Who is subject to DORA?

DORA applies to a wide range of EU financial entities including credit institutions, payment institutions, investment firms, insurance companies, crypto-asset service providers, and data reporting service providers. It also applies to critical ICT third-party service providers that serve these entities, including major cloud providers.

What are the five pillars of DORA?

DORA is structured around five pillars: ICT risk management (Articles 5–16), ICT incident management and reporting (Articles 17–23), digital operational resilience testing (Articles 24–27), ICT third-party risk management (Articles 28–44), and information and intelligence sharing (Article 45). KaitoSec provides dedicated workspaces for each pillar.

What is the major ICT incident reporting timeline under DORA?

DORA requires an initial notification within 4 hours of classifying an incident as major (and no later than 24 hours after becoming aware). An intermediate report follows within 72 hours, and a final report within one month. KaitoSec automates the classification assessment and tracks all three deadlines from the moment an incident is logged.

How does DORA relate to NIS2?

NIS2 covers cybersecurity broadly across critical sectors, while DORA is a sector-specific regulation for financial services that goes into greater depth on ICT resilience, third-party risk, and resilience testing. Where a financial entity falls under both, DORA generally takes precedence for ICT risk matters. KaitoSec maintains a cross-mapping to avoid duplicating compliance work.

What is Threat-Led Penetration Testing (TLPT) under DORA?

TLPT is an advanced, intelligence-led penetration testing methodology required for significant financial entities under DORA Article 26. Unlike standard penetration testing, TLPT simulates the tactics of sophisticated real-world adversaries against your live production systems. It must be conducted every three years using accredited testers and follows the TIBER-EU framework.

KaitoSec

DORA

DORA across all five pillars on one data model

ICT risk management, incident classification, resilience testing, ICT third-party register and information sharing. Same workspace as your BCMS, ISMS and DSMS, so a BC exercise also serves Pillar 3 evidence and an ISMS access policy already counts toward Pillar 1.

Book a Demo Explore Platform

DORA pillars covered

Major incident reporting window

Financial entity types in scope

ICT Risk Framework Automation

DORA requires financial entities to maintain a comprehensive ICT risk management framework under Article 5. KaitoSec provides a pre-built framework template aligned with EBA and ESMA regulatory technical standards, covering identification, protection, detection, response, and recovery.

Third-Party ICT Risk Management

DORA places strict obligations on the management of ICT third-party providers, including mandatory contractual provisions and concentration risk assessment. KaitoSec tracks all ICT providers, their criticality classification, and contract compliance status in one register.

Incident Classification and Reporting

DORA defines specific classification criteria for major ICT incidents and requires tiered reporting to competent authorities. KaitoSec automates the classification decision tree, calculates reporting deadlines, and generates pre-filled notifications for NCA submission.

DORA Pillar Dashboard

Track implementation progress across all five DORA pillars. ICT risk management, incident management, digital operational resilience testing, ICT third-party risk, and information sharing. Each pillar shows completion percentage, open gaps, and upcoming deadlines.

TLPT Orchestration

Threat-Led Penetration Testing (TLPT) is required for significant financial entities on a three-year cycle. KaitoSec manages the TLPT lifecycle, from threat intelligence scoping through test execution coordination and remediation tracking, and maintains the documentation required for supervisory review. Pillar 3 resilience testing requirements are supported through KaitoSec's exercise and test management, plan, execute, and document tests linked to your BC plans and recovery strategies.

ICT Provider Register

Maintain the mandatory register of ICT third-party service providers required under DORA Article 28. KaitoSec tracks provider criticality, contractual provisions, concentration risk, and sub-outsourcing chains, and generates the register in the format required by the European Supervisory Authorities.

Business Continuity & Recovery Planning

DORA requires financial entities to maintain ICT business continuity and recovery plans as part of their ICT risk management framework. KaitoSec connects your DORA obligations with structured BIA workflows, recovery strategy documentation, and testable BC plans. Link recovery targets to critical ICT services, document your strategies, and demonstrate compliance, all in one place.

Built on open catalogs: BSI, MITRE, OWASP, ENISA

ISO 27001

ISO 22301

BSI IT-Grundschutz

NIST CSF

GDPR / DSGVO

SOC 2

NIS2

DORA

FAQ

Related platform features

Risk Management Business Continuity Vendor Management Reporting

DORA across all five pillars on one data model

ICT Risk Framework Automation

Third-Party ICT Risk Management

Incident Classification and Reporting

DORA Pillar Dashboard

TLPT Orchestration

ICT Provider Register

Business Continuity & Recovery Planning

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal

DORA across all five pillars on one data model

ICT Risk Framework Automation

Third-Party ICT Risk Management

Incident Classification and Reporting

DORA Pillar Dashboard

TLPT Orchestration

ICT Provider Register

Business Continuity & Recovery Planning

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal