
The Digital Operational Resilience Act (DORA), in effect since January 17, 2025, is European Union legislation that aims to manage information and communication technology (ICT) risks across the European financial sector. We outline a few key points financial firms should be aware of when adhering to the DORA legislation, as well as how consentmanager can support them.
DORA overview and key facts
What is DORA? An EU legislation setting standardized rules so financial firms and their IT partners can swiftly respond to and recover from tech failures or cyber incidents
Who must comply? EU-authorized finance players: banks, payment companies, credit institutions, insurers, asset managers, investment firms, crypto providers and their ICT vendors (e.g., cloud hosts, software suppliers)
Effective date: January 17, 2025
Covered regions: European Union
5 Key Pillars of DORA:
1. Build and maintain an ICT risk management system
2. Report and manage incidents
3. Test operational resilience
4. Oversee third-party tech suppliers
5. Share threat insights
Fines: Financial institutions can be fined up to 2% of their global annual turnover
What is DORA in the EU?
The Digital Operational Resilience Act (DORA) is an EU regulation that took effect on 17 January 2025, requiring financial entities—like banks, insurers, and investment firms and their technology suppliers—to build strong defences against IT disruptions, including cyberattacks and system failures. It was introduced to harmonise digital resilience standards across the EU and protect the stability of the financial system, much as the General Data Protection Regulation (GDPR) did for data privacy.
Which entities need to adhere to the DORA regulation?
- Credit institutions, payment institutions, and electronic money institutions
- Investment firms and asset managers
- Insurance and reinsurance undertakings
- Trading venues, central securities depositories, and central counterparties
- Crypto-asset service providers and issuers of asset-referenced tokens
- ICT third-party service providers (e.g. cloud, software, data centers)
- Other entities listed in Article 2(1) of the DORA Regulation
The five DORA pillars and requirements for financial firms

The Digital Operational Resilience Act is built around five core pillars: the first four are mandatory for DORA compliance, while the fifth—information sharing—is encouraged but optional. Understanding these pillars will help your business comply, as they form the structural foundation of this act.
→ Let’s take a closer look at each pillar and what financial institutions are expected to implement.
1. ICT risk management framework
Financial institutions must establish a structured approach to managing technology risks. This includes:
- Establishing an ICT risk management policy aligned with your overall risk strategy
- Defining security controls, response plans, and risk mitigation measures
- Using secure, up-to-date, and scalable IT systems
- Maintaining business continuity and disaster recovery plans
- Preparing crisis communication procedures for major incidents
2. Incident detection & reporting
Companies are required to:
- Establish and maintain a process to detect, manage, document, and report ICT-related incidents
- Identify and classify incidents based on severity and impact (e.g. cyberattacks, system outages, data breaches)
- Report major ICT incidents to the relevant supervisory authority within the timelines set by DORA
3. Digital resilience testing
To stay prepared, companies must regularly test their ability to handle ICT disruptions. Activities include:
- Conducting vulnerability scans and assessments to uncover technical weaknesses
- Running scenario-based exercises to test responses to simulated cyberattacks or system failures
- Performing compatibility checks to ensure smooth integration of systems and software
- Carrying out end-to-end and performance tests to evaluate system behavior under stress or high demand
Additional requirement for high-risk firms: Higher-risk institutions must conduct threat-led penetration testing (TLPT) at least once every 3 years, simulating sophisticated cyberattacks.
4. Managing third-party ICT risks
Under DORA, financial institutions must treat third-party ICT risk as a core part of their overall digital risk strategy. This involves:
- Ensuring contracts meet DORA’s legal and security requirements
- Considering risk vs. cost when selecting or switching vendors
- Including clear roles, responsibilities, SLAs, and exit clauses in contracts
- Maintaining a detailed register of all ICT providers, and submitting it to regulators for critical functions
5. Participating in threat information sharing
While not mandatory, the DORA regulation encourages participation in industry-wide information sharing to:
- Share insights such as threat indicators, attacker tactics, and known vulnerabilities
- Strengthen sector-wide awareness and resilience
How consentmanager can help
At consentmanager, we adhere to high standards of security resilience.
Customers can contact our customer service team directly to send revised contracts for non-critical third-party service providers with updated DORA-mandated provisions for us to sign, if necessary. Contact our support team by filling out this form here: https://www.consentmanager.net/en/contact/
Please note:
This article is intended for informational purposes only and does not constitute legal advice. For full details, refer to the official text of the DORA Regulation available here.
FAQ
Does consentmanager qualify as a critical ICT third-party provider under DORA EU?
No, consentmanager does not fall within the scope of “critical ICT third-party service providers,” as defined by the regulation, and is therefore a non-critical third-party service provider.
Who is exempt from DORA Regulation EU?
Microenterprises (fewer than 10 employees or annual turnover/balance sheet total under €2 million) and small insurance or reinsurance undertakings may be exempt from various parts of the regulation. These entities are subject to a simplified ICT risk management framework.
Is the Digital Operational Resilience Act (DORA) applicable to the UK?
DORA is an EU regulation and does not apply directly in the UK. However, UK-based financial entities and ICT service providers that operate in the EU or have EU clients may need to comply with DORA.