The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the EU regulation that requires banks, insurers, investment firms, crypto-asset service providers, and their critical ICT providers to manage ICT risk, report major incidents, test operational resilience, control third-party risk, and train every employee. It has applied across the EU since January 17, 2025.
That date matters: compliance is now an operating condition, and supervisors can ask for your incident records, resilience test results, and staff training evidence at any time. This guide summarizes what DORA requires, who is in scope, and how to meet the training mandate with security awareness training that satisfies DORA's requirements.
DORA regulation summary
DORA (Digital Operational Resilience Act) is a unified ICT risk management framework for EU financial entities.
It exists so financial entities can withstand, respond to, and recover from ICT-related incidents and operational disruptions.
It mandates the adoption of the following processes:
- ICT risk management: Policies and controls to mitigate risks associated with information and communication technologies.
- Third-party risk management: Rigorous assessments of ICT third-party service providers.
- Incident reporting and response: Timely detection, classification, and reporting of ICT-related incidents.
- Operational resilience testing: Regular stress tests to validate preparedness.
- Information sharing: Collaboration and transparency between entities to share insights on emerging threats.
Resilience here means the financial sector can continue to operate even when attacks get through.
DORA highlights the role of critical third-party providers and cloud service providers, ensuring these entities meet strict resilience standards.
This means that organizations relying on critical assets must continuously assess their risk profile.
The regulation ensures these providers maintain compliance with vulnerability evaluations and contractual clauses for operational continuity.
DORA also considers proportionality: not all financial entities face identical risks or operate on the same scale.
Smaller entities may tailor compliance efforts proportionally, but they still need to prioritize resilience.

DORA compliance deadline
DORA's compliance deadline was January 17, 2025, and the regulation has applied in full across the EU since that date. In 2026 the question is whether your evidence stands up to supervisory review.
Enforcement is under way. On November 18, 2025, the European Supervisory Authorities (EBA, EIOPA and ESMA) designated the first 19 critical ICT third-party providers, including the major cloud providers, and placed them under direct oversight.
For financial entities, national competent authorities can request incident reports, resilience testing results, third-party contract registers, and training records. Gaps in any of these carry potential fines, increased regulatory scrutiny, and reputational risk.
Contractual arrangements with critical ICT third-party providers must also stay aligned with DORA's oversight framework as those designations take effect.
What's the difference between EU directives and regulations?
Understanding the distinction between EU directives and regulations is essential when discussing DORA.
- A directive sets minimum standards that EU member states must implement through their national laws, allowing some flexibility in how the requirements are applied.
- And a regulation, like DORA, applies uniformly across all member states without the need for transposition into national legislation.
DORA’s status as a regulation eliminates the variability seen in directives, ensuring a harmonized approach to operational resilience across the EU.
This uniformity is meant to reduce inconsistencies and strengthen systemic stability throughout the financial services sector.
DORA being a regulation, rather than directive simplifies oversight for competent authorities and ensures the development of consistent technical standards across member states.
And its uniformity also reduces admin burdens and clarifies the role of compliance oversight for financial services institutions.
Why is DORA regulation necessary?
DORA is necessary due to the growing cyber threat landscape and the interconnected nature of the financial sector.
The financial sector is a prime target for cyber attackers because it's where the money is.
A single breach can ripple across the broader supply chain, affecting critical infrastructure and eroding trust in financial systems.
Those ripples are largely human-driven and expensive: the human element is involved in 62% of breaches (Verizon DBIR 2026), and while the global average breach cost eased to $4.44M, the US average hit a record $10.22M (IBM Cost of a Data Breach 2025).
DORA aims to address these vulnerabilities by:
- Establishing a unified framework to manage ICT-related risks.
- Enhancing resilience to ensure financial entities can recover from disruptions.
- Reducing systemic risk through robust ICT third-party risk management and incident response mechanisms.
DORA regulation sets clear expectations for financial firms and reporting service providers, requiring detailed documentation of risk management practices.
Comprehensive business continuity policies must align with DORA’s emphasis on effective incident management approaches.
Requirements such as regular penetration tests and disaster recovery plans ensure you're prepared for ICT-related disruptions.
DORA's emphasis on operational resilience, rather than paperwork alone, reflects how modern attacks actually unfold.
Cybercriminals exploit weak points in supply chains and ICT services, which is why DORA ensures entities are prepared for cascading impacts.
Who is impacted by DORA?
DORA applies to a broad spectrum of financial entities, including but not limited to:
- Banks and credit institutions.
- Insurance companies and reinsurance undertakings.
- Payment institutions and electronic money institutions.
- Investment firms, alternative investment funds, and management companies.
- Third-party ICT providers servicing financial entities.
The regulation also indirectly impacts ICT service providers outside the financial sector if they supply critical ICT-related services to regulated entities.
Emerging sectors like crypto-asset service providers and crowdfunding service providers are also explicitly included under DORA’s scope, as well as entities such as credit rating agencies and ancillary insurance intermediaries.
DORA’s reach extends deep into the supply chain, ensuring systemic resilience across the financial ecosystem.
This also includes entities across borders.
Organizations outside the EU with subsidiaries or business relationships in Europe are not exempt from DORA’s provisions.
If your organization also falls under the EU's broader NIS2 directive, the two regimes overlap on training and incident reporting obligations; start with our NIS2 compliance checklist for executives and boards.
DORA framework metrics you need to measure
To achieve compliance and operational excellence under DORA, financial entities must measure key metrics aligned with its framework:
Incident response metrics
- Time taken to detect, classify, and report ICT-related incidents.
- Volume and severity of ICT-related incidents.
Operational resilience metrics
- Results of operational resilience testing on ICT systems.
- Mean Time to Recover (MTTR) from disruptions.
Third-party risk metrics
- Proportion of critical ICT third-party providers evaluated annually.
- Performance indicators of ICT third-party providers under stress scenarios.
Compliance metrics
- Percentage of processes aligned with DORA requirements.
- Status of cybersecurity maturity assessments.
The ability to measure and act on these metrics will distinguish leaders in the financial sector from those struggling to meet basic compliance requirements.
Metrics also extend to business disruption recovery time and the effectiveness of remedial measures.
Evaluating supply chain attacks and defining materiality thresholds are key to meeting DORA’s comprehensive rules.
These metrics align closely with requirements set by the European Banking Authority.
DORA compliance checklist
DORA's requirements break down into seven workstreams: ICT risk management policies, incident management, third-party risk, resilience testing, information sharing, employee training, and compliance documentation. Use the checklist below to audit where you stand; every item maps to something a supervisor can ask to see.
1. Establish ICT risk management policies
- Document and implement frameworks to manage ICT-related risks effectively. If you already run an ISO/IEC 27001 ISMS, much of that groundwork carries over; see how ISO 27001 compliance and security awareness training fit together.
- Conduct regular audits to identify security gaps.
2. Develop an incident management plan
- Implement tools for ICT-related incident management, detection, classification, and reporting.
- Set up a Security Operations Center (SOC) or Incident Response Team.
- Use standardized templates for incident reporting to relevant authorities and European Supervisory Authorities.
3. Ensure ICT third-party risk management
- Evaluate the cybersecurity posture of all critical ICT third-party service providers.
- Include DORA-compliance clauses in contractual arrangements, ensuring oversight framework requirements are met.
4. Conduct operational resilience testing
- Test critical systems for robustness against cyber attacks and operational disruptions.
- Perform advanced testing techniques, such as threat-led penetration testing.
5. Optional information sharing
- Optionally share insights on significant cyber threats with other financial entities to enhance collective resilience.
6. Train employees on DORA requirements
Training is one of DORA's most explicit mandates. Article 13(6) requires financial entities to build "ICT security awareness programmes and digital operational resilience training" into compulsory staff training, covering all employees and senior management, at a complexity matched to each role.
- Educate staff on ICT-related incident response procedures and cybersecurity protocols.
- Develop ICT security awareness programs and digital operational resilience training tailored to the roles and responsibilities of all employees.
- Provide regular, targeted training for management bodies to ensure they stay up-to-date with ICT risks and their operational impact.
- When evaluating platforms for this requirement, weigh compliance coverage alongside outcomes; our guide to the best cybersecurity solutions for reducing employee risk shows how.
7. Document and monitor compliance
- Maintain detailed records of processes, incidents, and corrective actions.
- Regularly review and update compliance documentation.
How Hoxhunt trains leaders on DORA
What is Hoxhunt?
Achieving compliance is not just about meeting regulatory deadlines; it’s about embedding resilience, ensuring trust, and safeguarding critical operations.
Hoxhunt helps security leaders and employees join forces to prevent data breaches.
Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.
The behavior change is measurable, which matters when a supervisor asks for training evidence: across the Hoxhunt Phishing Trends Report 2026 dataset, employees' real-threat detection climbs from 13% to 71% over the training curve (pp. 37-39). Enterprises on both sides of the Atlantic document the same pattern: Celonis in Germany lifted threat reporting above 60% and cut simulation failure from 12% to under 2%, and Qualcomm in the US achieved a 10x reduction in click rate with targeted training.
Hoxhunt's training is grounded in real-world experience
- Focus on DORA’s Five Pillars: Hoxhunt examines DORA’s five pillars (risk management, incident reporting, resilience testing, third-party risk & information sharing)
- Practical, actionable steps: Each module includes clear, actionable steps for leaders and outlines their oversight role in helping their teams meet compliance and build organizational resilience.
- Leadership oversight: Training equips leaders to oversee cybersecurity processes, ensuring they meet DORA’s compliance standards and promote proactive cybersecurity awareness.
- A practical, customer-tested approach: Hoxhunt partnered with Elisa, a leading Finnish telecommunications company, to ensure the training was grounded in real-world applicability.
- Customer feedback integration: Training was refined based on direct feedback from Elisa and other customers, ensuring the training is practical, actionable, and aligned with the day-to-day challenges faced by leaders.
- Additional tools for CISOs: This collaboration produced a CISO-friendly deck that enables CISOs to confidently deliver the training to their leadership teams.

What to expect from Hoxhunt's DORA training
- Overview of DORA: Leaders are introduced to DORA’s scope, compliance timeline, and the leadership role in aligning organizational strategy with its five pillars.
- Navigating DORA Compliance: Emphasizes maintaining up-to-date cybersecurity skills, fostering operational resilience, and aligning ICT risk management with organizational goals.
- Leadership Cyber Awareness: Personal cybersecurity best practices, such as enabling MFA and recognizing phishing threats, are covered to inspire organization-wide responsibility.
- Pillar 1 - Risk Management: Leaders learn to integrate ICT risks into the organization’s risk framework, approve policies, and oversee policy reviews to address evolving threats.
- Pillar 2 - Incident Response: Essentials of creating a tested incident response plan and ensuring clear communication with stakeholders and regulators.
- Pillar 2 - Incident Reporting: Focuses on timely, accurate reporting of major ICT-related incidents, including root cause analysis.
- Pillar 2 - Post-Incident Learning: Conducting post-incident reviews to identify gaps and integrate lessons into updated policies.
- Pillar 3 - Operational Resilience: Setting resilience goals, overseeing regular resilience testing, and monitoring third-party dependencies.
- Pillar 4 - Third-Party Provider Resilience: Simplifies third-party risk management by maintaining contract registers, conducting risk assessments, and preparing tested exit strategies.
- Pillar 5 - Information Sharing: Guides leaders on secure intelligence sharing and compliance with Information-sharing Arrangements.
- DORA Top Priorities: Recaps top leadership responsibilities and immediate actions for DORA compliance.

DORA regulation FAQ
What is DORA regulation in a nutshell?
DORA, or the Digital Operational Resilience Act, is an EU regulation designed to ensure financial entities can withstand and recover from ICT-related incidents.
It focuses on risk management, incident response, third-party oversight, operational resilience testing, and information sharing.
What are the 5 pillars of DORA regulation?
The five pillars of DORA are:
- ICT Risk Management
- Incident Reporting and Response
- ICT Third-Party Risk Management
- Operational Resilience Testing
- Information Sharing and Intelligence Sharing
Who must comply with DORA?
DORA applies to a wide range of financial entities, including banks, payment service providers, insurance companies, investment firms, and ICT service providers to financial institutions.
Who is exempt from DORA?
Entities outside the financial sector that do not directly service financial institutions are generally exempt.
However, indirect impacts may apply to companies interacting with regulated entities through supply chains.
What are DORA's training requirements?
Article 13(6) makes security awareness and resilience training compulsory for every employee, senior management included, with depth matched to the role. Management bodies also have to keep their own ICT risk knowledge current through regular, specific training. Supervisors can ask for the training records.
Is DORA already being enforced?
Yes. DORA has applied in full since January 17, 2025. In November 2025 the European Supervisory Authorities designated the first 19 critical ICT third-party providers for direct oversight, and national competent authorities supervise financial entities' ongoing compliance, including their training records.
Sources
Digital Operational Resilience Act Overview – European Commission
DORA Compliance Framework – IT Governance
Why DORA Matters for Financial Institutions – Cybersecurity Dive, 2024
Operational Resilience and ICT Risk Management Under DORA – Finextra, January 2024
DORA Regulation and Third-Party Risk Management – Gartner
DORA: Strengthening the EU’s Financial Sector Against Cyber Threats – Bank for International Settlements
DORA Compliance for ICT Providers – CSO Online, February 2024
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt



