
DORA

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is the EU’s first horizontal cybersecurity and resilience framework for the financial sector. It replaces the previous patchwork of national and sector-specific ICT rules (in Germany including BaFin’s BAIT, VAIT, KAIT and ZAIT circulars) with a single EU-wide framework and has been directly applicable since 17 January 2025. DORA requires in-scope financial entities to maintain an ICT risk management framework, to report ICT-related incidents to the competent authority in a structured way, to perform regular digital operational resilience testing (including threat-led penetration testing, TLPT, for designated entities), to operate a systematic ICT third-party risk management programme, and to enable information sharing on cyber threats. Unlike a directive, the DORA Regulation applies directly and did not need to be transposed into national law; in Germany, the Financial Market Digitalisation Act (Finanzmarktdigitalisierungsgesetz, “FinmadiG”) of 17 January 2025 accompanies its application by aligning KWG, ZAG, WpHG, VAG and KAGB with DORA.

DORA in the EU: Scope and Deadlines

Key dates:

  • Entry into force: 16 January 2023 (together with the accompanying Directive 2022/2556).
  • Date of application: 17 January 2025. All DORA requirements apply to the financial entities listed in Article 2 and to critical ICT third-party providers.
  • German alignment: The FinmadiG entered into force on 17 January 2025 and aligns German financial supervisory law with DORA. The competent authorities remain BaFin and the Deutsche Bundesbank; the Bundesbank additionally supervises TLPT engagements, building on the established TIBER-DE framework.
  • EU authority network: The three European Supervisory Authorities (EBA, EIOPA, ESMA, together the ESAs) have issued supplementary Regulatory and Implementing Technical Standards (RTS / ITS) on ICT risk management, incident classification, reporting and third-party oversight. These concretise DORA’s high-level requirements for practical implementation.

At SCHUTZWERK we understand that DORA implementation requires a holistic approach that combines technical expertise with deep knowledge of financial sector requirements. Our team of security experts provides comprehensive support across the five DORA pillars: ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. We help financial entities not only meet the DORA requirements but also build genuine operational resilience that protects their business and their customers.

Objective

Support in preparing and implementing DORA requirements through specialized security assessments


Question

How can we effectively meet the requirements of the Digital Operational Resilience Act?


Scope

IT systems and components within the scope of DORA requirements

Comprehensive DORA Framework

The Digital Operational Resilience Act introduces a comprehensive framework based on five core pillars, each aimed at increasing the financial sector’s resilience against digital disruptions. These pillars form an interconnected approach to operational resilience, ensuring that financial institutions can maintain critical services even under severe stress conditions.

ICT Risk Management

Financial institutions must implement a robust ICT risk management framework that encompasses all aspects of their digital operations. This includes systematic risk identification, assessment, and mitigation strategies. We help organizations develop comprehensive risk management processes that align with DORA requirements while supporting business objectives. We assist in creating detailed threat and risk assessments, establishing monitoring mechanisms, and implementing effective control measures.

Incident Reporting and Response

DORA prescribes structured incident reporting and response procedures to ensure that ICT-related incidents, as well as operational and payment-related incidents, are handled quickly and effectively. We help organizations establish efficient incident management processes, including incident classification schemes, reporting templates, and escalation procedures. Our expertise ensures that your incident response capabilities meet both regulatory requirements and operational needs.

Digital Operational Resilience Testing

A key aspect of DORA is the requirement for threat-led penetration testing (TLPT). These tests build upon the established TIBER-DE framework (Threat Intelligence-based Ethical Red Teaming), which has been in place in Germany since 2020. While DORA applies to almost all financial entities, TLPT is mandatory only for institutions designated by the competent authority based on specific criteria.

The TLPT process is structured in three main phases:

  • Preparation phase: scoping and selection of specialised providers for threat intelligence and red team testing
  • Testing phase: execution over roughly 18 weeks, of which 12 weeks are active attack simulation by the red team against live production systems
  • Closing phase: comprehensive evaluation, including replay and purple team workshops and a remediation plan

The tests are conducted under the supervision of the Deutsche Bundesbank, which oversees the entire process and attests to its compliant execution. Particularly important is the separation between threat intelligence team and red team to ensure independent and objective assessment.

Third-Party Risk Management

Management of ICT third-party risks is crucial under DORA. We support organizations in developing comprehensive third-party risk management frameworks, including assessment methodologies, monitoring procedures, and contingency planning. Our approach ensures effective oversight of critical service providers while maintaining operational efficiency.

Information Sharing

DORA promotes information sharing as a key element in building sector-wide resilience. We help organizations establish effective information sharing mechanisms that comply with regulatory requirements while protecting sensitive data. We use our expertise to support the establishment of suitable communication channels and the development of information classification systems.

Scope: Which Financial Entities DORA Covers

Article 2 DORA sets out the addressees exhaustively. The scope is broad and reaches beyond classical banking and insurance into capital markets, FinTech and ICT third-party providers. In-scope financial entities by cluster (selection):

  • Banking and payments: credit institutions, investment firms, payment institutions, electronic money institutions, account information service providers (AISPs under PSD2)
  • Insurance and occupational pensions: insurance and reinsurance undertakings; insurance, reinsurance and ancillary insurance intermediaries; institutions for occupational retirement provision (IORPs)
  • Capital market infrastructure: trading venues, central counterparties (CCPs), central securities depositories (CSDs), trade repositories, alternative investment fund managers (AIFMs), UCITS management companies, data reporting service providers
  • New entrants: crypto-asset service providers (CASPs) and issuers of asset-referenced tokens under MiCAR, crowdfunding service providers
  • Cross-cutting / market integrity: credit rating agencies, administrators of critical benchmarks, securitisation repositories, critical ICT third-party providers (CTPPs, covered separately through the ESA-led Oversight Framework)

The proportionality principle in Article 4 allows DORA to be applied “in accordance with the size and overall risk profile as well as the nature, scale and complexity” of the entity. For clearly defined groups, Article 16 provides a simplified ICT risk management framework, typically for small and non-interconnected investment firms, certain payment and e-money institutions below defined thresholds, insurance and reinsurance intermediaries that qualify as micro-, small- or medium-sized enterprises, and IORPs whose pension schemes together have no more than 100 members in total. Where an entity qualifies as a microenterprise (fewer than 10 employees and an annual turnover or balance sheet total of at most €2 million), additional alleviations apply, e.g. for the digital operational resilience testing programme.

TLPT (threat-led penetration testing under Articles 26-27) is not mandatory for all DORA addressees. It applies only to financial entities designated by the competent authority based on their size, business and risk profile, and systemic importance. Designated entities perform TLPT at least every three years; in Germany, supervision sits with the Deutsche Bundesbank, building on the TIBER-DE framework.

If you need a formal legal assessment beyond the technical classification, we can include, on request, a legal opinion on DORA scope by a lawyer specialised in IT and financial supervisory law. Typical triggers are: delineating your position within the proportionality regime (Article 4) and deciding whether the simplified ICT risk management framework (Article 16) is available; determining whether an intra-group ICT provider qualifies as an ICT third-party service provider within the meaning of DORA; or presenting the scope determination to your management board, supervisory board, BaFin or the Deutsche Bundesbank.

Background: in Germany, the Rechtsdienstleistungsgesetz (RDG) reserves the provision of legal advice to admitted lawyers. In practice, a well-founded DORA scope determination requires both technical analysis (ICT inventory, third-party mapping, classification of ICT services) and legal evaluation (interpretation of the FinmadiG, the ESA RTS/ITS, and the relevant BaFin and Bundesbank publications). The usual setup, in which your technical consultant goes back and forth with your external lawyer, often with you as the intermediary, is slow and lossy.

Our model: we work with a law firm specialised in regulatory and IT law whose lawyer can act directly as part of our project team and, on request, be billed through SCHUTZWERK, with no additional vendor needing to be set up or onboarded on your side. The legal advice itself is delivered in an RDG-compliant manner on the basis of a client mandate agreement (“Mandatsvereinbarung”) between you and the law firm directly, so the opinion is clearly documented and cleanly embedded in your SCHUTZWERK engagement. Outcome: a single consolidated technical-legal DORA scope opinion from one point of contact. No whisper-down-the-lane between consultants.

Frequently Asked Questions About the DORA Regulation

Which financial entities does DORA apply to?

DORA applies directly to the financial entities exhaustively listed in Article 2, including credit institutions, investment firms, payment institutions and electronic money institutions, insurance and reinsurance undertakings and their intermediaries, institutions for occupational retirement provision (IORPs), trading venues, central counterparties (CCPs), central securities depositories (CSDs), AIFMs and UCITS management companies, crypto-asset service providers (CASPs) and crowdfunding service providers, as well as credit rating agencies, administrators of critical benchmarks and securitisation repositories. In addition, DORA establishes a dedicated EU-level Oversight Framework for critical ICT third-party providers (CTPPs), i.e. cloud and other ICT providers designated by the ESAs as critical to the financial sector. Article 4 allows proportional application, and Article 16 provides a simplified ICT risk management framework for clearly defined groups, such as small and non-interconnected investment firms and IORPs whose pension schemes together have no more than 100 members in total.

Since when has DORA applied, and who supervises it in Germany?

Regulation (EU) 2022/2554 entered into force on 16 January 2023 and has been directly applicable since 17 January 2025. In Germany, the Financial Market Digitalisation Act (FinmadiG) of 17 January 2025 accompanies its application by aligning KWG, ZAG, WpHG, VAG and KAGB with DORA. The competent authorities are BaFin and the Deutsche Bundesbank; the Bundesbank additionally supervises TLPT engagements, building on the established TIBER-DE framework. The three European Supervisory Authorities (EBA, EIOPA, ESMA, the ESAs) concretise DORA through Regulatory and Implementing Technical Standards, which are being added to on an ongoing basis.

How must ICT-related incidents be reported under DORA?

DORA requires in-scope financial entities to classify ICT-related incidents against the materiality thresholds defined in the Commission Delegated Regulation (based on the ESA RTS) and to report those classified as major to the competent authority. The reporting follows a three-stage process: an initial notification once the incident is classified as major, an intermediate report with an updated status, and a final report after the root-cause analysis is complete, each within the deadlines set out in the accompanying Commission Implementing Regulation. Significant cyber threats may additionally be reported on a voluntary basis. The recipient in Germany is, depending on the sector, BaFin or the Deutsche Bundesbank via the established reporting channels.

What is threat-led penetration testing (TLPT), and who must perform it?

Threat-led penetration tests (TLPT), governed by Articles 26 and 27 DORA, are intelligence-led penetration tests that target live production systems supporting critical or important functions and require a clear separation between the threat intelligence provider and the red team. TLPT is not mandatory for all DORA addressees. It applies only to financial entities designated by the competent authority based on their size, business model and systemic importance. Designated entities perform TLPT at least every three years, structured along the TIBER-EU framework and, in Germany, concretised through TIBER-DE under the supervision of the Deutsche Bundesbank. Financial entities outside the TLPT addressee circle nevertheless remain subject to regular digital operational resilience testing, ranging from vulnerability analyses through classical penetration tests to scenario-based red team exercises.

What sanctions does DORA provide for?

Sanctions against financial entities follow national supervisory law; in Germany they may be imposed under KWG, ZAG, WpHG, VAG and KAGB as amended by the FinmadiG. Supervisory measures, public announcements and fines are available, with explicit management responsibility. For critical ICT third-party providers (CTPPs), DORA itself establishes a dedicated sanction regime: under Article 35 DORA, the ESAs (acting as Lead Overseer) may impose periodic penalty payments of up to 1 % of the average daily worldwide turnover in the previous business year, for a period of up to six months. The ESAs may additionally issue recommendations and, as a last-resort measure, require the suspension or termination of contractual arrangements between financial entities and CTPPs that do not cooperate.

From Scope to Implementation: DORA Support by SCHUTZWERK

DORA itself does not prescribe a specific ICT risk management methodology; the requirements of Chapter II (ICT risk management framework) and the supplementing ESA RTS can in practice be aligned cleanly with established standards. In the DORA engagements we accompany, the most useful reference frameworks are ISO/IEC 27001 (information security management system as the carrier structure), ISO/IEC 27005 (IT risk management), and for the testing / red-teaming pillar the TIBER-EU / TIBER-DE framework. SCHUTZWERK supports DORA addressees along these standards with certified ISO 27001 Lead Auditors, dedicated red-teaming specialists and long-standing experience in regulated environments.

A typical DORA package consists of four building blocks that build on each other and can be commissioned individually or as a single engagement:

  1. Scope and proportionality assessment: placement in the Article 2 addressee scope and clarification of whether the simplified ICT risk management framework under Article 16 is available; for TLPT-relevant institutions, additional preparation for the designation dialogue with BaFin and the Deutsche Bundesbank. Optionally extended with a formal legal opinion via our specialised law firm partner (see section above).
  2. Position assessment: maturity analysis of the ICT risk management framework against DORA Chapter II and the relevant ESA RTS, typically connecting to an existing or planned ISO/IEC 27001 ISMS and to IT risk management under ISO/IEC 27005.
  3. Technical assessment: focused penetration tests and red-teaming exercises to validate ICT resilience; for designated institutions, structured TLPT under the TIBER-EU/TIBER-DE framework with a clear separation between the threat-intelligence and red-team roles and with the Bundesbank as the accompanying supervisory body.
  4. Implementation support and ongoing operations: setup and operation of the DORA-relevant processes: ICT incident reporting (incident response), ICT third-party risk management (register of information, contractual requirements under Art. 28-30), the lessons-learned loop after tests, and ongoing adaptation to newly adopted ESA RTS.

Which building blocks are required and in what depth depends on size, business model, existing ISMS maturity and any prospective TLPT designation of your organisation.

Our Services

Penetration Testing and Red Teaming

DORA mandates threat-led penetration testing (TLPT) for designated financial entities, covering the live production systems that support their critical or important functions. This advanced form of penetration testing is based on real threat scenarios derived from threat intelligence and combines traditional security testing with red teaming methodologies. Our specialized teams simulate targeted attacks to assess the resilience of your systems and the effectiveness of your detection and response capabilities.

Risk Management

We help you develop and implement a robust risk management process that meets DORA requirements.

Incident Response

We help you develop and implement effective incident response processes that meet DORA requirements.

Implementation Approach

Our approach to DORA implementation combines technical expertise with practical experience in the financial sector. We work closely with your team to:

  1. Assess your current operational resilience capabilities against DORA requirements
  2. Develop a tailored implementation roadmap
  3. Support the implementation of required measures and controls
  4. Provide ongoing guidance and support for maintaining compliance

Benefits of Working with SCHUTZWERK

When partnering with SCHUTZWERK for DORA compliance, you benefit from:

  • Deep understanding of both technical security requirements and financial sector regulations
  • Practical experience in implementing resilience measures in financial institutions
  • Comprehensive testing and assessment capabilities
  • Ongoing support and guidance throughout your compliance journey
  • Independent and objective security expertise

Our goal is to help you not only achieve DORA compliance but also build lasting operational resilience that supports your business objectives and protects your stakeholders.
