EU regulation · financial ICT resilience

DORA

The Digital Operational Resilience Act (Regulation 2022/2554) applies across the EU financial sector and has been in force since January 2025. It is a regulation, so it applies directly, without national transposition.
Who it applies to
Banks, insurers, investment firms, payment and crypto-asset providers
Critical ICT third-party providers serving the financial sector
In force across the EU since January 2025
What it requires
The obligations, in plain terms.
01 ICT risk management
A documented framework for identifying, protecting, detecting, and recovering from ICT risk.
02 Incident reporting
Classification and reporting of major ICT-related incidents to regulators.
03 Resilience testing
A testing program, including threat-led penetration testing (TLPT) for significant entities.
04 Third-party risk
Oversight of ICT providers, including contractual requirements and concentration risk.
How Raptoric helps
We do the engineering work, not just the paperwork.
Threat-led pen testing
TLPT-style engagements that exercise your defenses the way DORA intends.
ICT risk assessment
We assess and document your ICT risk framework against the regulation.
Resilience testing
Detection and response testing tied to your reporting obligations.
Third-party review
Assessment of the ICT providers that carry your operational risk.
We deliver the testing and the evidence. Your regulator and the European supervisory authorities oversee compliance.
FAQ
Questions, answered
Who does DORA apply to?
Banks, insurers, investment firms, payment and crypto-asset providers, and their critical ICT providers across the EU. It is a regulation, so it applies directly without national transposition.
Is DORA already in force?
Yes, since January 2025. If you are in scope and not yet aligned, the gap is a live risk.
What does DORA require around testing?
ICT risk management, incident reporting, and resilience testing, including threat-led penetration testing for significant entities. We run the testing and produce the evidence.
Does DORA cover our third parties?
Yes. ICT third-party risk is a core pillar. We assess the provider exposure DORA expects you to manage.
Need to be ready for DORA?
A senior engineer will scope the work with you on a 30-minute call.
Book a scoping call or email contact@raptoric.com