DORA Compliance for Third-Party Risk Management: What Financial Services Firms Must Do in 2026
DORA (Regulation EU 2022/2554, the Digital Operational Resilience Act) applies to approximately 22,000 EU financial entities from 17 January 2025. It requires firms to manage ICT risk, report incidents, test resilience and govern ICT third-party relationships through formal programmes, contractual controls and continuous monitoring. All five pillars are in force. Enforcement is active.
Table of contents
- Who it applies to
- Five pillars
- Articles 28-30
- ICT register
- Concentration risk
- Article 30 contracts
- Does DORA apply to UK
- 2026 enforcement
- DORA checklist
- How Neotas helps
- FAQs
Last reviewed: June 2026 | Reading time: 18 minutes
What is DORA compliance?
DORA compliance is a regulated financial entity’s adherence to Regulation (EU) 2022/2554, which has applied across EU financial services since 17 January 2025. The regulation requires firms to maintain formal ICT risk frameworks, classify and report incidents within defined timelines, test operational resilience annually, oversee all ICT third-party providers through structured programmes and contractual controls, and maintain a complete Register of Information covering every ICT vendor arrangement.
DORA is a Regulation, not a Directive. It is directly applicable law across all EU member states, binding in its entirety without national transposition. Supervisory enforcement by national competent authorities (NCAs) and the European Supervisory Authorities has been active since January 2025. EIOPA DORA guidance
What does DORA stand for?
DORA stands for Digital Operational Resilience Act. Its full legal designation is Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
The regulation was introduced because EU financial services had operated under fragmented national ICT risk frameworks, with no unified standard governing how third-party technology relationships should be managed. DORA replaces that patchwork with a single, harmonised rulebook. For the financial sector specifically, it supersedes the cybersecurity risk-management and reporting obligations of NIS2 – Article 1(2) DORA states this explicitly. DORA full text and updates

Related: What is TPRM? Complete guide to third-party risk management | TPRM framework guide | Enhanced due diligence services
Who does DORA apply to?
DORA applies to 20 categories of EU-regulated financial entity. Proportionality provisions exist – smaller entities can apply less complex frameworks, but no entity in scope can opt out of third-party risk obligations entirely. Microenterprises (fewer than 10 employees, turnover below €2m) face the most reduced requirements, but still have ICT third-party risk obligations under Article 28.
| Entity type | In scope | Proportionality |
|---|---|---|
| Banks and credit institutions | Yes | Full requirements |
| Insurance and reinsurance undertakings | Yes | Full requirements |
| Investment firms | Yes | Full requirements |
| Payment institutions | Yes | Full requirements |
| E-money institutions | Yes | Full requirements |
| Crypto-asset service providers | Yes | Full requirements |
| Central counterparties | Yes | Full requirements |
| Pension funds (IORPs) | Yes | Proportionate application |
| Microenterprises | Yes | Significantly reduced |
| Critical ICT providers (CTPPs) | Yes – direct ESA oversight | Oversight framework applies |
Non-EU firms are affected in two distinct ways. ICT service providers based outside the EU but serving EU-regulated financial entities fall within DORA’s third-party risk framework through their clients’ Article 28 obligations. Any non-EU entity formally designated as a Critical ICT Third-Party Provider faces direct ESA oversight regardless of domicile.
Penalties for DORA non-compliance
- Financial entities: fines up to 10% of annual global turnover or €10 million for serious breaches
- Critical ICT providers: periodic penalty payments up to 1% of average daily worldwide turnover
- Individual senior managers: fines up to €1 million – personal liability, not just corporate
- Public disclosure of non-compliance decisions – reputational consequences beyond the financial penalty
Enforcement has been active since January 2025. The regulatory posture in 2026 is explicitly interventionist: regulators are examining firms for compliance evidence, not remediation plans. EBA DORA supervisory framework
DORA applies to 20 categories of EU financial entity from January 2025, with penalties up to 10% of annual global turnover for serious breaches. Non-EU ICT service providers serving EU-regulated clients fall within scope through their clients’ Article 28 obligations. Proportionality applies to smaller entities but does not exempt them from third-party risk requirements.
The five pillars of DORA
DORA organises its requirements around five pillars. All five are in force from January 2025. Pillar 4 (ICT third-party risk management, Articles 28-30) carries the highest rate of compliance gaps in supervisory assessments and is the section with the most operational change for most regulated firms.

| Pillar | Articles | Core obligation | 2026 enforcement focus |
|---|---|---|---|
| 1. ICT risk management | 5-16 | Formal ICT risk framework, asset inventory, risk appetite, BCP/DR | Framework documentation, board accountability records |
| 2. Incident management | 17-23 | Classify and report major incidents: 4-hour initial, 72-hour intermediate, 1-month final | Classification criteria, 4-hour notification readiness, incident logs |
| 3. Resilience testing | 24-27 | Annual basic testing; TLPT every 3 years via TIBER-EU for systemically important firms | Test scope covering third-party dependencies, remediation tracking |
| 4. ICT third-party risk | 28-30 | TPRM programme, Register of Information, concentration risk assessment, contractual requirements | ROI completeness, CIF classification, Art. 30 contract provisions |
| 5. Information sharing | 45-49 | Voluntary cyber threat intelligence sharing with regulators and sector peers | Policy documentation, GDPR and competition law compliance |
Related: TPRM lifecycle: 7 stages explained | Full TPRM regulatory requirements table
All five DORA pillars are in force. Pillar 4 (ICT third-party risk management, Articles 28-30) requires a formal programme, a maintained Register of Information, concentration risk assessment and specific contractual provisions in every ICT agreement, making it the most operationally demanding section for most regulated firms.
DORA third-party risk management: Articles 28-30
Articles 28, 29 and 30 are the sections that require the most operational redesign for firms that previously managed third-party risk through questionnaire-based programmes. They impose a formal programme structure, a Register of Information with specific data fields, portfolio-level concentration risk assessment and mandatory contractual provisions that most legacy ICT contracts do not contain.
Article 28: the ICT TPRM programme
Article 28 requires financial entities to manage ICT third-party risk as an integral part of their overall ICT risk framework. It must be embedded in governance, connected to risk appetite and formally overseen by the management body. A standalone vendor questionnaire process does not satisfy Article 28 – the regulation requires a documented programme with board accountability.
Specific Article 28 obligations:
- Formal ICT third-party risk strategy adopted and reviewed regularly, applying at entity, sub-consolidated and consolidated levels
- Pre-contractual due diligence proportionate to criticality, covering substitutability, insolvency risk, data protection compliance and subcontracting chains (Article 28(4) full text)
- Management body accountability: the board must periodically review risks arising from all ICT contractual arrangements
- Multi-vendor strategy to avoid excessive single-provider dependency
- Continuous monitoring of active ICT third-party relationships, risk-tiered by criticality
- Exit strategies for functions with high concentration risk, documented and tested periodically
Critical or important function (CIF) classification
DORA’s strictest obligations apply to arrangements supporting critical or important functions (CIF). Article 3(22) defines a CIF as any function whose disruption would materially impair financial performance, regulatory compliance or service continuity. Getting this classification right is material: under-classify and you apply inadequate controls to CIF-level arrangements, creating direct enforcement risk; over-classify and you create disproportionate burden without regulatory necessity.
In 2026 supervisory reviews, CIF classification depth, documented rationale and consistency of application are actively examined. Regulators verify that classification decisions are recorded and defensible, not applied by category convention. EBA DORA supervisory expectations
Related: Enhanced due diligence at Neotas: OSINT-enhanced vendor screening for Article 28 requirements | TPRM questionnaire limitations and Article 28 compliance
The DORA Register of Information (ROI)
Article 28(3) requires a Register of Information (ROI) covering all ICT third-party contractual arrangements, maintained at entity, sub-consolidated and consolidated levels. The ROI must be built to the ITS (Implementing Technical Standards) data model specified by the ESAs and submitted to the relevant national competent authority. It is the first document examined in every DORA supervisory review.
ROI compliance reality check: In the 2024 ESA dry-run exercise, only 6.5% of nearly 1,000 participating firms passed all 116 data quality checks. The most common failures were incomplete contract data, missing subcontractor information and incorrect CIF classifications. The 2026 submission cycle (reference date 31 December 2025) operates under significantly higher supervisory expectations. ESAs 2024 dry-run report
What the ROI must contain
- Provider legal entity name and LEI (Legal Entity Identifier)
- Contract reference number and type
- Description of ICT services provided
- All countries where data is stored, processed or transmitted
- CIF classification with documented rationale per arrangement
- Sub-contractor details for CIF arrangements: names, jurisdictions, functions
- Contract start and end dates, and termination notice periods
- Audit rights provisions
- Incident notification obligations
Why spreadsheet-based ROIs fail regulatory review
The ITS data model requires relational integrity between entities, contracts and functions. An Excel spreadsheet cannot maintain this structure beyond the first regulatory submission without significant manual intervention. At scale (50+ ICT vendors across a group), spreadsheet-based ROIs consistently produce data quality failures of the type the ESA dry-run identified.
Analysis of DORA readiness across European banks in Q1 2025 showed a consistent supervisory pattern: the ROI is checked for completeness and ITS compliance as the first supervisory step. CIF classification is then examined for documentation consistency. Contract provisions are sample-checked against the Article 30 mandatory list. Firms with gaps at step one typically do not get a full review of steps two and three – they receive remediation requirements instead.
The DORA Register of Information must be built to the ESAs’ ITS data model and submitted to the national competent authority. Only 6.5% of firms passed all 116 data quality checks in the 2024 ESA dry-run. Spreadsheet-based ROIs typically fail by the first formal submission. The most common failures are incomplete contract data, missing sub-contractor information and incorrect CIF classifications.
DORA concentration risk: Article 29
Article 29 requires financial entities to identify and manage situations where critical or important functions depend on a single ICT provider, a single geographic region or shared underlying infrastructure. This is portfolio-level analysis; individual vendor risk assessments do not satisfy Article 29. Firms must understand what happens when multiple critical functions simultaneously lose the same provider.
Industry context
The ECB has found that more than 30% of total outsourcing budgets at significant EU banks is concentrated on just 10 ICT providers. That concentration is real and systemic, and it is precisely what DORA Article 29 targets. Most TPRM programmes track individual vendor risk. Article 29 requires firms to understand cross-portfolio concentration that individual scorecards cannot detect. ECB supervisory data
Article 29 obligations in practice
- Portfolio-level concentration mapping: which critical functions share the same provider, geography or cloud infrastructure
- Pre-contractual concentration assessment: before entering any new CIF arrangement, formally assess whether it increases portfolio concentration
- Exit strategies for high-concentration functions that do not themselves create additional concentration risk
- Regular reporting to the management body on concentration risk findings
- Documentation that concentration risk was explicitly considered in vendor selection decisions
The ECB finalised its Guide on outsourcing cloud services in July 2025, reinforcing the risk-based approach to concentration assessment and emphasising documented rationale for cloud provider selection where concentration risk is material. ECB July 2025 cloud outsourcing guide
Article 29 requires portfolio-level concentration risk assessment – not individual vendor scorecards. The ECB has found that over 30% of significant banks’ outsourcing budgets concentrate on just 10 providers. Firms must assess concentration before entering new CIF arrangements, develop exit strategies for high-concentration functions and report findings to the management body.
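The two points above that resist a spreadsheet, relational integrity in the Register of Information and portfolio-level concentration that individual vendor scorecards miss, are easier to see on a small register. The following is an added illustration, not Neotas code and not the ESAs' ITS data model: the provider, function and contract tables, the LEIs, contract references and country codes are all constructed, and the field set is a simplification of the ROI fields listed earlier on this page. Two vendors that each look fine in isolation both run on the same sub-contracted cloud provider, which only the portfolio view reveals.

```python
"""Added example: ITS-style integrity checks on a toy Register of Information,
plus a portfolio-level concentration map that follows sub-contractor links.
Every record below is constructed sample data, not a real provider or LEI."""
from collections import defaultdict

# Provider table keyed by (constructed) LEI, as the ROI requires.
PROVIDERS = {
    "LEI-CLOUDCO-0001": {"name": "CloudCo (constructed)", "country": "IE"},
    "LEI-PAYHUB-0002": {"name": "PayHub (constructed)", "country": "DE"},
    "LEI-CORESYS-0003": {"name": "CoreSys (constructed)", "country": "FR"},
}

# Function table with the CIF classification (Article 3(22)) per function.
FUNCTIONS = {
    "F-PAYMENTS": {"name": "Payment processing", "cif": True},
    "F-CORE": {"name": "Core banking ledger", "cif": True},
    "F-HR": {"name": "HR portal", "cif": False},
}

# Contract table linking provider and function by identifier. "subcontractors"
# is None when the field was never recorded, [] when none were declared.
CONTRACTS = [
    {"ref": "C-001", "provider": "LEI-PAYHUB-0002", "function": "F-PAYMENTS",
     "countries": ["DE", "IE"], "subcontractors": ["LEI-CLOUDCO-0001"],
     "audit_rights": True, "incident_notification": True},
    {"ref": "C-002", "provider": "LEI-CORESYS-0003", "function": "F-CORE",
     "countries": ["FR"], "subcontractors": ["LEI-CLOUDCO-0001"],
     "audit_rights": True, "incident_notification": True},
    {"ref": "C-003", "provider": "LEI-HRTOOL-9999", "function": "F-HR",
     "countries": [], "subcontractors": [],          # LEI not in provider table
     "audit_rights": False, "incident_notification": True},
    {"ref": "C-004", "provider": "LEI-CLOUDCO-0001", "function": "F-CORE",
     "countries": ["IE"], "subcontractors": None,    # CIF, sub-contractors unrecorded
     "audit_rights": True, "incident_notification": True},
]


def check_register(contracts, providers, functions):
    """Relational-integrity and completeness checks: every identifier must
    resolve to a row in its table, and CIF arrangements must carry the fields
    the ROI requires. Returns a list of (contract_ref, issue) tuples."""
    findings = []
    for c in contracts:
        ref = c["ref"]
        if c["provider"] not in providers:
            findings.append((ref, "provider LEI not present in provider table"))
        if c["function"] not in functions:
            findings.append((ref, "function id not present in function table"))
            continue
        for sub in c["subcontractors"] or []:
            if sub not in providers:
                findings.append((ref, f"sub-contractor {sub} not present in provider table"))
        if not c["countries"]:
            findings.append((ref, "no data storage/processing countries recorded"))
        if not c["audit_rights"]:
            findings.append((ref, "audit rights provision not recorded"))
        if not c["incident_notification"]:
            findings.append((ref, "incident notification obligation not recorded"))
        if functions[c["function"]]["cif"] and c["subcontractors"] is None:
            findings.append((ref, "CIF arrangement without sub-contractor details"))
    return findings


def concentration_map(contracts, functions):
    """Portfolio view: for each provider, the sorted list of CIFs that depend
    on it directly or through a declared sub-contractor (one level down)."""
    deps = defaultdict(set)
    for c in contracts:
        fn = c["function"]
        if not functions.get(fn, {}).get("cif"):
            continue
        deps[c["provider"]].add(fn)
        for sub in c["subcontractors"] or []:
            deps[sub].add(fn)
    return {p: sorted(f) for p, f in deps.items()}


def geographic_map(contracts, functions):
    """Same view by country: which CIFs have data stored or processed there."""
    deps = defaultdict(set)
    for c in contracts:
        fn = c["function"]
        if not functions.get(fn, {}).get("cif"):
            continue
        for country in c["countries"]:
            deps[country].add(fn)
    return {k: sorted(v) for k, v in deps.items()}


def concentration_findings(dep_map, threshold=2):
    """Keys (providers or countries) on which `threshold` or more CIFs depend."""
    return sorted((k, v) for k, v in dep_map.items() if len(v) >= threshold)


if __name__ == "__main__":
    for ref, issue in check_register(CONTRACTS, PROVIDERS, FUNCTIONS):
        print(f"ROI finding {ref}: {issue}")
    for key, fns in concentration_findings(concentration_map(CONTRACTS, FUNCTIONS)):
        print(f"Provider concentration: {key} underpins {fns}")
    for key, fns in concentration_findings(geographic_map(CONTRACTS, FUNCTIONS)):
        print(f"Geographic concentration: {key} hosts {fns}")
```

On this register, PayHub and CoreSys each support one CIF and would pass an individual scorecard; the map shows CloudCo underpinning both payment processing and the core ledger, once as a direct provider and twice as a sub-contractor, and Ireland hosting data for both CIFs. The integrity pass separately flags the unresolved LEI and missing provisions on the HR contract and the unrecorded sub-contractor field on a CIF arrangement, which is the kind of relational check the ITS data model enforces and a flat spreadsheet does not.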
DORA Article 30: contractual requirements for ICT agreements
Every ICT contract must contain the provisions specified in Article 30. Contracts supporting critical or important functions have additional enhanced requirements. There is no grace period for legacy contracts: gaps must be addressed at next renewal. Regulators sample-check Article 30 provisions against the mandatory list in supervisory reviews.

| Contractual provision | All ICT contracts | CIF contracts | What to check in existing contracts |
|---|---|---|---|
| Service description and performance levels | Required | Required + specific performance targets | Are functions, data scope, locations and SLAs explicitly stated? |
| Data locations | Required | Required + change notification obligation | All processing countries named? Change notification required? |
| Audit and inspection rights | Required | Required + agreed methodologies and standards | Is audit scope defined? Are accepted standards specified? |
| ICT incident notification | Required | Required + DORA-aligned timelines | Does vendor notification allow you to meet DORA’s 4-hour window? |
| Business continuity obligations | Required | Required + BCP test evidence sharing | Does contract require vendor BCP testing and results disclosure? |
| Termination rights | Required | Required + DORA-specific grounds | Do rights include material breach, service deterioration, regulatory non-compliance? |
| Exit assistance | CIF only | Required – minimum period specified | Is data migration support and knowledge transfer contractually committed? |
| Sub-contractor disclosure | Required | Required + prior approval or notification for changes | Full disclosure required? Changes subject to approval? |
In 2026 supervisory sample checks, Article 30 provisions are verified against the mandatory list. Firms with CIF vendors on legacy contracts that predate January 2025 carry direct enforcement risk at the next supervisory interaction. Every ICT contract renewal from 2025 onwards must include the full Article 30 provisions before signature.
Related: TPRM policy guide – contract standards section | Vendor risk assessment template
Article 30 requires specific provisions in all ICT contracts. CIF contracts need enhanced requirements including exit assistance and full sub-contractor disclosure. There is no grace period – legacy contracts must be updated at next renewal. Regulators actively sample-check Article 30 compliance in supervisory reviews.
Download the Neotas DORA Compliance Checklist
Article-level checklist covering all 5 DORA pillars, every Article 30 mandatory contract provision, ROI data field requirements and CIF classification guidance.
Used by compliance teams, CROs and legal counsel at regulated financial institutions across the UK and EU.
Does DORA apply to UK firms?
Direct answer: DORA does not directly bind UK-only regulated firms. UK firms with EU subsidiaries, EU branches or EU-authorised entities must comply with DORA for those entities. UK ICT service providers serving EU-regulated financial entities are subject to DORA’s third-party risk requirements through their clients’ Article 28 obligations. UK-only firms operate under FCA PS21/3, PRA SS1/21 and SMCR.

| UK firm type | DORA obligation | Applicable framework |
|---|---|---|
| UK-only regulated firm, no EU operations | No direct obligation | FCA PS21/3 (full implementation March 2025), PRA SS1/21, SMCR, UK Critical Third Parties regime (PS24/16) |
| UK firm with EU subsidiary or EU-authorised branch | Yes – for EU entities | DORA applies to EU entities directly. UK parent must ensure EU entities comply. UK entities governed by FCA/PRA framework. |
| UK ICT service provider serving EU-regulated clients | Yes – indirect | DORA flows via client contracts. Must satisfy Art. 30 requirements imposed by EU-regulated clients. CTPP designation possible. |
| UK group IT function serving EU subsidiary | Yes | Inter-group ICT arrangements fall within Art. 28 scope of the EU subsidiary and must appear in the EU entity’s ROI. |
DORA and SMCR: personal accountability
For UK firms with EU operations, a DORA breach at the EU-entity level can trigger both EU regulatory action and personal liability under SMCR for the accountable UK Senior Manager. Under SMCR, a named Senior Manager is personally accountable for operational resilience failures – including TPRM failures in their designated area. Board documentation of DORA compliance oversight is therefore both a DORA obligation for EU entities and an SMCR obligation for UK Senior Managers with EU responsibilities.
UK operational resilience framework vs DORA
| Feature | DORA (EU) | FCA PS21/3 / PRA SS1/21 (UK) |
|---|---|---|
| Legal type | Regulation – directly applicable | Policy statement – principles-based |
| Full implementation | January 2025 | March 2025 |
| Third-party risk | Prescriptive – Articles 28-30, ROI, Art. 30 contracts | Principles-based – firms determine how to manage outsourcing risk |
| Incident reporting | Harmonised – 4h/72h/1 month timelines | FCA operational incident reporting rules – separate regime |
| Critical third parties | CTPP designation – direct ESA oversight | UK Critical Third Parties regime (PS24/16) – BoE/FCA/PRA oversight |
| Penalty structure | Up to 10% annual global turnover | FCA enforcement powers – unlimited fines for serious breaches |
Firms operating to DORA standards will generally satisfy FCA and PRA operational resilience expectations. The reverse is not always true – DORA’s prescriptive contractual and ROI requirements go further than the UK principles-based framework in specific areas. FCA PS21/3 – Building Operational Resilience
Related: Full TPRM regulatory requirements table: DORA, FCA, OCC | TPRM framework guide
DORA does not directly bind UK-only regulated firms. UK firms with EU subsidiaries, EU group IT functions serving EU entities, or UK ICT providers serving EU-regulated clients are in scope through those EU relationships. For firms in scope on both sides, DORA standards satisfy FCA/PRA expectations, but the reverse is not always true.
DORA enforcement in 2026: what has changed
DORA has been in force since January 2025. The regulatory posture in 2026 has shifted from remediation-oriented guidance to enforcement action. Regulators are examining firms for compliance evidence.
- First ROI submission cycle: The 2026 cycle covers ICT third-party arrangements with a reference date of 31 December 2025. National regulator submission deadlines vary. The ESAs use ROI data for CTPP designation decisions and supervisory prioritisation.
- CTPP designations confirmed: 19 ICT providers were designated as critical ICT third-party service providers in November 2025, including major cloud infrastructure providers. These firms now face direct ESA inspection and oversight powers. Financial entities using designated CTPPs may receive information requests from the ESAs as part of the oversight process. ESAs CTPP designation – November 2025
- ECB cloud outsourcing guidance: The ECB finalised its Guide on outsourcing cloud services in July 2025, reinforcing the risk-based approach to concentration risk and specifying supervisory expectations for documented rationale in cloud provider selection.
- Interventionist supervision: Regulatory commentary across the industry describes the 2026 supervisory posture as interventionist. Regulators now expect real-time, data-driven evidence of resilience. Policy documentation alone is not accepted as evidence of compliance.
What regulators examine in DORA supervisory reviews (2026)
- ROI completeness and ITS data model compliance – first check in every review
- CIF classification depth, documentation consistency and alignment with the Article 3(22) definition
- Article 30 contract provisions in sample checks against the mandatory list
- Monitoring records: not the existence of a monitoring process, but confirmed continuous operation with documented output
- Concentration risk assessment at portfolio level – individual vendor scores are not accepted
The 2026 DORA supervisory posture is enforcement-oriented. 19 critical ICT providers were designated in November 2025 and face direct ESA oversight. The first ROI submission cycle is active. Regulators are verifying compliance evidence – ROI completeness, CIF classification rationale and Article 30 contract provisions, not remediation timelines.
Why standard database checks are insufficient for DORA Article 28
DORA Article 28(4) requires pre-contractual assessment covering substitutability, insolvency risk, data protection compliance and subcontracting chains. Article 28(6) requires continuous ongoing monitoring. Standard TPRM approaches – questionnaires, cybersecurity ratings, credit reports and structured database sanctions checks – address parts of this. They consistently miss the areas DORA specifically targets.
What structured database checks fail to surface:
- Adverse media in non-English languages: vendors operating internationally generate adverse media that structured databases capture with significant lag, if at all
- Emerging financial crime indicators: enforcement actions follow intelligence by weeks or months; OSINT-based screening identifies indicators before they appear on structured lists
- Beneficial ownership opacity: multi-layer holding structures across jurisdictions obscure ultimate beneficial ownership that company register checks do not reach
- Sub-contractor relationships creating hidden concentration risk: vendors using the same cloud infrastructure or data processors create concentration exposure that individual vendor assessments cannot detect, which is precisely what Article 28(4)(d) targets
- ESG violations in vendor operations: modern slavery and ABAC exposure embedded in vendor supply chains are not captured by cybersecurity or credit assessments
Article 28(4)(d) specifically requires firms to assess “whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions.” This is fourth-party risk territory. It requires active intelligence-led investigation. DORA Article 28 full text
Related: Enhanced due diligence: OSINT-enhanced vendor screening for DORA Article 28 | 7 key third-party risk categories | Supply chain risk management and DORA fourth-party requirements
DORA compliance checklist: five-pillar summary
The following is a condensed checklist. The full article-level version including Article 30 mandatory provisions, ROI data field requirements and CIF classification guidance is available as a free PDF download.
Pillar 1: ICT risk management (Articles 5-16)
- ICT risk management framework formally documented and board-approved
- ICT asset inventory complete and classified by criticality
- ICT risk appetite defined and formally approved
- Annual ICT risk assessment completed and documented
- Business continuity and disaster recovery policy aligned to ICT risk framework
- Multi-vendor strategy documented where critical functions depend on ICT providers
Pillar 2: ICT incident management (Articles 17-23)
- Major vs minor ICT incident classification criteria defined and documented
- 4-hour initial notification procedure documented, tested and understood by response team
- 72-hour intermediate notification template prepared and accessible
- 1-month final report process established with assigned owner
- ICT incident log maintained and accessible for regulatory review
- Vendor-caused incidents covered by the same classification and notification process
Pillar 3: Digital operational resilience testing (Articles 24-27)
- Annual basic resilience testing programme in place and documented
- Test scope covers all critical ICT systems and third-party dependencies
- Test results documented with remediation tracked to closure
- TLPT applicability formally assessed (mandatory every 3 years for systemically important firms via TIBER-EU)
Pillar 4: ICT third-party risk management (Articles 28-30)
- Formal ICT TPRM programme documented and board-approved (Art. 28)
- ICT third-party risk strategy adopted at entity, sub-consolidated and consolidated levels (Art. 28(2))
- Pre-contractual due diligence process defined, covering all Art. 28(4) assessment criteria
- Register of Information built to ITS data model standards and maintained at all levels (Art. 28(3))
- CIF classification applied consistently with documented rationale per arrangement (Art. 3(22))
- Sub-contractor information included in ROI for all CIF arrangements
- ROI submitted to national competent authority, or submission plan confirmed
- All ICT contracts reviewed against Article 30 mandatory provisions
- Concentration risk assessment completed at portfolio level (Art. 29)
- Exit strategies for CIF functions documented and periodically tested (Art. 28(8))
- Continuous monitoring in place for all CIF vendors with documented records (Art. 28(6))
- Adverse media and sanctions screening active for high-risk vendor relationships
Pillar 5: information sharing (Articles 45-49)
- Policy on cyber threat information sharing established
- Sharing arrangements reviewed for GDPR and competition law compliance
- Participation in sector information sharing communities assessed
How Neotas supports DORA compliance
Neotas is an intelligence-led third-party risk management provider, rated in the Chartis FCC50 as a leading financial crime compliance technology provider. Standard TPRM platforms satisfy some of DORA’s Article 28 requirements and leave gaps where intelligence-led screening is required.
| Neotas capability | DORA article | What it delivers |
|---|---|---|
| Intelligence-led vendor due diligence | Art. 28(4) – pre-contractual | OSINT-enhanced assessment covering all Art. 28(4) criteria: substitutability, financial health, data protection compliance, subcontracting chains, adverse media, financial crime and ESG indicators |
| DORA ROI gap assessment | Art. 28(3) – Register of Information | Reviews vendor inventory against ITS data model requirements; identifies completeness gaps, CIF classification issues and missing sub-contractor data before regulatory submission |
| Article 30 contract audit | Art. 30 – contractual requirements | Reviews existing ICT contracts against all mandatory and enhanced Art. 30 provisions; flags gaps for action at next renewal |
| Concentration risk mapping | Art. 29 – concentration risk | Portfolio-level analysis of ICT provider concentration across critical functions and geographies; identifies single-provider dependencies not visible from individual vendor assessments |
| Fourth-party sub-contractor screening | Art. 28(4)(d) – subcontracting chains | OSINT mapping of sub-contractor relationships for CIF vendors; surfaces hidden concentration risk and financial crime exposure at sub-contractor level |
| Ongoing adverse media monitoring | Art. 28(6) – continuous monitoring | Continuous adverse media, sanctions and regulatory action alerts across 200+ languages; analyst-reviewed for Tier 1 vendors |
| Financial crime compliance integration | Art. 28(4) – pre-contractual and ongoing | AML, KYC and sanctions screening embedded in TPRM due diligence; produces regulatory evidence trails |
| DORA readiness assessment | All pillars | Gap analysis across all five DORA pillars with prioritised remediation roadmap and effort estimates |
Build a DORA-compliant TPRM programme with Neotas
Neotas works with CROs, compliance leads and legal counsel at regulated financial institutions across the UK and EU. We address the gaps in Articles 28-30 compliance that questionnaire-only programmes consistently leave.
FCA-regulated. Chartis FCC50 recognised. Covered by professional indemnity insurance.
Frequently asked questions about DORA compliance
What is DORA compliance?
DORA compliance is a regulated financial entity’s adherence to Regulation (EU) 2022/2554, the Digital Operational Resilience Act, which applies across EU financial services from 17 January 2025. It requires firms to manage ICT risk through formal frameworks, report major incidents within defined timelines, test operational resilience annually, and govern all ICT third-party relationships through structured programmes, contractual controls and continuous monitoring. EIOPA DORA guidance
What does DORA stand for?
DORA stands for Digital Operational Resilience Act. Its full legal designation is Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector. It applies to approximately 22,000 EU-regulated financial entities and their ICT third-party service providers, and has been in force since January 2025.
What are the five pillars of DORA compliance?
The five pillars are: (1) ICT risk management (Articles 5-16), (2) ICT incident management and reporting (Articles 17-23), (3) digital operational resilience testing (Articles 24-27), (4) ICT third-party risk management (Articles 28-30), and (5) information sharing arrangements (Articles 45-49). Pillar 4 carries the highest rate of compliance gaps in 2025-2026 supervisory assessments, driven by ROI failures, CIF classification errors and Article 30 contractual gaps.
What does DORA Article 28 require?
Article 28 requires financial entities to manage ICT third-party risk as an integral component of their overall ICT risk framework. Key obligations: a formal TPRM programme with board oversight, pre-contractual due diligence proportionate to criticality (covering substitutability, insolvency risk, data protection compliance and subcontracting chains), a multi-vendor strategy, continuous monitoring and a Register of Information covering all ICT contractual arrangements. DORA Article 28 full text
What does DORA Article 30 require in ICT contracts?
Article 30 requires all ICT contracts to include: service description and performance levels, data locations and notification of changes, audit rights, ICT incident notification obligations, business continuity requirements and termination rights. Contracts supporting critical or important functions additionally require exit assistance and full sub-contractor disclosure. Legacy contracts that predate DORA must be updated at next renewal. There is no grace period.
What is the Register of Information under DORA?
The Register of Information (ROI) is a structured record of all ICT third-party contractual arrangements, required under Article 28(3) at entity, sub-consolidated and consolidated levels. It must be built to the ESAs’ ITS data model and submitted to the national competent authority. In the 2024 ESA dry-run exercise, only 6.5% of nearly 1,000 participating firms passed all 116 data quality checks. Spreadsheet-based ROIs typically fail the first formal submission. EBA DORA ROI guidance
What is concentration risk under DORA Article 29?
Article 29 concentration risk is the systemic exposure created when critical or important functions depend on a single ICT provider, a single geographic region or shared underlying infrastructure. DORA requires firms to assess concentration risk before entering new CIF arrangements, monitor it continuously and develop exit strategies. The ECB has found that more than 30% of significant banks’ outsourcing budgets concentrate on just 10 providers, which is precisely the exposure Article 29 targets. ECB supervisory data
Does DORA apply to UK firms?
DORA does not directly bind UK-only regulated firms. UK firms with EU subsidiaries or EU-authorised entities must comply with DORA for those entities. UK ICT service providers serving EU-regulated financial entities fall within scope through their clients’ Article 28 obligations. UK-only firms operate under FCA PS21/3, PRA SS1/21 and the UK Critical Third Parties regime (PS24/16). For UK firms with EU operations, a DORA breach can also create personal SMCR liability for the accountable Senior Manager. FCA PS21/3
What is a critical ICT third-party provider under DORA?
Critical ICT third-party service providers (CTPPs) are designated by the European Supervisory Authorities based on systemic importance, substitutability and how many financial entities rely on them. Once designated, CTPPs face direct ESA inspection and oversight powers. In November 2025, the ESAs designated 19 ICT providers as critical, including major cloud infrastructure and data providers. Financial entities using CTPPs may receive information requests from the ESAs as part of the oversight process. ESAs CTPP designation – November 2025
What are the DORA compliance deadlines?
DORA became fully applicable on 17 January 2025. There is no remaining compliance deadline – all obligations are in force. The 2026 ROI submission cycle (reference date 31 December 2025) is active, with submission deadlines varying by national regulator. Enforcement by national competent authorities has been active since January 2025. The regulatory posture in 2026 is explicitly enforcement-oriented, not remediation-oriented.
What are the penalties for DORA non-compliance?
Financial entities face fines up to 10% of annual global turnover or €10 million for serious breaches, whichever is higher. Critical ICT providers face periodic penalty payments up to 1% of average daily worldwide turnover for sustained non-compliance. Individual senior managers face fines up to €1 million. National competent authorities may also publicly disclose non-compliance decisions, creating reputational consequences beyond the financial penalty.
How does DORA differ from NIS2?
NIS2 is an EU-wide cybersecurity directive covering critical infrastructure across multiple sectors. DORA is a financial-sector-specific regulation that supersedes NIS2 for EU financial entities – Article 1(2) DORA explicitly states that financial entities within DORA’s scope are exempt from NIS2’s cybersecurity risk-management and reporting obligations. DORA’s third-party risk and incident reporting requirements are considerably more prescriptive than NIS2 in the financial sector context.
What is the DORA compliance checklist?
A DORA compliance checklist is a structured tool covering all five DORA pillars at article level, including CIF classification guidance, ROI data field requirements and Article 30 contractual provisions. The Neotas DORA Compliance Checklist is available as a free PDF and covers all five pillars with priority ratings based on 2026 supervisory enforcement focus, plus an Article 30 contract provisions audit table and ROI data field guide. Download it at the top of this page.
How does DORA affect third-party risk management?
DORA converts ICT third-party risk management from a best-practice discipline into a binding legal obligation for EU financial entities. Articles 28-30 require a formal programme with board oversight, risk-tiered pre-contractual due diligence, a Register of Information submitted to regulators, specific contractual provisions in all ICT agreements, portfolio-level concentration risk assessment and continuous monitoring with documented records. Questionnaire-only approaches do not satisfy these requirements. Full TPRM guide
What is the DORA Register of Information format?
The ROI must be built to the ITS (Implementing Technical Standards) data model specified by the ESAs. Required fields per ICT arrangement include: provider legal entity name and LEI, contract reference, service description, data locations, CIF classification with documented rationale, sub-contractor details for CIF arrangements, contract start/end dates, termination notice periods, audit rights provisions and incident notification obligations. The data model requires relational integrity between entities, contracts and functions, a structure that spreadsheets cannot reliably maintain at scale.
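The relational-integrity point above is easiest to see in code. The following is an added example, not Neotas tooling and not the ESAs’ ITS template: the table and field names (entities, providers, contracts, functions, `cif`, `subcontractors`, and so on) and the sample register records are constructed for this illustration and are assumptions, not the ITS identifiers, which must be taken from the published standard. The validator checks the cross-references a register must keep consistent (contract to entity, contract to provider, function to contract) and the per-arrangement fields named in the text, and reports every break it finds rather than stopping at the first.

```python
"""Relational-integrity checks over a constructed Register of Information (ROI).

Added example: table/field names and sample records are constructed for this
illustration and are not the ESAs' ITS template identifiers.
"""
from datetime import date

# Constructed sample register: three linked tables plus a provider list.
# LEIs, names and contract references are placeholders, not real parties.
ENTITIES = {"LEI-ENTITY-001": "Example Bank SA"}
PROVIDERS = {"LEI-PROV-CLOUD": "Example Cloud Ltd",
             "LEI-PROV-DATA": "Example Data Corp"}

CONTRACTS = [
    # A complete arrangement: every Article 30 field present, sub-contractor chain disclosed.
    {"ref": "C-001", "entity": "LEI-ENTITY-001", "provider": "LEI-PROV-CLOUD",
     "service": "Core banking hosting", "data_locations": ["IE", "DE"],
     "start": date(2023, 3, 1), "end": date(2027, 2, 28), "notice_days": 180,
     "audit_rights": True, "incident_notification": True,
     "subcontractors": [{"lei": "LEI-SUB-DC", "service": "Data centre operations"}]},
    # Defects: no audit rights clause; sub-contractor chain never disclosed (None, not []).
    {"ref": "C-002", "entity": "LEI-ENTITY-001", "provider": "LEI-PROV-DATA",
     "service": "Market data feed", "data_locations": ["GB"],
     "start": date(2024, 6, 1), "end": date(2026, 5, 31), "notice_days": 90,
     "audit_rights": False, "incident_notification": True,
     "subcontractors": None},
    # Defects: provider LEI not in the provider table; no function links to it.
    {"ref": "C-003", "entity": "LEI-ENTITY-001", "provider": "LEI-PROV-UNKNOWN",
     "service": "Archive storage", "data_locations": ["NL"],
     "start": date(2022, 1, 1), "end": date(2026, 12, 31), "notice_days": 60,
     "audit_rights": True, "incident_notification": True,
     "subcontractors": []},
]

FUNCTIONS = [
    {"id": "F-PAY", "entity": "LEI-ENTITY-001", "name": "Payments processing",
     "cif": True, "rationale": "Settlement-critical; an outage halts payments",
     "contract": "C-001"},
    # Defect: classified as CIF with no documented rationale.
    {"id": "F-MKT", "entity": "LEI-ENTITY-001", "name": "Pricing",
     "cif": True, "rationale": "", "contract": "C-002"},
    # Defect: points at a contract reference that does not exist in the register.
    {"id": "F-HR", "entity": "LEI-ENTITY-001", "name": "HR records",
     "cif": False, "rationale": "", "contract": "C-999"},
]


def validate_roi(entities, providers, contracts, functions):
    """Return a list of integrity findings; an empty list means the register is consistent."""
    findings = []
    by_ref = {c["ref"]: c for c in contracts}
    linked = set()  # contract refs reached from at least one function

    # Contract-level checks: foreign keys to entities/providers and Article 30 fields.
    for c in contracts:
        if c["entity"] not in entities:
            findings.append(f"{c['ref']}: entity {c['entity']} not in register")
        if c["provider"] not in providers:
            findings.append(f"{c['ref']}: provider {c['provider']} not in register")
        if c["end"] < c["start"]:
            findings.append(f"{c['ref']}: end date precedes start date")
        if not c["audit_rights"]:
            findings.append(f"{c['ref']}: audit rights provision missing (Article 30)")
        if not c["incident_notification"]:
            findings.append(f"{c['ref']}: incident notification obligation missing (Article 30)")

    # Function-level checks: each function must resolve to a contract of the same entity,
    # and CIF classifications need a rationale and a disclosed sub-contractor chain.
    for f in functions:
        c = by_ref.get(f["contract"])
        if c is None:
            findings.append(f"{f['id']}: contract {f['contract']} not in register")
            continue
        linked.add(c["ref"])
        if c["entity"] != f["entity"]:
            findings.append(f"{f['id']}: entity mismatch with contract {c['ref']}")
        if f["cif"]:
            if not f["rationale"].strip():
                findings.append(f"{f['id']}: CIF classification has no documented rationale")
            if c["subcontractors"] is None:
                findings.append(f"{c['ref']}: sub-contractor disclosure missing for CIF arrangement {f['id']}")

    # Arrangements no function points at cannot be tied to a CIF decision at all.
    for ref in by_ref:
        if ref not in linked:
            findings.append(f"{ref}: no function linked (orphan arrangement)")
    return findings


def run_example():
    """Validate the constructed register and return its findings."""
    return validate_roi(ENTITIES, PROVIDERS, CONTRACTS, FUNCTIONS)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The two-valued `subcontractors` field (an empty list versus `None`) is the design choice worth noting: "no sub-contractors" and "sub-contractor chain never recorded" are different answers to the same regulatory question, and a flat spreadsheet column typically collapses them into one blank cell. Representing the distinction explicitly is what lets the check for CIF arrangements fire on the missing disclosure without raising a false positive on a genuinely unsubcontracted service.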
What is a DORA readiness assessment?
A DORA readiness assessment is a structured gap analysis of a firm’s current third-party risk programme against DORA’s five pillar requirements, with particular focus on Articles 28-30. It identifies gaps in the Register of Information, CIF classification rationale, Article 30 contract provisions, pre-contractual due diligence depth and concentration risk assessment. Neotas runs DORA readiness assessments for regulated financial institutions across the UK and EU, with results delivered within 5 working days. Request an assessment
Related Resources
What is TPRM? Third-Party Risk Management Complete Guide 2026
“DORA’s Articles 28-30 sit within the broader TPRM discipline; for the full picture of what third-party risk management requires, see our complete TPRM guide.”
Third-Party Risk Management Framework: Building a DORA-Compliant Programme
“Building a TPRM framework that satisfies DORA, FCA and OCC requirements simultaneously requires a structured programme design, covered in detail in our TPRM framework guide.”
Enhanced Due Diligence: Intelligence-Led Vendor Assessment
“DORA Article 28 pre-contractual due diligence goes beyond questionnaires – see how intelligence-led enhanced due diligence addresses the substitutability, insolvency and sub-contractor screening requirements.”
TPRM Best Practices: What DORA-Compliant Programmes Look Like in 2026
“For the specific programme design practices that satisfy DORA’s Article 28 requirements, from risk tiering to monitoring frequency, see TPRM best practices.”
Supply Chain Risk Management and DORA Fourth-Party Obligations
“DORA Article 28(4)(d) requires firms to assess how subcontracting chains affect monitoring capability, the same problem that supply chain risk management programmes address.”
Vendor Risk Assessment Template
“DORA Article 28 due diligence obligations require structured vendor assessments across cybersecurity, operational resilience, subcontractor oversight, and compliance evidence – explore our complete Vendor Risk Assessment Template and operational checklist.”