DORA

Digital Operational Resilience Act

When your bank's IT goes down, it's not just inconvenient — it's systemic risk

The Digital Operational Resilience Act (DORA) is the EU's answer to a simple question: what happens when the financial sector's IT breaks? DORA creates a unified framework for ICT risk management, incident reporting, resilience testing, and third-party risk management for the entire EU financial sector. Because when a bank, insurer, or payment provider goes offline, it's not just an IT problem — it's a systemic risk.

Scope

Virtually all EU financial entities: banks, insurance companies, investment firms, payment providers, crypto-asset service providers, and — critically — their ICT third-party service providers. If you provide cloud, software, or data services to the financial sector, DORA applies to you too.

Geographic reach

EU-wide regulation with direct effect. Applies to all financial entities authorised in the EU and their critical ICT service providers, regardless of where the providers are based.

In effect since

17 January 2025

Purpose

To ensure the financial sector can withstand, respond to, and recover from ICT-related disruptions. Think of it as a fitness test for your bank's IT infrastructure — and the trainer is the European Supervisory Authority, so you'd better take it seriously.

Jump to your role:

Financial Entity

You're a regulated financial entity: bank, insurance company, investment firm, payment institution, electronic money institution, central securities depository, credit rating agency, or crypto-asset service provider. If you have a financial licence in the EU, DORA applies to you.

Your obligations

  • Establish and maintain a comprehensive ICT risk management framework (Art. 5–16)
  • Classify and report major ICT-related incidents: initial report within 4 hours, intermediate within 72 hours, final within 1 month (Art. 17–23)
  • Conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT) for significant entities (Art. 24–27)
  • Manage ICT third-party risk with structured due diligence, contractual requirements, and ongoing monitoring (Art. 28–44)
  • Participate in information sharing arrangements on cyber threats (Art. 45)
  • Ensure the management body takes ultimate responsibility for ICT risk — including training (Art. 5.2)
  • Maintain a register of all ICT third-party arrangements (Art. 28.3)
  • Map ICT assets, systems, and dependencies — including across group structures (Art. 8)

Key articles

  • Art. 5–16 — ICT risk management framework
  • Art. 17–23 — Incident classification and reporting
  • Art. 24–27 — Digital resilience testing
  • Art. 28–44 — Third-party risk management
  • Art. 45 — Information sharing

Pro tip

The 4-hour initial report deadline is the tightest in any EU regulation. Build automated incident detection and have pre-drafted templates ready. Also, map your ICT dependencies now — when an incident hits, you need to know which provider is affected and what contracts say about their obligations.

ICT Third-Party Service Provider

You provide ICT services to financial entities: cloud infrastructure, core banking software, payment processing, data analytics, cybersecurity services, or IT outsourcing. If the financial sector depends on your systems, DORA has something to say to you — especially if you're designated as a 'critical' ICT provider by the European Supervisory Authorities.

Your obligations

  • Support financial entities in their compliance by providing adequate information and assurance (Art. 28–30)
  • Accept contractual clauses covering: service descriptions, data locations, security measures, incident support, audit rights, and exit strategies (Art. 30)
  • Report incidents affecting financial entity clients promptly (Art. 30.2e)
  • If designated as critical: submit to direct oversight by European Supervisory Authorities (Art. 31–44)
  • If critical: maintain adequate security standards, undergo assessments, and provide risk information to authorities (Art. 33–36)
  • Ensure subcontracting arrangements don't undermine the financial entity's ability to comply (Art. 30.2a)

Key articles

  • Art. 28 — General principles for ICT third-party risk
  • Art. 30 — Key contractual provisions
  • Art. 31–44 — Oversight framework for critical providers

Pro tip

If you serve the financial sector, start reviewing your contracts against DORA's Art. 30 requirements now. Financial entities will be pushing these requirements down to you — be proactive rather than reactive. Having DORA-ready contract templates signals maturity and saves negotiation cycles.

How Euregas can help

Available tools

  • ICT risk assessments — structured evaluations aligned with DORA Art. 5–16 requirements
  • Incident management — track ICT incidents with automated 4h/72h deadline reminders
  • Third-party risk management (Art. 28–44) — assess and monitor ICT service providers

AI-assisted features

  • Semantic search across DORA articles and recitals
  • AI-prefilled case steps for DORA-related compliance cases

Note

The DORA module provides manual structured workflows. AI-assisted features (e.g., incident severity classification, automated TLPT scoping) are planned for future releases.

All examples are fictional and for illustrative purposes only.