DORA Compliance: Meet the Digital Operational Resilience Act Requirements
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been fully applicable across the EU since 17 January 2025. If your organisation is a financial entity, or an ICT third-party provider designated as critical to the financial sector, DORA compliance is not optional: competent authorities are already conducting supervisory assessments.
DORA establishes the most comprehensive and demanding set of digital resilience requirements ever applied to the EU financial sector. ShieldIQ provides financial entities and their ICT suppliers with a structured, practical path to meeting those requirements — across all five DORA pillars, covering 14 key requirement areas.
Start your free DORA compliance assessment →
Who Does DORA Apply To?
DORA applies to a wide range of financial entities regulated under EU law, including:
- Credit institutions (banks)
- Payment institutions and electronic money institutions
- Investment firms
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Management companies and alternative investment fund managers
- Crypto-asset service providers
- Central counterparties and central securities depositories
- Trading venues and data reporting service providers
- Crowdfunding service providers
DORA also applies to critical ICT third-party providers — technology firms designated by the European Supervisory Authorities (ESAs) as systemic to the financial sector. Even ICT providers not formally designated as critical may face DORA obligations flowing down through their financial entity clients' supply chain requirements.
The Five Pillars of DORA Compliance
ShieldIQ's DORA module covers all five pillars, aligned to the 14 requirement areas assessed in your gap report:
Pillar 1: ICT Risk Management
The foundation of DORA compliance. Financial entities must maintain a comprehensive ICT risk management framework that identifies, classifies, and documents all ICT assets and risks. This includes:
- An ICT asset register aligned to your digital operational resilience strategy
- Documented risk appetite and tolerance thresholds
- Protection and prevention measures for all critical ICT assets
- Continuous monitoring and anomaly detection capabilities
- A dedicated ICT business continuity policy
ShieldIQ's risk management and asset management modules provide the infrastructure for this pillar.
Pillar 2: ICT-Related Incident Management, Classification and Reporting
DORA introduces specific requirements for how financial entities detect, classify, manage, and report ICT-related incidents. Incidents must be classified against the DORA criteria (clients and counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact), and those that qualify as major must be reported to the national competent authority in three stages: an initial notification, an intermediate report, and a final report. Under the technical standards that supplement DORA, the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. Each stage carries its own regulatory obligation, so deadline tracking starts the moment an incident is detected, not when it is classified.
ShieldIQ's incident management module includes DORA-specific classification criteria, reporting workflows, and deadline tracking. Everything is logged and documented for regulatory purposes.
Pillar 3: Digital Operational Resilience Testing
Beyond paper-based risk assessments, DORA requires financial entities to test their digital resilience through:
- A digital operational resilience testing programme proportionate to the entity, drawing on vulnerability assessments and scans, gap analyses, source code reviews, scenario-based tests, compatibility and performance testing, and penetration testing
- Testing of all ICT systems and applications supporting critical or important functions at least once a year
- Threat-led penetration testing (TLPT) at least every three years for financial entities identified by their competent authority, covering the live production systems behind critical or important functions
ShieldIQ helps you plan, document, and track your testing programme, manage findings, and evidence remediation for supervisory review.
Pillar 4: ICT Third-Party Risk Management
This is one of the most operationally demanding aspects of DORA. Financial entities must:
- Maintain a complete register of all ICT third-party arrangements
- Conduct pre-contractual due diligence on ICT providers
- Include mandatory DORA contractual provisions in ICT contracts
- Monitor third-party providers on an ongoing basis
- Have exit strategies for critical or important ICT services
ShieldIQ's vendor management module is built to handle DORA's third-party risk requirements — from initial due diligence through to ongoing monitoring and contractual management.
Pillar 5: Information and Intelligence Sharing
DORA encourages financial entities to participate in information-sharing arrangements to enhance collective resilience against cyber threats. Entities participating in such arrangements must manage the associated risks and maintain confidentiality. ShieldIQ supports documentation of your information sharing arrangements and the controls that govern them.
ShieldIQ's DORA Compliance Platform
Every DORA requirement maps to a specific capability in ShieldIQ:
| DORA Requirement | ShieldIQ Feature |
|---|---|
| ICT asset register | Asset management + network scanner |
| ICT risk register | Risk management module |
| Incident classification and log | Incident management module |
| Incident reporting workflows | Incident management with regulatory timelines |
| Third-party register | Vendor management module |
| Contractual requirements tracking | Vendor management module |
| Policy documentation | Policy library with DORA-aligned templates |
| Resilience testing records | Controls and evidence tracking |
| Executive reporting | AI-generated PDF reports |
Start free — no card required →
DORA and Your Broader Compliance Landscape
DORA does not operate in isolation. Financial entities subject to DORA are also typically subject to:
- GDPR compliance — data protection obligations continue alongside DORA
- NIS2 compliance — for entities that also qualify as NIS2 essential or important entities
- ISO 27001 compliance — many DORA requirements align with ISO 27001 controls; ISO certification can reduce the DORA compliance burden
- NIST CSF compliance — NIST CSF provides a useful operating model for DORA's ICT risk management requirements
ShieldIQ covers all of these on a single platform, so your compliance work is additive — not duplicated.
Frequently Asked Questions
DORA has been applicable since January 2025 — what if we are not yet compliant?
Supervisory assessments and enforcement actions are underway. The European Supervisory Authorities and national competent authorities have published supervisory expectations and are conducting reviews. The priority is to start now — document your current state, conduct a gap assessment, and build a prioritised remediation plan. A demonstrable, structured compliance programme in progress is significantly better than no programme at all. ShieldIQ gives you a gap assessment in 15 minutes.
We are an ICT provider to banks and insurers, not a financial entity ourselves. Does DORA apply to us?
Unless the European Supervisory Authorities designate you as a critical ICT third-party provider, DORA does not bind you directly; its obligations fall on your financial entity clients. Those clients are now required to include specific contractual provisions in their ICT contracts with you, conduct due diligence on your security practices, and monitor you on an ongoing basis, so in practice DORA requirements flow down to you as a supplier. Being able to demonstrate strong ICT risk management, ideally through a platform like ShieldIQ, protects and differentiates your business.
What are the penalties for DORA non-compliance?
Penalties for financial entities are set by member states and applied by national competent authorities, and they are substantial: regulatory sanctions range from public warnings and restrictions on activities to significant financial penalties, and members of the management body can be held personally liable in some circumstances. For critical ICT third-party providers, the Lead Overseer appointed by the European Supervisory Authorities can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for each day of non-compliance, for a maximum of six months.
How does DORA's third-party risk management requirement work in practice?
You need a complete register of all ICT third-party arrangements, categorised by whether they support critical or important functions. For critical/important function providers, you need enhanced due diligence, specific contractual provisions (access rights, audit rights, SLAs, incident notification obligations, exit provisions), and ongoing monitoring. ShieldIQ's vendor management module is designed to handle exactly this workflow.
Can a small financial entity achieve DORA compliance without a large compliance team?
Yes. DORA recognises the principle of proportionality: requirements apply in a manner proportionate to the size, overall risk profile, and the nature, scale, and complexity of the entity's services and operations. Certain small entities listed in Article 16 may apply a simplified ICT risk management framework, and microenterprises are relieved of several obligations, such as the advanced testing requirements. Smaller financial entities also have fewer ICT systems and third-party arrangements to manage. ShieldIQ is designed to make structured DORA compliance achievable for organisations without a dedicated compliance department.
Start your free DORA compliance assessment — no card required →