DORA 2026: A practical guide for financial entities
The Digital Operational Resilience Act (DORA) has been mandatory since January 17, 2025. However, many financial entities are still far from full compliance. This article explains what DORA requires, how it affects each department, and what concrete steps you need to implement.
What is DORA?
DORA is the European regulation that establishes uniform requirements for the digital operational resilience of all EU financial entities. Its goal: to ensure that banks, insurers, fund managers, and payment service providers can withstand, respond to, and recover from severe ICT incidents.
Who does it apply to?
DORA applies to more than 22,000 entities in the EU, including:
- Banks and credit institutions
- Investment firms
- Insurance and reinsurance companies
- Fund managers (UCITS and AIFM)
- Payment and electronic money institutions
- Critical ICT service providers
The 5 pillars of DORA
| Pillar | Articles | Key requirement |
|---|---|---|
| 1. ICT risk management | Art. 5-16 | Governance framework to identify, protect, detect, respond and recover |
| 2. Incident management | Art. 17-23 | Classification, supervisor notification and coordinated response |
| 3. Resilience testing | Art. 24-27 | Periodic testing including TLPT (Threat-Led Penetration Testing) |
| 4. Third-party ICT risk | Art. 28-44 | Oversight of cloud providers and technology outsourcing |
| 5. Information sharing | Art. 45 | Voluntary threat intelligence sharing |
ICT incident classification
DORA introduces a mandatory classification system based on Delegated Regulation (EU) 2024/1772, Article 8:
| Category | Criteria | Notification deadline |
|---|---|---|
| Minor | Limited impact, clients not affected | Internal record only |
| Significant | Affects critical services or client data | Initial Report ≤ 4h |
| Major | Systemic impact, data loss, fraud | Initial ≤ 4h → Intermediate ≤ 72h → Final ≤ 1 month |
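As an added illustration of the table above (not code from this page, not BlueUPALM's engine, and not the regulation's actual quantitative thresholds), a small Python classifier that maps the table's wording to a category and lays out the reporting deadlines, including the calendar edge case where "1 month" lands on a shorter month. The signal names and the assumption that each later report's clock starts at the previous deadline are mine.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Category(str, Enum):
    MINOR = "minor"
    SIGNIFICANT = "significant"
    MAJOR = "major"

@dataclass(frozen=True)
class IncidentFacts:
    """Constructed, simplified signals mirroring the table's wording (not RTS thresholds)."""
    critical_service_affected: bool = False
    client_data_affected: bool = False
    systemic_impact: bool = False
    data_loss: bool = False
    fraud: bool = False

def classify(facts: IncidentFacts) -> Category:
    """Apply the table's criteria; the most severe matching row wins."""
    if facts.systemic_impact or facts.data_loss or facts.fraud:
        return Category.MAJOR
    if facts.critical_service_affected or facts.client_data_affected:
        return Category.SIGNIFICANT
    return Category.MINOR

def add_one_month(when: datetime) -> datetime:
    """Calendar-month step that clamps to the last valid day (31 Jan -> 28/29 Feb)."""
    year = when.year + when.month // 12
    month = when.month % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def notification_deadlines(category: Category, classified_at: datetime) -> dict:
    """Due times for the reporting chain in the table, keyed by report name.
    Assumption (not stated on the page): each later report's clock starts at the
    previous report's deadline, which gives the latest permissible schedule."""
    if category is Category.MINOR:
        return {}  # internal record only, nothing goes to the supervisor
    initial = classified_at + timedelta(hours=4)
    if category is Category.SIGNIFICANT:
        return {"initial": initial}
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial, "intermediate": intermediate,
            "final": add_one_month(intermediate)}
```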
Compliance checklist by department
🏦 Board / Senior Management
- [ ] Appoint a digital operational resilience officer
- [ ] Approve the ICT risk management framework
- [ ] Review the critical ICT providers registry
- [ ] Approve the annual resilience testing programme
🔒 Security / CISO
- [ ] Implement incident detection and classification system
- [ ] Configure supervisor notification chain (4h / 72h / 1 month)
- [ ] Execute resilience tests (at least annually)
- [ ] Document incident response procedures
💻 IT / Operations
- [ ] Inventory all ICT assets and their dependencies
- [ ] Implement continuous monitoring with automatic alerts
- [ ] Configure continuity mechanisms (spooling, failover)
- [ ] Document network architecture and data flows
📋 Compliance / Legal
- [ ] Review contracts with ICT providers (DORA clauses)
- [ ] Update risk register with ICT dimension
- [ ] Prepare report templates for the supervisor
- [ ] Coordinate with internal audit function
How BlueUPALM automates DORA compliance
BlueUPALM natively implements DORA requirements in its architecture:
| Requirement | Automation |
|---|---|
| Incident classification | Automatic engine based on DR 2024/1772 Art. 8 |
| Supervisor notification | ITS 2025/302 templates with 4h / 72h / 1 month timers |
| Operational resilience | Local spooling, circuit breaker, autonomous reconnection |
| Monitoring | WARNING (5 min) and CRITICAL (2h) alerts with escalation |
| Audit trail | Immutable cryptographic record of all actions |
📩 Want to assess your DORA compliance level?
We'll show you BlueUPALM configured for your sector with representative data.