DORA is live. Your ICT resilience now has to be provable.
Since 17 January 2025, banks, insurers, investment firms and their ICT providers must manage ICT risk, report major incidents, test their resilience, and account for every critical third party — under one EU regulation. Setu Innovation joins the advisory that reads DORA to the engineering that satisfies it, so you meet the supervisor with evidence, not intentions.
- In force · Jan 2023
- Applies · 17 Jan 2025
- 5 pillars
- TLPT · every 3 yrs
If you're a regulated financial entity, or you provide ICT services to one, DORA applies.
DORA covers a wide span of financial entities: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, fund and asset managers, trading venues and more. It also reaches the ICT third-party providers that serve them.
A 20-second self-check
- Are you authorised or registered as a financial entity in the EU?
- Do you rely on ICT systems to deliver financial services?
- Do you provide ICT services (cloud, software, data) to financial entities?
- Do you depend on third parties for critical or important functions?
Mostly "yes"? You're almost certainly in scope. For the financial sector DORA is lex specialis over NIS 2 on ICT risk and incident reporting. A short call confirms the detail.
What DORA demands.
DORA organises digital operational resilience into five pillars, owned and overseen by the management body.
ICT risk management
A documented ICT risk-management framework: governance, identification of ICT-supported functions, protection and prevention, detection, response and recovery, backups, and continuous learning.
ICT incident management & reporting
Detect, classify and manage ICT-related incidents, and report major incidents to your competent authority within the defined timelines, with initial, intermediate and final reports.
Resilience testing
A programme of digital operational resilience testing on ICT systems — and, for entities identified as significant, threat-led penetration testing (TLPT) at least every three years under TIBER-EU.
ICT third-party risk
Manage third-party ICT risk end to end: contractual safeguards, exit strategies, and the Register of Information. Critical ICT third-party providers fall under a dedicated EU oversight regime.
Information sharing
Voluntary arrangements to exchange cyber-threat information and intelligence among trusted financial entities, to raise collective resilience.
Management accountability
The management body defines, approves and oversees the ICT risk framework, holds ultimate responsibility, and must maintain sufficient ICT knowledge through regular training.
Entities, providers and the oversight regime.
DORA binds financial entities directly and, for the first time, reaches their ICT supply chain through an EU-level oversight of the providers the sector depends on.
Financial entities
Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, fund managers, trading venues and more — over twenty categories.
ICT third-party providers
Cloud, software and data providers serving the sector. Those designated critical (CTPPs) come under direct EU oversight, with fines up to 1% of average daily worldwide turnover.
Simplified regime
Microenterprises and some smaller entities apply a proportionate, simplified ICT risk-management framework — lighter, but not exempt from the core obligations.
Where DORA leads
For ICT risk and incident reporting in finance, DORA takes precedence over NIS 2 as lex specialis — so financial entities work to DORA first, with NIS 2 as the wider backdrop.
DORA is proven in the framework, the register and the test.
Supervisors ask for artefacts: the risk framework, the Register of Information, incident reports, test results. Setu does the advisory and the engineering, in one team.
Scope & gap
Confirm scope and proportionality, map a prioritised gap across the five pillars, and set the governance and accountability the management body has to own.
Engineer the framework
Stand up the ICT risk-management framework, incident classification and reporting workflow, the Register of Information, and the third-party risk and resilience-testing programmes.
Reach the supervisor
Prepare the register submission, rehearse incident reporting, ready the entity for TLPT, and brief management before the competent authority engages.
DORA, answered plainly.
When does DORA apply?
It entered into force on 16 January 2023 and has applied since 17 January 2025. Financial entities and their ICT providers are expected to be compliant now.
Who is in scope?
A broad set of financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, fund managers, trading venues and more — plus the ICT third-party providers serving them. Critical providers come under a dedicated EU oversight regime.
What is the Register of Information?
A register of all your contractual arrangements for ICT services from third-party providers, reported to your competent authority. It's one of the first concrete deliverables supervisors ask to see.
Do we need threat-led penetration testing?
Entities identified as significant must run TLPT at least every three years under the TIBER-EU framework. All in-scope entities run a broader programme of resilience testing on their ICT systems.
How does DORA relate to NIS 2?
For the financial sector DORA is lex specialis: where they overlap on ICT risk and incident reporting, financial entities follow DORA. NIS 2 remains the wider backdrop and governs many non-financial sectors.
Get DORA-ready, from gap analysis to evidence.
A focused review: scope and proportionality, the gap across the five pillars, your Register of Information, and the realistic route to evidence the supervisor accepts. Tell us where you are and we'll take it from there — or ask for a call if that's easier.