Digital Operational Resilience Act (EU) 2022/2554
DORA applies to financial entities in the EU and establishes requirements for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management.
Key requirements
How Acuna helps
Map DORA requirements across your ICT systems and financial entity scope.
Implement ICT risk controls, assign ownership, maintain the ICT asset register.
Run ICT risk assessments, manage third-party ICT providers, track incidents.
Prepare evidence for NCA reporting, manage TLPT findings, corrective actions.
FAQ
DORA applies to credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance companies, and ICT third-party service providers operating in the EU.
Threat-Led Penetration Testing (TLPT) is a mandatory advanced testing requirement for significant financial entities. It simulates real-world attacks against live production systems, using threat intelligence on the adversaries that actually target the entity to shape the scenarios.
Acuna's integrated Supplier Shield module manages the full ICT third-party lifecycle from onboarding assessments to continuous monitoring, meeting DORA Chapter V requirements.
Major ICT-related incidents must be reported to the National Competent Authority with an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month.
DORA complements existing sector regulation and the guidance of the European Supervisory Authorities (EBA, EIOPA, ESMA). Acuna's cross-framework mapping allows you to manage DORA alongside ISO 27001 and sector-specific requirements without duplicating controls or evidence.
Related answers
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to financial entities in the EU. It establishes requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for significant entities), ICT third-party risk management, and information sharing on cyber threats. DORA became applicable on 17 January 2025. Acuna covers DORA requirements across all four panes: framework mapping in Comply, ICT controls and asset inventory in Implement, incident and third-party management in Operate, and TLPT findings and corrective actions in Assure.
DORA Chapter IV requires financial entities to maintain a digital operational resilience testing programme. This includes vulnerability assessments, network security testing, gap analysis, and software security reviews. Significant entities must also conduct threat-led penetration testing (TLPT) at least every three years, simulating real-world attacks against live production systems using threat intelligence. TLPT must be performed by qualified testers, and the results must be reported to the National Competent Authority. Acuna tracks TLPT planning, findings, and corrective actions in the Assure pane.
Get access and our team will walk you through the DORA implementation in Acuna.