- DORA became applicable on 17 January 2025 with no transition grace period for financial firms
- Over 20 categories of financial entity must comply, including banks, insurers, and crypto asset service providers
- DORA requires contractual audit rights over all critical ICT third-party providers. Many existing contracts don't include these clauses
- Threat-Led Penetration Testing (TLPT) is mandatory every three years for significant entities
- The third-party ICT risk register is where most firms still have the largest compliance gap
Who DORA actually covers
DORA's scope is broader than most firms initially assume. Banks and investment firms are the obvious targets, but the regulation covers more than 20 distinct categories of financial entity. Payment institutions, e-money institutions, insurance and reinsurance undertakings, insurance intermediaries, crypto-asset service providers, credit rating agencies, and trade repositories all fall within scope. So do ICT third-party service providers themselves when designated as critical by the European Supervisory Authorities.
If your organisation provides services to financial entities, you may have DORA obligations even if you are not a regulated financial firm. Cloud providers, software vendors, and data analytics providers that serve in-scope financial firms are subject to oversight under the ICT third-party risk framework. The ESAs designate Critical Third-Party Providers (CTPPs), which then face direct oversight from EU-level supervisors.
UK firms operating within the EU, or providing services to EU financial entities, need to check whether their EU operations or arrangements bring them inside DORA's scope. The UK's own operational resilience framework (the FCA and PRA rules that took effect in March 2022) covers similar ground domestically, but is a separate regime.
The five pillars: what each one demands
DORA organises its requirements into five areas. Understanding what each one demands in practice is different from reading the headline description.
ICT risk management. Firms must maintain an ICT risk management framework that covers identification, protection, detection, response, and recovery. This is not a one-time document. DORA requires it to be reviewed after major incidents, after changes to your ICT environment, and at least annually. The framework must cover all ICT assets, be approved by the management body, and be tested.
Incident management and reporting. Firms must classify ICT-related incidents according to DORA's criteria (covering client impact, duration, geographic spread, and data loss) and report major incidents to competent authorities. Initial notification is required within four hours of classification, with a detailed report within 72 hours. The final report is due within one month. These timelines are separate from, and sometimes stricter than, GDPR breach notification requirements.
Digital operational resilience testing. All in-scope entities must conduct basic testing annually, including vulnerability assessments and network security testing. Significant entities face an additional requirement: Threat-Led Penetration Testing (TLPT) every three years. TLPT is a structured red team exercise conducted against live production systems using real threat intelligence. It is substantially more demanding than a standard penetration test.
ICT third-party risk management. All arrangements with ICT third-party service providers must be documented, with written contracts that meet DORA's contractual requirements. Firms must maintain a Register of Information covering all ICT arrangements, not just the critical ones. This register must be submitted to competent authorities on request.
Information sharing. Firms may share cyber threat intelligence with other financial entities. This is permissive rather than mandatory, but regulators expect engagement with information-sharing communities relevant to your sector.
Third-party ICT risk: where most firms fall short
Pillar four is where the largest compliance gaps sit. Most financial firms have some form of vendor risk management in place, usually covering procurement controls, contractual liability clauses, and periodic questionnaire-based assessments. DORA's requirements go further on all three dimensions.
The Register of Information requirement catches most firms unprepared. DORA requires a complete inventory of all ICT third-party arrangements, including subcontractors used by your direct suppliers to deliver services to you. Most organisations can account for their tier-one vendors. Tracking tier-two and tier-three dependencies is harder, and DORA expects it for critical arrangements.
The contractual requirements are specific. DORA Article 30 sets out what ICT contracts must contain: description of services, data locations, incident notification obligations from the provider, participation rights in audits and penetration tests, and provisions covering business continuity. If your existing contracts with cloud providers and software vendors pre-date January 2025, many will need to be renegotiated.
DORA requires that ICT contracts give you the right to audit the provider, or to appoint a third party to do so. Many hyperscaler cloud contracts offer pooled audit rights rather than individual access. Regulators are actively discussing how this interacts with DORA's requirements. If your current cloud contracts do not contain adequate audit rights, your supervisor will ask about it.
Concentration risk is addressed directly. DORA requires firms to identify and address concentration risk arising from reliance on a single ICT provider or a small number of providers across critical functions. If your payment processing, core banking platform, and disaster recovery all sit with the same cloud provider, that is a concentration risk you need to have assessed and documented.
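To make the register, subcontractor and concentration points concrete, here is an added example (not from the article, and not a DORA reporting template) that models a small Register of Information, checks each critical arrangement against the contract content listed above, and flags any provider, at any tier, that more than one critical function depends on. The clause key names, the `Arrangement` structure and the sample register are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Clause set taken from the contract content the article lists (Article 30 items
# plus the audit right); the key names are this example's own, not DORA's.
REQUIRED_CLAUSES = {
    "service_description", "data_locations", "incident_notification",
    "audit_and_test_participation", "business_continuity", "audit_right",
}

@dataclass
class Arrangement:
    provider: str                 # tier-one ICT provider
    function: str                 # business function the service supports
    critical: bool
    clauses: set = field(default_factory=set)
    subcontractors: list = field(default_factory=list)  # tier-two, tier-three ...

def missing_clauses(a: Arrangement) -> list:
    """Contract gaps against the required clause set (empty list = compliant)."""
    return sorted(REQUIRED_CLAUSES - a.clauses)

def concentration(register: list) -> dict:
    """Providers at any tier that more than one critical function depends on."""
    deps: dict = {}
    for a in register:
        if a.critical:
            for p in [a.provider, *a.subcontractors]:
                deps.setdefault(p, set()).add(a.function)
    return {p: sorted(f) for p, f in deps.items() if len(f) > 1}

def review(register: list) -> dict:
    """Findings a supervisor would ask about: contract gaps and concentration."""
    gaps = {f"{a.provider}/{a.function}": missing_clauses(a)
            for a in register if a.critical and missing_clauses(a)}
    return {"contract_gaps": gaps, "concentration": concentration(register)}

FULL = set(REQUIRED_CLAUSES)
# Constructed sample register: three critical functions end up on one cloud
# provider, one of them only through a SaaS vendor's subcontractor.
SAMPLE_REGISTER = [
    Arrangement("CloudCo", "payment_processing", True, FULL),
    Arrangement("CoreBankSaaS", "core_banking", True,
                FULL - {"audit_right"}, subcontractors=["CloudCo"]),
    Arrangement("CloudCo", "disaster_recovery", True,
                FULL - {"data_locations", "incident_notification"}),
    Arrangement("Printshop", "marketing_mailers", False, set()),
]

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_REGISTER).items():
        print(finding, detail)
```

The hidden tier-two dependency (core banking reaching CloudCo only via CoreBankSaaS) is what turns two direct arrangements into a three-function concentration finding.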
Resilience testing: what TLPT actually involves
Standard annual testing under DORA covers vulnerability assessments, scenario-based analyses, and network security tests. These are table-stakes requirements. TLPT is the more demanding obligation that applies to significant entities, defined as those with significant systemic importance based on size, interconnectedness, or cross-border activity.
TLPT differs from a standard penetration test in three ways. First, it is based on real threat intelligence about the specific techniques and tools used against financial firms in your geography and sector. Second, it tests live production systems, not test environments. Third, it requires advance coordination with your competent authority before the test begins.
The testing must be conducted by certified providers. In the EU, provider certification requirements are set by TIBER-EU, the European framework for threat intelligence-based ethical red-teaming. If your organisation has already participated in TIBER-NL (the Netherlands implementation) or TIBER-GB assessments, those exercises count toward DORA's TLPT requirement, subject to your competent authority's confirmation.
Three things to prioritise now
If your DORA programme is still in progress, these three areas will determine how your next supervisory conversation goes.
DORA enforcement sits with national competent authorities (DNB and AFM in the Netherlands, the FCA and PRA in the UK for their equivalent frameworks). DNB published its supervisory priorities for 2025 and 2026 with DORA implementation listed explicitly. Firms that can demonstrate a structured programme with documented evidence are in a materially stronger position than those treating the regulation as primarily a paperwork exercise.