DORA sets uniform requirements for the digital operational resilience of EU financial entities, including ICT risk management, incident reporting, resilience testing and oversight of critical third-party providers.
Who it affects
- Credit institutions, investment firms, insurers and reinsurers
- Payment, e-money and crypto-asset service providers
- Trading venues, central counterparties (CCPs) and central securities depositories (CSDs)
- Critical ICT third-party providers serving the above
Key obligations
- ICT risk management framework owned by the management body
- Classification and reporting of major ICT-related incidents
- Advanced threat-led penetration testing (TLPT) for significant entities
- Contractual and ongoing oversight of ICT third parties and sub-contractors
Penalties
Administrative measures and periodic penalty payments set by national competent authorities; up to 1% of average daily worldwide turnover for critical third-party providers.
How RisQo helps
RisQo's Cyber and Supplier modules surface third-party concentration, posture decay and incident signals so DORA register-of-information and oversight workflows stay evidence-backed.
This explainer is provided for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.