DORA
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishes uniform requirements for the security of network and information systems of EU financial entities and critical ICT third-party providers. It covers ICT risk management (governance, framework, identification, protection, detection, response/recovery, backup, learning), ICT-related incident management and major-incident reporting to competent authorities, digital operational resilience testing (including threat-led penetration testing, TLPT), ICT third-party risk management (Register of Information, key contractual provisions, concentration risk) with a Union Oversight Framework for critical ICT third-party providers, and cyber threat information sharing. It applies from 17 January 2025.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)
DORA Chapter II: ICT Risk Management
| Code | Title |
|---|---|
| DORA-Art.5 | Governance and organisation |
| DORA-Art.6 | ICT risk management framework |
| DORA-Art.7 | ICT systems, protocols and tools |
| DORA-Art.8 | Identification |
| DORA-Art.9 | Protection and prevention |
| DORA-Art.10 | Detection |
| DORA-Art.11 | Response and recovery |
| DORA-Art.12 | Backup policies and procedures, restoration and recovery |
| DORA-Art.13 | Learning and evolving |
| DORA-Art.14 | Communication |
| DORA-Art.16 | Simplified ICT risk management framework |
DORA Chapter III: ICT-Related Incident Management
| Code | Title |
|---|---|
| DORA-Art.17 | ICT-related incident management process |
| DORA-Art.18 | Classification of ICT-related incidents and cyber threats |
| DORA-Art.19 | Reporting of major ICT-related incidents |
| DORA-Art.23 | Operational or security payment-related incidents |
DORA Chapter IV: Digital Operational Resilience Testing
| Code | Title |
|---|---|
| DORA-Art.24 | General requirements for the performance of digital operational resilience testing |
| DORA-Art.25 | Testing of ICT tools and systems |
| DORA-Art.26 | Advanced testing of ICT tools, systems and processes based on TLPT |
| DORA-Art.27 | Requirements for testers for the carrying out of TLPT |
DORA Chapter V: ICT Third-Party Risk Management
| Code | Title |
|---|---|
| DORA-Art.28 | ICT third-party risk: general principles |
| DORA-Art.29 | Preliminary assessment of ICT concentration risk at entity level |
| DORA-Art.30 | Key contractual provisions |
| DORA-Art.31 | Designation of critical ICT third-party service providers |
DORA Chapters VI-VII: Information Sharing, Penalties and Data Protection
| Code | Title |
|---|---|
| DORA-Art.45 | Information-sharing arrangements on cyber threat information and intelligence |
| DORA-Art.50 | Administrative penalties and remedial measures |
| DORA-Art.56 | Data protection |
Your Compliance Coverage
If you comply with DORA, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) | 46% | 12 |
| NIST Cybersecurity Framework 2.0 | 42% | 11 |
| EU Payment Services Directive (PSD2) | 31% | 8 |
Plus 16 more, including EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07) (31%) and NIST SP 800-53 Rev 5 (23%). DORA maps to 19 other frameworks in total.
Frequently Asked Questions
What is DORA?
DORA is a compliance framework from the European Union with 5 domains and 26 controls. The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishes uniform requirements for the security of network and information systems of EU financial entities and critical ICT third-party providers. It covers ICT risk management (governance, framework, identification, protection, detection, response/recovery, backup, learning), ICT-related incident management and major-incident reporting to competent authorities, digital operational resilience testing (including threat-led penetration testing, TLPT), ICT third-party risk management (Register of Information, key contractual provisions, concentration risk) with a Union Oversight Framework for critical ICT third-party providers, and cyber threat information sharing. It applies from 17 January 2025. Organisations use it to establish and maintain compliance with regulatory requirements.
How many controls does DORA have?
DORA has 26 controls organised across 5 domains. The largest domains are DORA Chapter II: ICT Risk Management (11 controls), DORA Chapter III: ICT-Related Incident Management (4 controls) and DORA Chapter IV: Digital Operational Resilience Testing (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does DORA map to?
DORA maps to 19 other compliance frameworks. The frameworks with the highest coverage are EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) (46%), NIST Cybersecurity Framework 2.0 (42%) and EU Payment Services Directive (PSD2) (31%). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with DORA compliance?
Start your DORA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about DORA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 26 controls and track your progress.