelligence across subsidiaries and business units
Need Help Coordinating DORA Compliance Across Multiple Entities?
See how Priverion's group-wide vendor risk management, incident workflows, and audit-ready evidence packages help multi-entity organizations build DORA readiness without spreadsheet chaos.
Frequently Asked Questions About DORA
What is DORA regulation?
DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554, which establishes uniform requirements for the security of network and information systems of financial entities and their critical ICT third-party service providers. It has been fully applicable since January 17, 2025, replacing a patchwork of sector-specific guidelines with a single harmonized framework.
Who must comply with DORA?
DORA applies to virtually all regulated financial entities in the EU (including banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers) as well as their critical ICT third-party service providers. The European Commission estimates over 22,000 entities fall within scope. The regulation applies proportionally, with simplified requirements for microenterprises, but proportionality doesn't mean exemption.
What are the 5 pillars of DORA?
The five pillars are: (1) ICT Risk Management Framework (Articles 5–16), (2) Incident Reporting and Classification (Articles 17–23), (3) Digital Operational Resilience Testing (Articles 24–27), (4) Third-Party ICT Risk Management (Articles 28–44), and (5) Information Sharing Arrangements (Article 45). Each pillar has specific requirements that must be addressed at both entity and group level.
When did DORA come into effect?
DORA entered into force on January 16, 2023, with a two-year implementation period. It became fully applicable on January 17, 2025, meaning all five pillars are now enforceable across EU member states. The ESAs (EBA, ESMA, EIOPA) developed Regulatory Technical Standards and Implementing Technical Standards throughout 2023–2024 to provide detailed implementation guidance.
What are the penalties for DORA non-compliance?
DORA empowers national competent authorities to impose administrative penalties and remedial measures, including periodic penalty payments. For critical ICT third-party providers under the EU oversight framework, penalties can reach up to 1% of average daily worldwide turnover for each day of non-compliance, for up to six months. Beyond financial penalties, non-compliance creates reputational risk and potential contractual disruption with financial entity clients.
How does DORA affect ICT third-party providers?
DORA requires financial entities to maintain registers of all ICT outsourcing arrangements, conduct pre-contract due diligence, include mandatory contractual clauses (covering audit rights, exit strategies, data location, and sub-outsourcing), and monitor provider performance. Critical ICT third-party providers designated by the ESAs are subject to a new EU-level oversight framework with direct supervisory powers, a significant change from the previous indirect supervision model.
How does DORA relate to GDPR?
DORA and GDPR are complementary regulations. DORA focuses on ICT operational resilience for financial entities, while GDPR covers personal data protection. An ICT incident under DORA that involves personal data will also trigger GDPR breach notification obligations (72-hour notification to supervisory authorities under Article 33). Organizations need coordinated incident response processes that satisfy both regulatory frameworks simultaneously, which is particularly challenging for multi-entity groups reporting to multiple authorities.
Stop Managing Privacy Compliance in Spreadsheets. Start Managing It for Real.
Aircraft manufacturer cut compliance admin time by 60% in their first six months. AXA hit 100% automated ROPA recertification. Medtec saved 200+ hours preparing for ISO 27001.
In 30 minutes, we'll show you exactly how group-wide privacy management works when it's built for multi-entity organizations, not bolted on as an afterthought. Swiss-hosted. AI-assisted with full human oversight. Predictable pricing without per-user traps.
Weeks, not months: average time to go live. 50+ entities: proven group-wide scale. 100% Swiss-hosted: European data residency guaranteed.
No commitment required. No sales pressure. Just a clear look at what's possible.