
DORA

Digital Operational Resilience Act (EU) 2022/2554

17 controls · 5 domains
Mandatory for: EU financial entities and critical ICT providers

About this framework

The Digital Operational Resilience Act is an EU regulation that makes financial firms strengthen their resilience to IT disruption. It covers risk management, incident reporting, resilience testing, and oversight of technology suppliers.

Who needs this

Mandatory for EU banks, insurers, investment firms, and their critical technology providers.

Cross-framework coverage

Controls in DORA also cover:

NIST CSF: 9 shared controls
CIS Controls: 9 shared controls
ISO 27001: 9 shared controls
NCA ECC-2: 9 shared controls
Qatar NIA: 9 shared controls

Control domains

P1 · ICT Risk Management (7 controls)
ART.5
ICT risk-management framework governance
Management body owns and approves the ICT risk-management framework; clear roles and accountability.
NIST CSF · CIS Controls · ISO 27001 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · PCI DSS 4.0.1 · NIS2 · NCA CCC
ART.6
ICT risk-management framework
Documented framework: strategies, policies, tools and procedures to protect ICT assets.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · NCA CCC
ART.8
Identification
Identify, classify and document ICT-supported business functions, assets and dependencies.
NIST CSF · CIS Controls · ISO 27001 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS
ART.9
Protection and prevention
Security policies, controls and tools to ensure resilience, continuity and availability of ICT systems.
NIST CSF · CIS Controls · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS · PCI DSS 4.0.1 · SAMA CSF
ART.10
Detection
Mechanisms to promptly detect anomalous activities and ICT-related incidents.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
ART.11
Response and recovery
ICT business-continuity policy, response and recovery plans, regularly tested.
NIST CSF · CIS Controls · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS · PCI DSS 4.0.1 · SAMA CSF
ART.13
Learning and evolving
Capabilities to gather information on vulnerabilities and incidents and to learn from them.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · HIPAA Security Rule · GDPR (EU) · UK GDPR
P2 · ICT Incident Management & Reporting (3 controls)
ART.17
ICT-related incident management process
Process to detect, manage and notify ICT-related incidents and log all incidents.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
ART.18
Classification of incidents
Classify incidents and cyber threats by criteria (clients affected, duration, data losses, criticality).
NIST CSF · CIS Controls · ISO 27001 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · PCI DSS 4.0.1 · NIS2 · NCA CCC · SAMA CSF
ART.19
Reporting of major incidents
Report major ICT-related incidents to the competent authority within defined timeframes.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
P3 · Digital Operational Resilience Testing (3 controls)
ART.24
Resilience testing programme
Establish a sound, comprehensive, risk-based digital operational resilience testing programme.
NIST CSF · CIS Controls · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS · PCI DSS 4.0.1 · SAMA CSF
ART.25
Testing of ICT tools and systems
Tests such as vulnerability assessments, scans, gap analyses and penetration tests, at least yearly.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
ART.26
Threat-led penetration testing (TLPT)
Advanced TLPT for significant entities at least every three years.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
P4 · ICT Third-Party Risk (3 controls)
ART.28
General principles — third-party risk
Manage ICT third-party risk as an integral part of the ICT risk-management framework.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
ART.29
Concentration risk
Assess ICT concentration risk when contracting critical or important functions.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
ART.30
Key contractual provisions
Contracts with ICT providers contain mandatory key provisions (access, audit, exit, sub-outsourcing).
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
P5 · Information Sharing (1 control)
ART.45
Cyber-threat information-sharing arrangements
Exchange cyber-threat information and intelligence within trusted communities, protecting confidentiality.