← All frameworks
EU EU · 8 Policy & Process · EU

DORA

Digital Operational Resilience Act (EU) 2022/2554

2022/2554

17 controls · 5 domains
Mandatory for: Mandatory for EU financial entities and critical ICT providers
Start assessment in platform →

About this framework

The Digital Operational Resilience Act is an EU regulation that makes financial firms strengthen their resilience to IT disruption. It covers risk management, incident reporting, resilience testing, and oversight of technology suppliers.

Who needs this

Mandatory for EU banks, insurers, investment firms, and their critical technology providers.

Cross-framework coverage

Controls in DORA also cover:

NCA ECC-2 10 shared
NCA OTCC 10 shared
UAE IA 10 shared
CJIS 9 shared
ADHICS 9 shared

See how DORA connects to the rest → the Security Universe

Control domains

P1 · ICT Risk Management 7
ART.5
ICT risk-management framework governance
Management body owns and approves the ICT risk-management framework; clear roles and accountability.
CJISCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRADHICSPCI DSS 4.0.1
ART.6
ICT risk-management framework
Documented framework: strategies, policies, tools and procedures to protect ICT assets.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
ART.8
Identification
Identify, classify and document ICT-supported business functions, assets and dependencies.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
ART.9
Protection and prevention
Security policies, controls and tools to ensure resilience, continuity and availability of ICT systems.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
ART.10
Detection
Mechanisms to promptly detect anomalous activities and ICT-related incidents.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
ART.11
Response and recovery
ICT business-continuity policy, response and recovery plans, regularly tested.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
ART.13
Learning and evolving
Capabilities to gather information on vulnerabilities and incidents and to learn from them.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
P2 · ICT Incident Management & Reporting 3
ART.17
ICT-related incident management process
Process to detect, manage and notify ICT-related incidents and log all incidents.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
ART.18
Classification of incidents
Classify incidents and cyber threats by criteria (clients affected, duration, data losses, criticality).
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
ART.19
Reporting of major incidents
Report major ICT-related incidents to the competent authority within defined timeframes.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
P3 · Digital Operational Resilience Testing 3
ART.24
Resilience testing programme
Establish a sound, comprehensive, risk-based digital operational resilience testing programme.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
ART.25
Testing of ICT tools and systems
Tests such as vulnerability assessments, scans, gap analyses and penetration tests, at least yearly.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IA
ART.26
Threat-led penetration testing (TLPT)
Advanced TLPT for significant entities at least every three years.
CJISADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IA
P4 · ICT Third-Party Risk 3
ART.28
General principles — third-party risk
Manage ICT third-party risk as an integral part of the ICT risk-management framework.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
ART.29
Concentration risk
Assess ICT concentration risk when contracting critical or important functions.
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
ART.30
Key contractual provisions
Contracts with ICT providers contain mandatory key provisions (access, audit, exit, sub-outsourcing).
CJISADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
P5 · Information Sharing 1
ART.45
Cyber-threat information-sharing arrangements
Exchange cyber-threat information and intelligence within trusted communities, protecting confidentiality.
NCA ECC-2NCA OTCCUAE IA

Ready to assess against DORA?

Start free trial →