DORA Regulation 2022/2554 — the five pillars for banking, fintech and insurance (with implementation timeline)
Digital Operational Resilience Act: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. Checklist and 2025-2027 deadlines.
DORA, Regulation (EU) 2022/2554, entered into force on 16 January 2023, with direct mandatory application from 17 January 2025. Unlike NIS2, DORA is a regulation, not a directive, so it applies directly to entities without waiting for national transposition. That came as a surprise to several European fintechs that assumed they had time until the national law was transposed.
In Romania, BNR and ASF are the competent authorities, and the first DORA on-site assessments started in Q2 2025. This article explains the five pillars and the real implementation timeline.
TL;DR
- DORA covers 21 categories of financial entities: banks, insurers, NBFIs, investment firms, electronic money institutions, crypto-asset service providers, market data providers.
- The five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk, information sharing.
- TLPT (Threat-Led Penetration Testing) is mandatory once every 3 years for significant entities.
- Fines can reach 1% of daily turnover for breaches.
- Real timeline: final RTS and ITS published in July 2024, BNR/ASF on-site reviews started Q2 2025.
Pillar 1 — ICT Risk Management Framework (Art. 5-16)
Articles 5-16 require the entity to maintain an ICT risk management framework that is:
- Proportionate to the size, complexity and risk profile of the entity.
- Documented in a policy approved by the management body.
- Reviewed annually and after any major incident.
The framework must cover identification, protection, detection, response and recovery — the NIST CSF pattern applied to the financial sector. A simplified regime (“micro entities”) with reduced requirements applies to entities with turnover below 100 million EUR, but the pillars remain the same.
Key operational point: the management body approves the digital resilience strategy and is personally liable for non-compliance. Board members must attend regular ICT risk training, similar to the NIS2 requirement (see our NIS2 article).
Pillar 2 — ICT-related Incident Reporting (Art. 17-23)
DORA introduces a three-step reporting procedure similar to NIS2 but with thresholds and definitions specific to the financial sector:
- Initial notification — within 4 hours after the incident is classified as “major”.
- Intermediate report — within 72 hours if the situation evolves significantly.
- Final report — within one month of the initial notification.
The definition of “major ICT incident” (Art. 18) includes thresholds quantified through the RTS: number of clients affected, duration of unavailability, financial losses, reputational impact. The final RTS adopted by the European Commission in June 2024 sets out the classification methodology.
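To make the three reporting windows above operational, here is an added example (not Lexnomia code, not from the regulation text) that computes the 4 h, 72 h and one-month deadlines from the classification time and lists which reports are overdue at a given moment. It assumes the final-report deadline is counted from the time the initial notification was actually sent, as the page states, and clamps "one month" to the last day of the next month.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows as described on this page (constructed helper, not part
# of any product): initial within 4 h of the "major" classification,
# intermediate within 72 h, final within one month of the initial notification.
INITIAL_WINDOW = timedelta(hours=4)
INTERMEDIATE_WINDOW = timedelta(hours=72)


def utc(y: int, m: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    """Small constructor for tz-aware UTC timestamps used in the example."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Same day of the next month, clamped to that month's last day
    (31 Jan -> 28/29 Feb) so the deadline never spills into the month after."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class Deadlines:
    initial: datetime
    intermediate: datetime
    final: Optional[datetime]  # unknown until the initial notification is sent


def compute_deadlines(classified_at: datetime,
                      initial_sent_at: Optional[datetime] = None) -> Deadlines:
    """classified_at: moment the incident was classified as major (tz-aware)."""
    return Deadlines(
        initial=classified_at + INITIAL_WINDOW,
        intermediate=classified_at + INTERMEDIATE_WINDOW,
        final=add_one_month(initial_sent_at) if initial_sent_at else None,
    )


def overdue_reports(d: Deadlines, now: datetime,
                    sent: frozenset = frozenset()) -> list:
    """Names of reports whose window has closed without the report being sent."""
    due = {"initial": d.initial, "intermediate": d.intermediate}
    if d.final is not None:
        due["final"] = d.final
    return [name for name, when in due.items() if name not in sent and now > when]
```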
For Romania, reporting is to BNR (banks) or ASF (insurance, capital markets). Lexnomia automates form completion with data extracted from the SIEM and the incident management system — see on-premise SIEM with local LLM.
Pillar 3 — Digital Operational Resilience Testing (Art. 24-27)
The most costly pillar for large entities. Article 24 requires an annual testing programme that includes:
- Vulnerability assessments, scenario-based tests, end-to-end testing.
- Open source software analysis, network security tests, penetration testing.
- Source code reviews, performance testing, compatibility testing.
Article 26 introduces TLPT (Threat-Led Penetration Testing) as a mandatory requirement for “significant” entities (banking institutions above 30 billion in assets, insurers above 1 billion gross written premium per year). TLPT must be:
- Conducted at least once every 3 years.
- Based on real threat intelligence scenarios, not generic ones.
- Coordinated by a national authority (BNR for Romania, following the TIBER-EU methodology).
- Performed by providers certified under the DORA TLPT RTS (published July 2024).
Typical cost of a TLPT for a mid-size banking institution: 200 000-400 000 EUR per exercise, equivalent to 0.003-0.007% of total assets.
Pillar 4 — ICT Third-Party Risk Management (Art. 28-44)
Articles 28-44 are the most detailed part of the regulation. Key requirements:
ICT-third-party register (Art. 28). The entity must maintain a register of all ICT providers including: legal identity, services provided, sub-contractors, critical dependencies, data processing location, applicable jurisdiction.
Third-party strategy (Art. 28(2)). Board-approved policy including selection criteria, due diligence, continuous monitoring, exit plan.
Mandatory contractual clauses (Art. 30). Exhaustive list of elements that must be included in any contract with a critical ICT provider: description of services, processing locations, service levels, incident notification terms, audit rights, testing assistance, exit plan, reporting to authority.
Critical ICT Third-Party Providers (CTPP) — Art. 31-44. The European Commission established the first official CTPP list through Decision 2025/420 on 26 March 2025. The list includes expected names (Microsoft, AWS, Google Cloud, Oracle, IBM) plus several European payment and custody providers. CTPPs are directly supervised by a joint EBA/EIOPA/ESMA Lead Overseer.
For SMBs delivering services to banks, this means going through an indirect audit — the bank must demonstrate that you, as its supplier, comply with Article 30. Without an SBOM, a transparent supply chain and a documented audit pack, access to the European banking sector becomes difficult.
Pillar 5 — Information Sharing (Art. 45)
Article 45 encourages (does not impose) participation in cyber threat information sharing mechanisms. In practice, this means FS-ISAC, ECCG, or participation in ENISA working groups. It is a “soft” requirement compared to the other four, but authorities monitor it during inspections as a sign of maturity.
Real implementation timeline
| Date | Event |
|---|---|
| 16 Jan 2023 | DORA enters into force. |
| 17 Jul 2024 | Final RTS and ITS adopted (incident reporting, TLPT, third-party register). |
| 17 Jan 2025 | Direct application of the regulation. All entities must be compliant. |
| 26 Mar 2025 | First CTPP list officially published. |
| 30 Apr 2025 | Deadline for first ICT third-party register submission to the authority. |
| Q2 2025 | First BNR/ASF on-site reviews. |
| 17 Jan 2026 | End of the tolerance period; sanctions become aggressive. |
| 17 Jan 2028 | First mandatory TLPT round for significant entities. |
Fines — up to 1% of daily turnover
Article 50 sets the maximum sanctions applicable by national authorities. For persistent breaches, the authority may impose an administrative fine of up to 1% of daily global turnover, recurring for the duration of the breach. For a bank with 5 billion EUR annual turnover, that means 137 000 EUR per day.
In addition, Article 35 allows the European Lead Overseer to apply periodic penalty payments to CTPPs of up to 1% of daily global turnover, capped at 6 months.
How Lexnomia helps
Lexnomia includes a DORA module that:
- Automatically generates the ICT third-party register in the EBA ITS-2024/79 format.
- Maps Article 30 contractual clauses to the existing contract inventory.
- 4h/72h/30-day notification workflow with pre-filled templates for BNR and ASF.
- TLPT readiness checklist with automated evidence collection.
- Cross-mapping with NIS2 and ISO 27001:2022 for dual-regulated entities.
See also the CAI-AUTH page for the live DORA Art. 19 webhook integrated into the IdP.
Related articles
- NIS2 implementation — operational checklist for essential and important entities
- ISO/IEC 27001:2022 — migrating from the 2013 edition with the 93 controls reorganised
- Cyber Resilience Act (Regulation 2024/2847) — obligations for products with digital elements
- Why a Romanian law firm cannot use Auth0 — Schrems II
- Pillar Lexnomia — the sovereign EU compliance platform
Next steps
For a DORA readiness assessment tailored to your sector, the Lexnomia page holds the DORA module and implementation plan, or get in touch for a technical discussion.