
What Is DORA?

DORA (Digital Operational Resilience Act) is an EU regulation requiring financial entities to ensure their ICT systems can withstand, respond to, and recover from disruptions and cyber threats. Applicable since January 2025, it sets specific requirements for ICT risk management, incident reporting, and security testing - including mandatory penetration testing.

Key facts:

- Applicable since: January 2025
- Pentesting required (Art. 24): annually
- Types of financial entity covered: 21

Who Does DORA Apply To?

DORA applies to virtually all regulated financial entities in the EU, including banks and credit institutions, investment firms, insurance and reinsurance companies, payment institutions, electronic money institutions, crypto-asset service providers, central securities depositories, trade repositories, credit rating agencies, and their critical ICT third-party service providers.

If your organisation holds an EU financial services licence - even a fintech with a payment institution or e-money licence - DORA applies to you.

The Five Pillars of DORA

1. ICT Risk Management (Articles 5-16)

Establish and maintain a comprehensive ICT risk management framework, including identification, protection, detection, response, and recovery capabilities.

2. ICT Incident Reporting (Articles 17-23)

Classify, report, and manage ICT-related incidents. Major incidents must be reported to competent authorities within strict timelines.

3. Digital Operational Resilience Testing (Articles 24-27)

Test ICT systems regularly to identify weaknesses. Article 24 requires annual testing including penetration testing. Articles 26-27 define TLPT for significant entities. This is where pentesting requirements live.

4. Third-Party Risk Management (Articles 28-44)

Manage risks from ICT third-party providers through contractual arrangements, monitoring, and oversight. Critical ICT providers are subject to direct EU oversight.

5. Information Sharing (Article 45)

Voluntary sharing of cyber threat intelligence between financial entities to strengthen collective resilience.

Article 24 vs. TLPT: Understanding the Two Testing Levels

            Article 24 (Annual Testing)                  Articles 26-27 (TLPT)
Who         All in-scope entities                        Significant entities only
Frequency   At least annually                            At least every 3 years
Scope       ICT systems supporting critical functions    Critical functions on live production
Method      Penetration testing                          Red team + threat intelligence
Tester      Internal or external                         Certified external testers

Important: SQUR supports DORA Article 24 annual testing requirements. SQUR does not provide TLPT (Articles 26-27) services. TLPT requires external threat intelligence providers, certified red team testers, and testing on live production systems - a fundamentally different engagement model. See our DORA compliance page for details on how SQUR supports Article 24.

DORA vs. NIS2: What's the Difference?

Both are EU cybersecurity regulations, but they serve different purposes. NIS2 applies broadly across critical sectors (energy, transport, health, digital infrastructure), while DORA is specific to financial services. DORA is considered lex specialis - the more specific law - so financial entities that comply with DORA are generally exempt from NIS2's corresponding requirements.

If you operate in financial services, DORA is your primary obligation. If you also provide services to non-financial critical sectors, NIS2 may apply to those activities separately.

Frequently Asked Questions

Who does DORA apply to?

Virtually all regulated financial entities in the EU - banks, investment firms, insurers, payment institutions, e-money institutions, crypto-asset service providers, and more. It also applies to their critical ICT third-party service providers.

When did DORA come into effect?

DORA entered into force on 16 January 2023 and became applicable on 17 January 2025. All in-scope entities must comply since January 2025.

What is the difference between Article 24 and TLPT?

Article 24 requires annual ICT testing including penetration testing for all in-scope entities. Articles 26-27 define TLPT - a more advanced requirement involving red team exercises informed by threat intelligence on live production systems, required every three years for significant financial entities only.

What are the penalties for non-compliance?

National competent authorities can impose administrative penalties including fines, public statements, and orders to cease specific conduct. Critical ICT providers can face fines up to 1% of average daily global turnover per day of non-compliance, for up to six months.

Is DORA the same as NIS2?

No. DORA is specific to financial services; NIS2 applies broadly across critical sectors. Financial entities under DORA are generally exempt from NIS2's corresponding requirements (lex specialis principle).

Related Terms

Penetration Testing, TLPT, NIS2, ISO 27001, Threat Intelligence, GDPR

Meet DORA Article 24 in 24 hours

Autonomous pentesting with evidence-based reports. From €1,995.
