Everything about DORA

In our cheat sheet, we provide a compact overview of the most important obligations arising from DORA, such as risk management, ICT contracting, incident reporting, and audit requirements. All valuable for executives, compliance and IT teams who want to prepare for the entry into force of DORA.

Download now
Visual voorkant DORA Cheat Sheet

What is DORA?

DORA is a regulation of the European Union ("EU") aimed to strengthening the digital resilience of financial institutions against cyber threats and ICT-related risks. It requires financial institutions to implement measures for risk management, security of ICT systems, and incident reporting. The goal is for all EU countries to follow the same rules, so that the financial system is better protected against digital disruptions.

Which organisations does DORA apply to?

DORA primarily applies to "financial entities". The term "financial entities" is very broad. For example, it includes banks, payment service providers, insurance companies, electronic money institutions, and investment firms.

In addition, DORA applies to providers of ICT services to financial institutions. DORA aims to make both financial institutions and their third-party ICT systems and services more resilient. The regulation can even apply to ICT service providers outside the EU. This is the case when they provide services to financial institutions established in an EU Member State that must comply with DORA.

L1853321

What are the five pillars of DORA?

DORA is divided into five pillars. Each pillar is crucial for creating a secure and reliable digital financial environment:

1. ICT Risk Management: organisations are required to have a robust ICT risk management framework.
2. Incident Management: organisations are required to report serious ICT-related incidents. On a voluntary basis, they can also report significant cyber threats.
3. Resilience testing: organisations are required to regularly test their digital operational resilience.
4. Third-party ICT Risk Management: organisations are required to establish a robust framework for managing risks from (critical) external ICT service providers.
5. Information sharing: organisations are encouraged to share information and knowledge regarding cyber threats and vulnerabilities within trusted financial communities.

DORA sanctions

Non-compliance with DORA can lead to substantial fines and other measures. Supervisory authorities such as DNB (De Nederlandsche Bank) have the power to:

  • Request documents and data, including conducting inspections and investigations

  • Require that violations are ceased (temporarily or permanently)

  • Publicly disclose violations, including the name of the organization

  • Impose fines on financial institutions

  • Request specific data traffic overviews from telecom services

Furthermore, EU Member States may apply criminal penalties in accordance with national legislation.

Critical ICT service providers risk periodic penalty payments of up to 1% of their average daily worldwide turnover. These penalties can be imposed on a daily basis until full compliance is achieved.

General questions about DORA

What is DORA's implementation timeline?
  • 17 January 2023: DORA entered into force.

  • 17 January 2024: First batch of Regulatory Technical Standards published.

  • 17 July 2024: Second and final batch of Regulatory Technical Standards published.

  • 17 January 2025: Full compliance with DORA and Regulatory Technical Standards required.

Which financial entities does DORA apply to?

DORA applies to the following financial entities:

  • Credit institutions

  • Payment institutions

  • Account information service providers

  • Electronic money institutions

  • Investment firms

  • Crypto-asset service providers

  • Central securities depositories

  • Central counterparties

  • Trading venues

  • Trade repositories

  • Alternative investment fund managers

  • Management companies

  • Data reporting service providers

  • Insurance and reinsurance undertakings

  • Insurance, reinsurance and ancillary insurance intermediaries

  • Institutions for occupational retirement provision

  • Credit rating agencies

  • Administrators of critical benchmarks

  • Crowdfunding service providers

  • Securitisation repositories

Is entity size relevant for DORA?

Yes, entity size is relevant for DORA. Certain types of financial institutions are subject to lighter requirements:

  • Micro-enterprises (a financial entity that is not a trading venue, central counterparty, trade repository, or central securities depository, employing fewer than 10 people with an annual turnover and/or balance sheet total not exceeding €2 million);

  • Small enterprises (a financial entity employing 10 to 50 people with an annual turnover and/or balance sheet total between €2 and €10 million); and

  • Medium-sized enterprises (a financial entity with 51 to 250 employees and an annual turnover not exceeding €50 million and/or an annual balance sheet total not exceeding €43 million).

How are DORA and NIS2 related?

DORA must be viewed in conjunction with the NIS2 Directive. NIS2 establishes obligations for cybersecurity risk management and incident reporting. NIS2 replaces the former European Network and Information Security Directive (NIS).

For this reason, there is also an overlap with the NIS2 Directive, as both contain similar obligations. However, the scope of the NIS2 Directive is broader. NIS2 applies to organizations in critical sectors, such as infrastructure, healthcare, digital infrastructure, and banking. The specific organizations that fall under this scope are specified in the annexes of NIS2. The NIS2 Directive also applies to a number of financial institutions. Therefore, the NIS2 Directive and DORA may both apply to your organization. When there is overlap or conflict between these two pieces of legislation, DORA takes prevails.

While DORA is a regulation and therefore directly applicable in all EU member states, the NIS2 Directive still needs to be transposed into national law (the Dutch Cybersecurity Act). Once the Cybersecurity Act is adopted, it will replace the current Network and Information Systems Security Act ("Wbni").

Would you like to receive more information?

Leave your details via the form. One of our legal advisors will contact you to arrange a no-obligation introductory meeting by phone, at our office, or at your location.

Submit your details