name: eu-dora-compliance description: Implement DORA Regulation (2022/2554) digital operational resilience for financial entities — ICT risk management, incident reporting, resilience testing, third-party risk. version: "1.0.0" last-updated: "2026-04-17" model_tested: "claude-sonnet-4-6" category: compliance platforms: [claude-code, codex, gemini-cli, cursor, copilot, windsurf, cline] language: en geo_relevance: [eu] priority: critical dependencies: mcp: [] skills: [eu-regulatory-router] apis: [] data: [] update_sources:
- url: "https://eur-lex.europa.eu/eli/reg/2022/2554/oj" check_frequency: "quarterly" last_checked: "2026-04-17" license: MIT
EU DORA Compliance (Digital Operational Resilience Act)
DISCLAIMER: This skill provides guidance only. It does not constitute legal or financial advice. Always verify with qualified professionals.
When to Use
- Building software for financial institutions in the EU
- Assessing ICT risk management for fintech
- Setting up ICT incident reporting for financial entities
- Designing resilience testing programs
- Managing third-party ICT service provider relationships
Scope — Who Is Affected?
DORA applies to virtually all EU financial entities:
| Category | Entities |
|---|---|
| Banking | Credit institutions, payment institutions, e-money institutions |
| Investment | Investment firms, trading venues, central securities depositories |
| Insurance | Insurance/reinsurance undertakings, intermediaries |
| Pension | IORPs (Institutions for Occupational Retirement Provision) |
| Crypto | Crypto-asset service providers (MiCA-regulated) |
| Infrastructure | CCPs, trade repositories, securitization repositories |
| Other | Credit rating agencies, crowdfunding providers, data reporting services |
| ICT providers | Third-party ICT service providers to the above (critical designation) |
5 Pillars of DORA
Pillar 1: ICT Risk Management (Articles 5-16)
Establish an ICT risk management framework:
- Identify all ICT assets, risks, dependencies
- Protect through security policies, access controls, encryption
- Detect anomalies and incidents via continuous monitoring
- Respond with incident response and crisis communication plans
- Recover with backup policies, restoration procedures, lessons learned
Pillar 2: ICT Incident Reporting (Articles 17-23)
Classify and report major ICT-related incidents:
| Criterion | Threshold for Major |
|---|---|
| Clients affected | > 10% of clients or significant clients |
| Duration | > 2 hours for critical services |
| Geographic spread | > 2 member states |
| Data loss | Integrity, confidentiality, or availability compromised |
| Economic impact | Material financial loss |
| Criticality of services | Core banking, payment processing, trading |
Reporting timeline:
- Initial notification: within 4 hours of classification as major
- Intermediate report: within 72 hours
- Final report: within 1 month
Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
| Test Type | Frequency | Who |
|---|---|---|
| Vulnerability assessments | At least annually | All entities |
| Network security testing | At least annually | All entities |
| Scenario-based testing | At least annually | All entities |
| Threat-Led Penetration Testing (TLPT) | At least every 3 years | Significant entities only |
TLPT must be conducted by qualified external testers following the TIBER-EU framework.
Pillar 4: Third-Party ICT Risk (Articles 28-44)
For all ICT third-party service providers:
- Maintain a register of all ICT service agreements
- Conduct pre-contract due diligence
- Include mandatory contractual clauses (audit rights, exit strategies, data location)
- Monitor ongoing compliance
- Have exit plans for critical providers
Critical ICT third-party providers (designated by ESAs) face direct EU oversight.
Pillar 5: Information Sharing (Article 45)
Financial entities may participate in voluntary information-sharing arrangements on:
- Cyber threat intelligence
- Indicators of compromise
- Tactics, techniques, and procedures (TTPs)
- Security alerts and configuration tools
Key Date
- 17 January 2025: DORA fully applicable
What This Skill Does NOT Do
- Does not conduct penetration testing or TLPT
- Does not configure ICT security tools
- Does not manage third-party provider contracts
- Does not replace compliance officer or legal counsel