DORA (Digital Operational Resilience Act)
Five pillars of DORA
DORA is structured around five core requirements:
- ICT risk management – financial entities must establish and maintain a comprehensive ICT risk management framework, including identification, protection, detection, response, and recovery capabilities
- ICT-related incident reporting – significant incidents must be reported to the relevant competent authority using standardised templates and timelines
- Digital operational resilience testing – regular testing of ICT systems, including threat-led penetration testing (TLPT) for significant entities, aligned with the TIBER-EU framework
- ICT third-party risk management – contractual and operational oversight of ICT service providers, with specific requirements for critical third-party providers subject to direct EU oversight
- Information sharing – voluntary arrangements for financial entities to exchange cyber threat intelligence within trusted communities
DORA and the UK
The UK is not bound by DORA post-Brexit. However, the FCA and PRA have their own operational resilience requirements (PS21/3 and SS1/21) that share significant common ground with DORA. UK financial institutions are affected where they have subsidiaries or branches operating within the EU, they provide ICT services to EU financial entities, or EU-regulated clients require DORA-aligned assurance from their UK service providers.
The Bank of England’s CBEST framework for threat-led penetration testing aligns closely with DORA’s TLPT requirements and the TIBER-EU methodology it references.
Cyberfort Group and DORA
We support financial services organisations with ICT risk assessments, resilience testing, and third-party risk management aligned with both DORA requirements and UK PRA/FCA operational resilience rules. Our CHECK & CREST-qualified testers deliver the threat-led penetration testing that DORA mandates for significant entities. [Learn more about our cyber security review →](/services/cyber-security-review/)
Related terms
- [NIS2 Directive](/glossary/nis2-directive/) – the EU’s cross-sector cybersecurity legislation, complementary to DORA for financial services
- [Red teaming](/glossary/red-teaming/) – the adversarial simulation methodology underlying DORA’s threat-led penetration testing requirements
- [NCSC CAF](/glossary/ncsc-caf/) – the UK’s Cyber Assessment Framework, used alongside PRA/FCA rules for UK financial sector assessments
External references
- [Wikipedia: Digital Operational Resilience Act](https://en.wikipedia.org/wiki/Digital_Operational_Resilience_Act) – legislative overview
- [EUR-Lex: Regulation (EU) 2022/2554](https://eur-lex.europa.eu/eli/reg/2022/2554) – full legislative text
- [EBA: DORA Implementation](https://www.eba.europa.eu/regulation-and-policy/operational-resilience) – regulatory technical standards
- [Wikidata: Q115407702](https://www.wikidata.org/wiki/Q115407702) – canonical entity identifier
Frequently asked questions
Does DORA apply to UK financial institutions?
DORA does not directly apply in the UK post-Brexit. However, UK firms with EU subsidiaries, EU-regulated clients, or that provide ICT services to EU financial entities will face DORA compliance requirements through contractual obligations or local subsidiary regulations.
What is the difference between DORA and NIS2?
DORA is sector-specific to financial services and focuses on ICT operational resilience, with detailed requirements for third-party provider oversight and threat-led penetration testing. NIS2 is a cross-sector cybersecurity directive with broader but less granular requirements. Where a financial entity falls within the scope of both, DORA is treated as the sector-specific act (lex specialis) and its requirements take precedence: NIS2’s own cybersecurity risk management and incident reporting obligations do not apply to that entity, and NIS2 itself names DORA as such an act.
What testing does DORA require?
DORA requires all in-scope entities to run a regular digital operational resilience testing programme (Articles 24 and 25), covering tests such as vulnerability assessments, scenario-based testing, and penetration testing. Financial entities identified as significant by their competent authority must additionally carry out advanced threat-led penetration testing (TLPT) at least every three years (Article 26), conducted on live production systems that support critical or important functions. TLPT follows the TIBER-EU framework and must be performed by qualified testers meeting the requirements of Article 27; internal testers may only be used where the Regulation’s conditions are met and the competent authority has approved their use.
Contact Us
Cyberfort Ltd
Venture West,
Greenham Business Park, Thatcham,
Berkshire,
RG19 6HX
