DORA COMPLIANCE
Meet the EU’s Digital Operational Resilience Act (DORA) with confidence. Meroi Security helps financial entities and their ICT providers implement governance, incident reporting, resilience testing, and third-party risk requirements under Regulation (EU) 2022/2554.
Understanding the EU Digital Operational Resilience Act (DORA)
DORA—Regulation (EU) 2022/2554—creates a single EU framework for ICT risk management, incident reporting, resilience testing, and oversight of critical ICT third-party service providers for financial services. It applies from 17 January 2025 and is complemented by the Amending Directive (EU) 2022/2556, which aligns sectoral laws (e.g., CRD, PSD2, MiFID II). See also the European Commission overview of DORA.

Key requirements of DORA
DORA sets out five pillars across the organisation and its ICT supply chain:
- ICT Risk Management: Governance, identification, protection, detection, response and recovery; business continuity and crisis management (Ch. II of the Regulation).
- ICT-related Incident Management & Reporting: Classification and reporting using common templates and timelines defined by implementing standards (Implementing Regulation (EU) 2024/1773).
- Digital Operational Resilience Testing: Proportional testing, with advanced threat-led penetration testing (TLPT) for significant entities at least every 3 years (Delegated Regulation (EU) 2024/1774).
- ICT Third-Party Risk Management: Contractual controls, registers of information and sub-outsourcing oversight (see Delegated Regulation (EU) 2024/1772).
- Information Sharing: Conditions for voluntary intelligence sharing on cyber threats among financial entities (Ch. V).
Scope of DORA
DORA covers financial entities including: credit institutions, payment and e-money institutions, investment firms and market operators, central securities depositories (CSDs) and central counterparties (CCPs), trade repositories, insurance and reinsurance undertakings, credit rating agencies, administrators of critical benchmarks, crypto-asset service providers (when in scope of EU law), and more (Art. 2 of Regulation (EU) 2022/2554). It also establishes EU-level oversight of critical ICT third-party service providers (Ch. V, Sec. 2).
Incident reporting under DORA
Entities must classify ICT-related incidents and submit initial, intermediate, and final reports to national competent authorities using the common templates and criteria set by the ESAs via Implementing Regulation (EU) 2024/1773. The ESAs’ materials and updates are available on their official portals (e.g., ESAs DORA rules announcement).
Examples of entities in scope
- Banks & Payments: Credit institutions; payment and e-money institutions.
- Markets & Infrastructure: Investment firms, trading venues, CCPs, CSDs, trade repositories, data reporting service providers.
- Insurance: Insurance and reinsurance undertakings; intermediaries where applicable.
- Other regulated firms: Credit rating agencies; benchmark administrators; certain crypto-asset service providers under EU law; and their critical ICT providers under EU oversight.
(See Art. 2 and Annex references of Regulation (EU) 2022/2554.)
Digital operational resilience testing (incl. TLPT)
Proportionate testing is required for all entities. Significant firms must conduct threat-led penetration testing (TLPT) at least every three years, following detailed procedures in Delegated Regulation (EU) 2024/1774 and related ESA materials.
ICT third-party risk & oversight
Firms must maintain a comprehensive register of ICT contracts, ensure contract clauses required by DORA, and manage sub-outsourcing per Delegated Regulation (EU) 2024/1772. Critical ICT third-party providers may be designated and directly overseen at EU level under the Regulation (Ch. V, Sec. 2).
Why choose Meroi Security for DORA compliance
Meroi Security provides:
- Regulation-aligned implementation: Policies, KRIs/KPIs, BCP/DR, and evidence mapped to DORA chapters and RTS/ITS.
- Incident readiness: Playbooks and templates aligned to the ESA reporting package (initial/intermediate/final).
- Testing & TLPT support: Scoping, red/purple team coordination, remediation validation per 2024/1774.
- Third-party governance: Contract clause packs, register design, and critical provider oversight readiness.
How Meroi Security helps you achieve DORA compliance
Our services align with core DORA obligations:
- Gap Analysis: Baseline against Ch. II–V and applicable RTS/ITS.
- Resilience Operations: Incident & crisis workflows, continuity and recovery testing cadence.
- Reporting Package: Processes and forms matching 2024/1773 templates.
- TLPT Readiness: Target state, scenario design, control validation per 2024/1774.
- ICT TPRM: Registers, clause library, sub-outsourcing review per 2024/1772.
- Training: Board and role-based training tailored to DORA.
Contact us today for a free DORA compliance consultation
Build resilient operations and meet supervisory expectations. Contact us at [email protected]
