DORA COMPLIANCE

Meet the EU’s Digital Operational Resilience Act (DORA) with confidence. Meroi Security helps financial entities and their ICT providers implement governance, incident reporting, resilience testing, and third-party risk requirements under Regulation (EU) 2022/2554.

Understanding the EU Digital Operational Resilience Act (DORA)

DORA—Regulation (EU) 2022/2554—creates a single EU framework for ICT risk management, incident reporting, resilience testing, and oversight of critical ICT third-party service providers for financial services. It applies from 17 January 2025 and is complemented by the Amending Directive (EU) 2022/2556, which aligns sectoral laws (e.g., CRD, PSD2, MiFID II). See also the European Commission overview of DORA.

DORA-logo

Key requirements of DORA

DORA sets out five pillars across the organisation and its ICT supply chain:

  • ICT Risk Management: Governance, identification, protection, detection, response and recovery; business continuity and crisis management (Ch. II of the Regulation).
  • ICT-related Incident Management & Reporting: Classification and reporting using common templates and timelines defined by implementing standards (Implementing Regulation (EU) 2024/1773).
  • Digital Operational Resilience Testing: Proportional testing, with advanced threat-led penetration testing (TLPT) for significant entities at least every 3 years (Delegated Regulation (EU) 2024/1774).
  • ICT Third-Party Risk Management: Contractual controls, registers of information and sub-outsourcing oversight (see Delegated Regulation (EU) 2024/1772).
  • Information Sharing: Conditions for voluntary intelligence sharing on cyber threats among financial entities (Ch. V).

Scope of DORA

DORA covers financial entities including: credit institutions, payment and e-money institutions, investment firms and market operators, central securities depositories (CSDs) and central counterparties (CCPs), trade repositories, insurance and reinsurance undertakings, credit rating agencies, administrators of critical benchmarks, crypto-asset service providers (when in scope of EU law), and more (Art. 2 of Regulation (EU) 2022/2554). It also establishes EU-level oversight of critical ICT third-party service providers (Ch. V, Sec. 2).

Incident reporting under DORA

Entities must classify ICT-related incidents and submit initial, intermediate, and final reports to national competent authorities using the common templates and criteria set by the ESAs via Implementing Regulation (EU) 2024/1773. The ESAs’ materials and updates are available on their official portals (e.g., ESAs DORA rules announcement).

Examples of entities in scope

  • Banks & Payments: Credit institutions; payment and e-money institutions.
  • Markets & Infrastructure: Investment firms, trading venues, CCPs, CSDs, trade repositories, data reporting service providers.
  • Insurance: Insurance and reinsurance undertakings; intermediaries where applicable.
  • Other regulated firms: Credit rating agencies; benchmark administrators; certain crypto-asset service providers under EU law; and their critical ICT providers under EU oversight.

(See Art. 2 and Annex references of Regulation (EU) 2022/2554.)

Digital operational resilience testing (incl. TLPT)

Proportionate testing is required for all entities. Significant firms must conduct threat-led penetration testing (TLPT) at least every three years, following detailed procedures in Delegated Regulation (EU) 2024/1774 and related ESA materials.

ICT third-party risk & oversight

Firms must maintain a comprehensive register of ICT contracts, ensure contract clauses required by DORA, and manage sub-outsourcing per Delegated Regulation (EU) 2024/1772. Critical ICT third-party providers may be designated and directly overseen at EU level under the Regulation (Ch. V, Sec. 2).

Why choose Meroi Security for DORA compliance

Meroi Security provides:

  • Regulation-aligned implementation: Policies, KRIs/KPIs, BCP/DR, and evidence mapped to DORA chapters and RTS/ITS.
  • Incident readiness: Playbooks and templates aligned to the ESA reporting package (initial/intermediate/final).
  • Testing & TLPT support: Scoping, red/purple team coordination, remediation validation per 2024/1774.
  • Third-party governance: Contract clause packs, register design, and critical provider oversight readiness.

How Meroi Security helps you achieve DORA compliance

Our services align with core DORA obligations:

  • Gap Analysis: Baseline against Ch. II–V and applicable RTS/ITS.
  • Resilience Operations: Incident & crisis workflows, continuity and recovery testing cadence.
  • Reporting Package: Processes and forms matching 2024/1773 templates.
  • TLPT Readiness: Target state, scenario design, control validation per 2024/1774.
  • ICT TPRM: Registers, clause library, sub-outsourcing review per 2024/1772.
  • Training: Board and role-based training tailored to DORA.

Contact us today for a free DORA compliance consultation

Build resilient operations and meet supervisory expectations. Contact us at [email protected]

ASSESS YOUR DORA COMPLIANCE

TODAY