The DORA regulation (Digital Operational Resilience Act, EU Regulation 2022/2554) has been fully applicable since 17 January 2025. It establishes a harmonised European framework for digital operational resilience in the financial sector, covering a wide range of financial entities listed in Article 2(1) as well as their ICT service providers. For UK and Swiss banks, securities firms, and ICT providers based outside the EU that serve European clients, DORA is not a regulation to observe from a distance: its impact is indirect but concrete, via commercial contracts with EU entities, EU subsidiaries of UK or Swiss groups, and the critical third-party designation regime (Article 36).
This guide covers the full set of requirements: the five pillars, the entities concerned under Article 2, the application timeline, sanctions, governance, and the practical articulation with FINMA Circular 23/01, the UK operational resilience framework, and the NIS 2 directive. It is intended for CISOs, compliance officers, risk managers and executives at financial institutions and ICT providers who need to demonstrate compliance in 2026.
At Abilene Academy, the only PECB Titanium Partner in Switzerland, we have trained more than 2,500 professionals in 120 countries, with a 99% pass rate on PECB exams. The pages that follow reflect what our trainers see in the field: what actually blocks entities exposed to DORA in 2026, and what makes the difference between paper compliance and audit-ready compliance.
DORA full application date
17 January 2025. Source: EU Regulation 2022/2554, Article 64. Since this date, the full set of requirements of the regulation and the associated technical standards are fully applicable across all 27 EU member states.
99% pass rate on PECB exams
Pass rate of Abilene Academy candidates on PECB certification exams (verified internal data, 2025). Abilene Academy is the only PECB Titanium Partner in Switzerland.
What is the DORA regulation?
DORA is European Regulation (EU) 2022/2554 of 14 December 2022 that imposes a harmonised framework for digital operational resilience on the financial sector. Applicable since 17 January 2025, it unifies for the first time ICT risk management requirements across the 27 member states of the European Union.
DORA: Digital Operational Resilience Act
European regulation that harmonises the digital operational resilience requirements for financial entities and their ICT providers, applicable since 17 January 2025 across all 27 EU member states. Source: Regulation (EU) 2022/2554 of the European Parliament and of the Council, 14 December 2022.
Before DORA, the digital resilience of financial entities was governed by a patchwork of sectoral texts, such as CRD for banks, Solvency II for insurers, MiFID II for markets, and by heterogeneous national requirements. Each regulator had its own interpretation, each cross-border entity juggled parallel frameworks. DORA closes this fragmentation.
The text is part of the European Union's Digital Finance Package, alongside the MiCA regulation on crypto-assets and the regulation on the DLT pilot regime. It is the cornerstone of the European financial cybersecurity strategy.
One point worth retaining to understand what follows: DORA is a regulation, not a directive. It has the force of law directly in each member state, without transposition. States can add stricter national requirements (gold plating), but they cannot dilute or delay the text.
Who is concerned by the DORA regulation?
DORA applies to financial entities listed in Article 2(1) of the regulation: credit institutions, investment firms, insurers, asset managers, payment institutions, crypto-asset service providers, among others; the regulation also covers their third-party ICT service providers. An ICT provider is only subject to direct EU supervision if it is designated a critical third-party provider (CTPP) by the European authorities; the others remain framed via the contractual relationship with their financial client.
Article 2(1) of the regulation lists the entities concerned under letters (a) to (u). The scope notably includes credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, authorised crypto-asset service providers (MiCA regime), central securities depositories, central counterparties, trading venues, trade repositories, alternative investment fund managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and third-party ICT service providers.
The exact wording, including cross-references to associated European texts (CRD, Solvency II, MiFID II, MiCA, AIFMD, UCITS, etc.), is set out in the official text of the regulation; that text is authoritative for determining the status of any given entity. Some letters group several sub-categories together and the precise qualification of an entity calls for a case-by-case analysis.
This last point is decisive. A cloud provider such as AWS, Azure or Google Cloud, a trading software vendor, or a data centre operator can fall within DORA's scope when it provides services to a European financial entity. Two levels of involvement coexist: providers designated as critical (CTPPs) by the European supervisory authorities are subject to direct supervision by a European Lead Overseer; the other providers are framed via the mandatory contractual relationship with their financial client (audit clauses, data location, exit strategies).
Proportionality principle
Obligations are calibrated according to the size, risk profile and complexity of the entity. Microenterprises benefit from a simplified regime for the ICT risk management framework, useful to know for early-stage fintechs and small insurance entities.
Extraterritorial reach: the case of non-EU jurisdictions (Switzerland and the United Kingdom)
Neither Switzerland nor the United Kingdom is a member of the European Union. FINMA and the FCA/PRA do not apply DORA directly. And yet, DORA effectively imposes itself on a significant part of both the Swiss and UK financial sectors, for three reasons.
Article 36 of the regulation: ICT providers established outside the EU that supply critical services to European financial entities can be designated as critical third-party ICT service providers (CTPPs, Critical Third Party Providers) and subject to direct supervision by a European Lead Overseer. A Swiss or UK cloud provider or software vendor serving a German or French bank can find itself under direct European regulation.
EU subsidiaries of UK and Swiss banks: a UK or Swiss bank operating an authorised subsidiary in a member state (Luxembourg, France, Germany, Ireland) must apply DORA to that subsidiary. If ICT services are mutualised from UK or Swiss headquarters, DORA requirements mechanically flow back to the parent.
Contractual requirements imposed by EU clients: European financial entities must integrate DORA's mandatory contractual clauses into their contracts with all of their ICT providers, including UK and Swiss ones. Audit rights, data location, exit strategies, reporting obligations: a non-EU ICT provider that wants to keep its EU clients will have to renegotiate.
Operational risk in 2026
UK and Swiss entities are discovering in 2026, when they renegotiate with their European clients, that they are 12 to 18 months behind on DORA contractual clauses. The cost of catching up systematically exceeds the cost of planned compliance. Starting the exposure analysis now avoids this scenario.
The UK operational resilience framework: parallel, not equivalent
The United Kingdom developed its own operational resilience framework before DORA: the PRA Supervisory Statement SS1/21 ("Operational resilience: Impact tolerances for important business services"), the FCA Policy Statement PS21/3, and the Bank of England's complementary framework for financial market infrastructures, all in force since March 2022 with full implementation by 31 March 2025. The conceptual approach is similar to DORA's (important business services, impact tolerances, severe but plausible scenarios, third-party dependencies), but the texts are not equivalent.
For a UK group with EU subsidiaries, the two frameworks must be applied in parallel. The internal challenge is to align ICT risk management on a common control baseline, typically ISO 27001, and then layer the specific obligations of each text on top. Read the PRA's framework and DORA together, not as substitutes.
DORA application timeline
DORA was adopted on 14 December 2022, published in the Official Journal of the EU on 27 December 2022, and entered into force on 16 January 2023. The application date for obligations was set at 17 January 2025. Since this date, the full set of requirements of the regulation and the associated technical standards are fully applicable.
Figure: vertical timeline of DORA milestones from 2022 to 2026+ (adoption, OJEU publication, entry into force, transitional period, second RTS/ITS package, full application, effective supervision, TLPT cycles).
By 2026, the preparation phase is over. The competent authorities (ACPR and AMF in France, BaFin in Germany, CSSF in Luxembourg, the Central Bank of Ireland, the Bank of Italy, CNB in the Czech Republic) are checking effective compliance. The first European supervisory review is expected during the year.
The five pillars of the DORA regulation
DORA is structured into 9 chapters and 64 articles, whose operational obligations are organised around five pillars: ICT risk management, incident reporting, resilience testing, ICT third-party risk management, and information sharing on cyber threats. Each pillar imposes a specific set of obligations on financial entities and their providers.
Figure: grid diagram of the five DORA pillars, with the article range and an icon for each pillar.
Pillar 1: ICT risk management (Articles 5 to 16)
This is the foundation of the regulation. Financial entities must put in place a complete, documented and regularly updated ICT risk management framework, validated by the management body. This framework must cover five essential functions: identification (mapping ICT assets, critical functions, third-party dependencies; Article 8 requires an annual review); protection (access controls, encryption, patch management, segmentation; requirements clarified by Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024); detection (continuous monitoring, anomaly detection, real-time alerts); response and recovery (incident plans, ICT continuity, disaster recovery); and learning and evolution (systematic post-incident review). An ICT risk management function must be designated, with a sufficient level of independence from operational functions.
Pillar 2: ICT incident reporting (Articles 17 to 23)
Entities must detect, classify and notify their ICT incidents under a harmonised regime. Classification is based on precise criteria defined by the RTS: number of clients affected, duration of the incident, geographic spread, data losses, economic impact, criticality of the services hit. For an incident classified as major, the reporting process is in three stages: initial notification within very short deadlines after classification (typically 4 hours), intermediate notification with consolidated analysis, then final report once the incident is resolved. Entities must also keep a register of all ICT incidents, including non-major ones, available to the competent authority.
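To make the classify-then-notify sequence concrete, here is an added Python example; it is not code from the page, the regulation or the technical standards. It scores an incident against the six criteria the paragraph names, starts the reporting clock at classification time, derives the three notification deadlines, and keeps every incident, major or not, in a register that can be shown to the authority. The thresholds, the "two criteria make it major" rule, and the intermediate and final offsets are constructed placeholders; only the 4-hour initial notification comes from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed materiality thresholds standing in for the RTS criteria the text
# names; the real values are in the technical standards, not on this page.
MAJOR_THRESHOLDS = {
    "clients_affected": 1_000,        # clients hit by the incident
    "duration_hours": 2.0,            # length of the service disruption
    "countries_affected": 2,          # geographic spread
    "economic_impact_eur": 100_000,   # direct economic impact
}
MAJOR_MIN_CRITERIA = 2   # constructed rule: major when this many criteria hit


@dataclass
class IctIncident:
    incident_id: str
    detected_at: datetime
    clients_affected: int = 0
    duration_hours: float = 0.0
    countries_affected: int = 1
    economic_impact_eur: float = 0.0
    data_loss: bool = False
    critical_service_hit: bool = False
    classified_at: Optional[datetime] = None
    is_major: bool = False
    criteria_hit: list = field(default_factory=list)
    notifications_sent: list = field(default_factory=list)   # stages already filed


def evaluate_criteria(inc: IctIncident) -> list:
    """Names of the classification criteria this incident meets."""
    hits = [name for name, threshold in MAJOR_THRESHOLDS.items()
            if getattr(inc, name) >= threshold]
    if inc.data_loss:
        hits.append("data_loss")
    if inc.critical_service_hit:
        hits.append("critical_service_hit")
    return hits


def classify(inc: IctIncident, at: datetime) -> IctIncident:
    """Classify the incident; the classification time starts the reporting clock."""
    inc.criteria_hit = evaluate_criteria(inc)
    inc.is_major = len(inc.criteria_hit) >= MAJOR_MIN_CRITERIA
    inc.classified_at = at
    return inc


def reporting_deadlines(inc: IctIncident, initial_hours: int = 4,
                        intermediate_hours: int = 72, final_days: int = 30) -> dict:
    """Deadlines of the three-stage process for a major incident. The 4-hour
    initial notification follows the text; the intermediate and final offsets
    are constructed defaults to be replaced by the values in the RTS."""
    if not inc.is_major or inc.classified_at is None:
        return {}
    initial = inc.classified_at + timedelta(hours=initial_hours)
    intermediate = initial + timedelta(hours=intermediate_hours)
    final = intermediate + timedelta(days=final_days)
    return {"initial": initial, "intermediate": intermediate, "final": final}


class IncidentRegister:
    """Register of all ICT incidents, major or not, kept for the authority."""

    def __init__(self):
        self._incidents = {}

    def record(self, inc: IctIncident) -> None:
        self._incidents[inc.incident_id] = inc

    def all(self) -> list:
        return list(self._incidents.values())

    def major(self) -> list:
        return [i for i in self._incidents.values() if i.is_major]

    def overdue_notifications(self, now: datetime) -> list:
        """(incident_id, stage) pairs whose deadline has passed without filing."""
        late = []
        for inc in self.major():
            for stage, due in reporting_deadlines(inc).items():
                if now > due and stage not in inc.notifications_sent:
                    late.append((inc.incident_id, stage))
        return late


def demo() -> dict:
    """Two constructed incidents: a cross-border outage and a minor glitch."""
    t0 = datetime(2026, 3, 2, 9, 15)
    reg = IncidentRegister()
    outage = IctIncident("INC-0001", t0, clients_affected=25_000, duration_hours=3.5,
                         countries_affected=3, critical_service_hit=True)
    glitch = IctIncident("INC-0002", t0, clients_affected=12, duration_hours=0.25)
    reg.record(classify(outage, t0 + timedelta(minutes=45)))   # clock starts 10:00
    reg.record(classify(glitch, t0 + timedelta(minutes=20)))
    return {
        "major_ids": [i.incident_id for i in reg.major()],
        "outage_criteria": outage.criteria_hit,
        "register_size": len(reg.all()),
        "initial_due": reporting_deadlines(outage)["initial"].isoformat(),
        "overdue_at_15_15": reg.overdue_notifications(t0 + timedelta(hours=6)),
    }
```

The design point worth keeping even after the placeholder thresholds are swapped for the RTS values: the clock runs from classification, not from detection, so the register has to store both timestamps, and the non-major glitch stays in the register even though it generates no notification.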
Pillar 3: Digital operational resilience testing (Articles 24 to 27)
Two levels of testing coexist. Baseline tests are mandatory for all entities, at least once a year: vulnerability assessments, network security tests, gap analyses, source code reviews, performance tests, scenario-based tests, physical security reviews.
TLPT: Threat-Led Penetration Testing
Advanced penetration tests based on threat intelligence, inspired by the TIBER-EU framework. Mandatory only for entities designated by competent authorities on a systemic-importance basis, and then at least once every three years. Source: Regulation (EU) 2022/2554, Articles 26 and 27.
TLPT tests simulate realistic attacks carried out by qualified external testers against the entity's critical functions. The results must be communicated to the competent authority and lead to remediation plans that are tracked through to completion.
Pillar 4: Management of ICT third-party risk (Articles 28 to 44)
This is the most striking innovation of the regulation and the section that, for the first time, extends European regulatory supervision beyond financial entities themselves to their technology providers. Two frameworks coexist.
ICT third-party risk management framework (applicable to all entities): risk assessment before any outsourcing, integration of mandatory contractual clauses in ICT contracts (on-site audit rights, data location, exit strategies, continuity guarantees), and maintenance of a register of contractual arrangements transmitted regularly to the competent authority. Specialised platforms such as Supplier Shield industrialise the maintenance of this register, criticality mapping, and continuous monitoring of DORA clauses in ICT contracts.
CTPP: Critical Third Party Provider
Third-party ICT service provider designated as critical by the European supervisory authorities (EBA, EIOPA, ESMA), subject to direct supervision by a European Lead Overseer with on-site inspection powers, recommendations and periodic penalty payments. Source: Regulation (EU) 2022/2554, Articles 31 to 35.
Direct supervision framework for critical ICT providers (CTPPs): the Lead Overseer can carry out on-site inspections, formulate recommendations, and, as a last resort, require financial entities to suspend or terminate their contractual relationships with a non-compliant provider. For entities already using the Supplier Shield platform for their third-party risk management, DORA makes the mapping, criticality and contract review requirements enforceable, and therefore auditable.
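An added example, not the page's, Supplier Shield's or any vendor's code, of what the register of contractual arrangements has to support in practice. Each arrangement records the provider, its country of establishment, the service, whether it supports a critical function, and which of the mandatory contract contents the text lists are present; the register then reports clause gaps with critical contracts first, concentration per provider, and critical services sourced from outside the EU (the population the CTPP and extraterritorial discussion is about). Provider names, contract ids and the clause labels are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Mandatory contract content named in the text; these labels are constructed
# for this example and are not the RTS register field names.
MANDATORY_CLAUSES = ("audit_rights", "data_location", "exit_strategy",
                     "continuity_guarantees", "reporting_obligations")

# ISO 3166-1 alpha-2 codes of the 27 EU member states.
EU_27 = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
         "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
         "SI", "ES", "SE"}


@dataclass
class Arrangement:
    contract_id: str
    provider: str
    provider_country: str          # where the provider is established
    service: str
    supports_critical_function: bool
    clauses_present: set = field(default_factory=set)

    def missing_clauses(self) -> list:
        """Mandatory clauses the contract does not yet contain, in fixed order."""
        return [c for c in MANDATORY_CLAUSES if c not in self.clauses_present]


class ContractRegister:
    """Register of ICT contractual arrangements with the checks an entity
    needs before transmitting it to the competent authority."""

    def __init__(self):
        self._rows = []

    def add(self, arrangement: Arrangement) -> None:
        self._rows.append(arrangement)

    def gap_report(self) -> list:
        """Contracts missing at least one mandatory clause, critical ones first,
        then by contract id, as (contract_id, provider, missing_clauses)."""
        gaps = [a for a in self._rows if a.missing_clauses()]
        gaps.sort(key=lambda a: (not a.supports_critical_function, a.contract_id))
        return [(a.contract_id, a.provider, a.missing_clauses()) for a in gaps]

    def concentration(self) -> dict:
        """Number of critical-function contracts per provider: the input to the
        concentration-risk assessment the text calls for."""
        return dict(Counter(a.provider for a in self._rows
                            if a.supports_critical_function))

    def non_eu_critical_providers(self) -> list:
        """Providers established outside the EU that support a critical
        function: the ones exposed to the extraterritorial and CTPP regime."""
        names = {a.provider for a in self._rows
                 if a.supports_critical_function and a.provider_country not in EU_27}
        return sorted(names)

    def export_rows(self) -> list:
        """Flat rows in the shape a reporting template could be filled from."""
        return [{"contract_id": a.contract_id, "provider": a.provider,
                 "country": a.provider_country, "service": a.service,
                 "critical": a.supports_critical_function,
                 "missing_clauses": a.missing_clauses()} for a in self._rows]


def build_demo_register() -> ContractRegister:
    """Constructed sample arrangements; names, countries and ids are invented."""
    reg = ContractRegister()
    full = set(MANDATORY_CLAUSES)
    reg.add(Arrangement("C-001", "Nimbus Cloud", "CH", "core banking hosting", True,
                        full - {"exit_strategy"}))
    reg.add(Arrangement("C-002", "Nimbus Cloud", "CH", "backup storage", True, full))
    reg.add(Arrangement("C-003", "Ledgerly", "GB", "trading software", True,
                        {"data_location"}))
    reg.add(Arrangement("C-004", "Papyrus Docs", "FR", "e-signature", False, full))
    return reg


if __name__ == "__main__":
    reg = build_demo_register()
    for row in reg.gap_report():
        print(row)
    print(reg.concentration(), reg.non_eu_critical_providers())
```

In the constructed data the Swiss cloud provider appears twice as a critical-function supplier, which is exactly the concentration a renegotiation plan should start from, and the UK software vendor's contract is missing four of the five mandatory contents; a real register would carry the RTS field set and be exported in the authority's template rather than as plain dicts.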
Pillar 5: Information sharing on cyber threats (Article 45)
Fifth pillar, lighter on the obligations side: entities are encouraged to share intelligence and information on cyber threats among themselves, within trusted communities, in compliance with GDPR and competition rules. Sharing is voluntary, but the regulation provides a clear legal framework for the exchanges.
DORA vs FINMA Circulars 23/01 and 18/03: what changes for Swiss banks
FINMA Circular 2023/1 "Operational risks and resilience – banks" (FINMA 23/01), in force since 1 January 2024, partly covers the same ground as DORA, but with a distinct scope and modalities. FINMA Circular 2018/3 on outsourcing (FINMA 18/03) completes the Swiss framework. In practice, Swiss financial institutions active in the EU must comply with both frameworks in parallel.
The comparison below is a practical reading aimed at Swiss compliance officers exposed to both frameworks. It does not constitute a legal opinion and does not replace a case-by-case analysis: the FINMA circulars and the DORA regulation remain distinct texts whose precise articulation depends on the entity's status, the services provided, and the interpretation of the authorities.
Synthetic comparison: FINMA Circular 23/01, FINMA Circular 18/03, DORA Regulation. The comparison table is organised along nine dimensions: legal nature, entry into force, entities covered, ICT providers, risk management, incident reporting, resilience testing, sanctions, and geographical reach.
For a Swiss bank with purely domestic activities, Circular 23/01 is sufficient. For a Swiss bank with an authorised EU subsidiary, or for a Swiss ICT provider serving European clients, dual FINMA + DORA compliance is the norm in 2026. The same logic applies to UK firms with EU subsidiaries: PRA SS1/21 covers UK operations, DORA covers EU operations.
DORA vs NIS 2: the lex specialis principle
For financial entities falling under both the DORA regulation and the NIS 2 directive, DORA prevails under the lex specialis principle: the special law overrides the general law. A bank or insurer applying DORA does not have to apply NIS 2 in the areas covered by DORA, but NIS 2 may remain relevant for aspects not covered by DORA (broader supply chain security, certain data security obligations).
The two texts deal with cybersecurity and resilience, and their scopes partially overlap. The European legislator anticipated the conflict and resolved it: for financial entities, DORA is the sectoral legislation of reference. NIS 2 obligations that would be redundant with DORA are replaced by DORA.
In practice, this means:
- For a bank: DORA applies, not NIS 2, on ICT risks, incident management, resilience testing, ICT third-party management.
- For a non-financial ICT provider: NIS 2 applies if it meets the directive's criteria (size, essential or important sector).
- For an ICT provider serving an EU bank: potentially both frameworks apply, with different obligations depending on the end client.
DORA sanctions and periodic penalty payments
The DORA regulation leaves it to member states to define their sanctions regime applicable to financial entities, but imposes principles: sanctions must be effective, proportionate and dissuasive. For critical ICT providers (CTPPs), the European Lead Overseer can impose periodic penalty payments of up to 1% of the average daily worldwide turnover, for a maximum of six months (Article 35).
Sanctions available to national competent authorities (ACPR, AMF, BaFin, CSSF, Bank of Italy, Central Bank of Ireland, etc.):
- Compliance orders: formal order to correct a breach within a given time.
- Administrative fines: amounts defined by each member state.
- Daily periodic penalty payments: to compel compliance.
- Withdrawal or suspension of authorisation: in the most serious cases, equivalent to a cessation of activity.
- Public statements: the authority can publicly disclose the identity of the responsible person and the nature of the breach (Article 50(4)).
- Criminal sanctions: member states can provide for them in case of violation.
For critical ICT providers, Article 35 provides for a specific regime: the European Lead Overseer can impose daily periodic penalty payments of up to 1% of the average daily worldwide turnover of the provider, for a maximum duration of six months, to compel compliance.
For comparison with other European texts: the NIS 2 directive provides for essential entities administrative fines of up to 10 million euros or 2% of total annual worldwide turnover, depending on national transposition. DORA adopts a different logic, made of graduated sanctions, periodic penalties and prudential measures, and leaves it to member states to set the fine ceilings for financial entities on their territory. The applicable regime in a given situation therefore depends on the member state, the type of entity concerned, and the nature of the breach.
DORA governance: the management body's responsibility
DORA assigns responsibility for digital operational resilience to the management body of the financial entity. This responsibility is direct, personal, and cannot be delegated to the compliance function or the IT department. The management body must define, approve, supervise and periodically review the ICT risk management framework, allocate sufficient budget, and train regularly on digital risks.
The specific obligations of the management body (or equivalent body):
- Define and approve the digital operational resilience strategy
- Approve the ICT risk management framework and oversee its implementation
- Approve the ICT business continuity policy and disaster recovery plans
- Approve and periodically review the ICT audit plans
- Allocate sufficient budget to digital operational resilience
- Be trained regularly on ICT risks and their evolution
This is a major cultural shift. In many institutions, cybersecurity historically belonged at an operational level (CIO, CISO). DORA carries it to the strategic level; it becomes a governance issue on the same footing as solvency or liquidity.
Operational resilience is not business continuity
The two notions are often confused. Operational resilience under DORA covers the ability to maintain critical services under any form of ICT disruption, beyond the classic ISO 22301 BCM perimeter. For an EU bank that wants to align its BCM framework on DORA expectations, reading both frameworks together is the norm.
The 8 practical steps to DORA compliance
DORA compliance follows a structured eight-step approach, from applicability analysis through to integration into internal control processes. Duration and cost depend heavily on the size of the entity, the complexity of its ICT system and its initial maturity level; complex institutions typically mobilise substantial budgets and timelines.
- 1. Applicability analysis: confirm entry into the scope (Article 2) and identify specific obligations according to size and risk profile.
- 2. Existing-state assessment: evaluate current maturity in digital operational resilience against the regulation's requirements. Identify critical gaps.
- 3. Governance: formally hold the management body accountable, designate the ICT risk management function, formalise the resilience strategy.
- 4. ICT risk management framework: develop or update the framework in line with the regulation and Commission Delegated Regulation (EU) 2024/1774.
- 5. Third-party provider management: inventory ICT contractual arrangements, assess concentration risks, renegotiate contracts to integrate the mandatory clauses.
- 6. Resilience testing: plan and implement the testing programme, including TLPT for entities concerned.
- 7. Incident reporting: deploy the detection, classification and notification system for ICT incidents, with 24/7 escalation procedures.
- 8. Continuous improvement: integrate digital operational resilience into governance, internal audit and ongoing control processes.
Market surveys conducted before the January 2025 deadline pointed to heterogeneous preparation levels across the sector. In 2026, the effective supervision phase begins and laggards enter the supervisory perimeter of the competent authorities.
Cross-border scenarios for non-EU entities
A UK or Swiss entity can be impacted by DORA in three main scenarios: it provides critical ICT services to a European financial entity, it operates an authorised subsidiary in a member state, or it itself uses ICT providers that depend on DORA. In each case, exposure analysis and contractual renegotiation are immediate priorities.
Scenario 1: UK or Swiss ICT provider for a European bank. A UK or Swiss firm provides core banking software, a cloud service, or a data analytics service to a German or French bank. If these services are qualified as critical by the bank client, the provider will have to accept the integration of DORA contractual clauses (audit rights, data location, exit strategy, reporting obligations). If its systemic importance justifies it, it can be designated CTPP and subject to direct supervision by a European Lead Overseer under Article 36.
Scenario 2: UK or Swiss bank with an authorised EU subsidiary. A UK or Swiss bank operates a subsidiary in Luxembourg, Germany, France or Ireland. The subsidiary is directly subject to DORA. If ICT services are mutualised at group level from UK or Swiss headquarters, DORA requirements mechanically flow back to the parent: coherent ICT risk management framework, consolidated register of contractual arrangements, aligned group governance.
Scenario 3: UK or Swiss financial entity using EU-based ICT providers. Less frequent, but worth watching: if the ICT providers of the UK or Swiss entity are themselves CTPPs under DORA, coordination with the Lead Overseer can affect service continuity. In some extreme cases, a Lead Overseer recommendation can force a critical provider to restructure its activity, with cascading impact on its UK and Swiss clients.
Actions to take in 2026 for an exposed UK or Swiss entity:
- Inventory all contracts with EU entities and all contracts where the provider is potentially CTPP.
- Qualify the criticality of services provided or received.
- Anticipate contractual renegotiation: audit clauses, SLAs, exit strategies.
- Align the internal resilience framework on DORA, FINMA 23/01 and the UK PRA framework as applicable, to avoid duplicating efforts.
- Train the compliance, risk and IT teams on DORA-specific requirements. For complex projects, rely on Abilene Advisors, the GRC consulting arm of the Abilene group, which intervenes across the full DORA cycle: exposure analysis, CTPP mapping, contractual renegotiation, alignment of ISO 27001 / FINMA 23/01 / NIS 2.
PECB DORA Lead Manager training and certification
The PECB DORA Lead Manager certification is the reference path for professionals piloting DORA compliance within a financial institution or an ICT provider. It attests to mastery of the regulation's five pillars, the ability to implement an ICT risk management framework, and the skills required to lead the entire compliance project. The training runs over five days, with the exam on the final day.
Target audience:
- CISOs, CIOs, IT security managers at European, UK and Swiss financial institutions
- Compliance officers, risk managers, internal auditors in the banking, insurance and asset management sectors
- Business continuity managers and operational resilience leads
- GRC consultants specialising in the financial sector
- Executives and audit committee members who must oversee DORA governance
What the training covers:
- European regulatory landscape and articulation with other texts (NIS 2, GDPR, MiCA, Solvency II)
- The five pillars of the regulation and their respective articles
- Practical implementation of an ICT risk management framework
- Third-party provider management, register of contractual arrangements, mandatory clauses
- Resilience testing and TLPT methodology
- Governance, roles and responsibilities of the management body
- Preparation for the certification exam
Prerequisites: fundamental understanding of information security and cybersecurity concepts, familiarity with ICT risk management principles. A grounding in ISO 27001 is a major asset; professionals certified ISO 27001 Lead Implementer reach DORA compliance faster thanks to the alignment of control frameworks.
For UK and Swiss-based professionals, DORA Lead Manager training is most valuable when combined with a fine-grained understanding of either the UK operational resilience framework (PRA SS1/21, FCA PS21/3) or FINMA Circular 23/01 and the Swiss prudential framework. Abilene Academy is the only PECB Titanium Partner in Switzerland, with a 99% pass rate on PECB exams and more than 2,500 professionals trained in 120 countries. The training is available in English, French and Spanish, with several formats: classroom, virtual classroom, eLearning, or self-study. Other languages are available on request.
Recommended path for a starting professional: ISO 27001 Lead Implementer → PECB DORA Lead Manager → ongoing training on the 2026-2027 evolutions of the regulation. For a profile more focused on operational resilience and business continuity, the PECB Lead Operational Resilience Manager certification is a natural complement.
To situate DORA in the broader Swiss GRC ecosystem, see also our complete guide to ISO 27001 certification training in Switzerland (2026) and, for the FinTech-specific FINMA reading, ISO 27001 for Swiss FinTechs: the FINMA reality guide (2026).
Complementary technical standards (RTS and ITS)
The DORA regulation is complemented by a set of regulatory technical standards (RTS) and implementing technical standards (ITS) adopted by the European supervisory authorities (EBA, EIOPA, ESMA). These standards specify the operational modalities of the regulation: ICT risk management framework, incident classification, TLPT methodology, register of contractual arrangements format, criteria for designating CTPPs.
The main delegated and implementing texts published to date:
- Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024: specifies ICT risk management requirements, particularly access control to ICT assets.
- Technical standards on incident classification: materiality thresholds, notification templates.
- Technical standards on the register of contractual arrangements: format and content of the register to be transmitted to authorities.
- Technical standards on TLPTs: methodology, tester qualifications, test perimeters.
- Technical standards on CTPP supervision: designation criteria, Lead Overseer powers.
These technical standards constitute the level of detail indispensable for concrete implementation of the regulation. Tracking them is a permanent task for the ICT risk management function.
In summary
DORA is no longer a project to prepare for. Since 17 January 2025, it has been an applicable, controllable and sanctionable framework. For European financial institutions, 2026 is the year when paper compliance meets real supervision. For UK and Swiss actors (banks with EU subsidiaries, ICT providers serving European clients, cross-border financial groups), DORA imposes a parallel reading with FINMA Circular 23/01 or the UK operational resilience framework, and systematic contractual renegotiation.
The success factor most often cited by teams that have already advanced: consistency between frameworks. Do not treat DORA, FINMA 23/01, the UK operational resilience framework and NIS 2 as separate silos, but align the control framework on a common baseline, typically ISO 27001, and plug the specific requirements of each text on top.
The field perspective from Alexis Hirschhorn, Senior Trainer, Abilene Academy
"The DORA trap, in 2026, is not regulatory: it is cultural. In many boards of directors, cybersecurity is still mentally filed under technical, somewhere between the CIO and the CISO. DORA shifts it up a floor: it becomes a personal, non-delegable responsibility of the board. Institutions that have not made this shift in the heads of their directors will be compliant on paper and exposed in practice."
Sources and references
- Regulation (EU) 2022/2554: DORA (EUR-Lex, European Parliament and Council, 14 December 2022).
- Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 (EUR-Lex, European Commission): ICT risk management and access control.
- FINMA Circular 2023/1: Operational risks and resilience – banks (FINMA, in force since 1 January 2024).
- FINMA Circular 2018/3: Outsourcing – banks and insurers (FINMA, in force since 1 April 2018, revised).
- PRA Supervisory Statement SS1/21: Operational resilience (Bank of England Prudential Regulation Authority, in force since 31 March 2022, full implementation by 31 March 2025).
- TIBER-EU framework: Threat Intelligence-based Ethical Red Teaming (European Central Bank, reference for TLPT methodology).
- Digital Finance Package (European Commission): European strategy on digital finance, the framework within which DORA fits.
- PECB DORA Lead Manager: certification fact sheet (PECB, official certification reference).