DORA — Digital Operational Resilience Act

Article-by-article readiness and implementation programmes for EU financial entities subject to Regulation (EU) 2022/2554, applicable from 17 January 2025.

Scope of Application

DORA applies directly to a broad set of EU financial entities: credit institutions, payment and electronic-money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and UCITS, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories — together with their ICT third-party service providers.

The Five DORA Pillars

  1. ICT Risk Management (Articles 5–16) — governance, risk framework, business continuity, incident response, and learning
  2. ICT-Related Incident Management, Classification, and Reporting (Articles 17–23) — major incident classification thresholds and timelines
  3. Digital Operational Resilience Testing (Articles 24–27) — testing programme, advanced Threat-Led Penetration Testing (TLPT)
  4. Managing ICT Third-Party Risk (Articles 28–44) — register of information, concentration risk, contractual requirements, sub-outsourcing, and exit strategies
  5. Information Sharing Arrangements (Article 45) — voluntary intelligence-sharing communities

Engagement Scope

  • Applicability and proportionality assessment — including the simplified ICT risk management framework for micro-enterprises
  • Gap assessment against all five pillars and the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)
  • Register of Information design and population for ICT third-party arrangements
  • Incident classification and reporting workflow implementation
  • Threat-Led Penetration Testing (TLPT) — TIBER-EU-compatible engagements led by CREST-certified penetration testers
  • Contractual remediation for in-flight ICT third-party agreements
  • Board reporting and governance package

TLPT and CREST Alignment

DORA’s advanced testing requirements (Articles 26–27) mandate threat-led penetration testing every three years for designated financial entities. Nesil Teknoloji’s status as a CREST International Member and TSE Class A penetration testing firm directly supports TLPT delivery, together with the threat-intelligence and red-team functions that a TLPT exercise requires.

See also: Penetration Testing · Regulatory Penetration Testing