DORA — the Digital Operational Resilience Act, decoded.
Regulation (EU) 2022/2554. Applies from 17 January 2025 across the 27 EU member states. Covers ~22,000 financial entities — banks, insurers, investment firms, crypto-asset service providers, central counterparties, trade repositories — plus the ICT third-party providers that serve them.
Who's in scope
Twenty financial-entity categories listed in Article 2(1), from credit institutions to electronic-money institutions to alternative investment fund managers. Under the Article 4 proportionality principle the requirements apply to every in-scope entity, but the rigour expected is calibrated to the entity's size, risk profile, and systemic relevance. Microenterprises get a lighter regime under Article 16.
Critical ICT third-party service providers — designated by the European Supervisory Authorities under Article 31 — fall under direct EU oversight. The first list of CTPPs is expected mid-2026; once designated, a CTPP can be examined, fined, or required to amend contract terms by a lead overseer (ECB, EBA, EIOPA, or ESMA depending on the financial sector).
The five pillars
DORA is structured as five interlocking workstreams:
- ICT risk management — Articles 5-16. A single integrated ICT risk-management framework, board-approved, reviewed at least annually. Identification, protection, detection, response and recovery, learning. Builds on but goes deeper than EBA Guidelines on ICT and security risk management.
- ICT-related incident reporting — Articles 17-23. Classification by criteria in Commission Delegated Regulation (EU) 2024/1772; major-incident reporting to the competent authority on a three-stage timeline (initial, intermediate, final). Significant cyber threats reported on a voluntary basis.
- Digital operational resilience testing — Articles 24-27. Annual basic testing of all ICT systems supporting critical or important functions. Threat-led penetration testing (TLPT), aligned with the TIBER-EU framework, every three years for entities meeting Article 26(8) thresholds.
- ICT third-party risk — Articles 28-44. Strategy, register of information, contractual provisions (Article 30), exit strategies, concentration-risk monitoring. Direct oversight of CTPPs.
- Information sharing — Article 45. Voluntary cyber-threat intelligence sharing among financial entities, governed by data-protection and confidentiality safeguards.
The RTS / ITS landscape
The level-1 regulation is supplemented by a dense layer of RTS, ITS, and Joint Guidelines from the ESAs. The ones most projects spend time on:
- Commission Delegated Regulation (EU) 2024/1774 — RTS specifying ICT risk-management tools, methods, processes, and policies (Article 15).
- Commission Delegated Regulation (EU) 2024/1772 — RTS on the criteria for classifying ICT-related incidents.
- Commission Implementing Regulation (EU) 2024/2956 — ITS on standardised templates for the register of information (Article 28(9)).
- Commission Delegated Regulation (EU) 2024/1773 — RTS on the policy on ICT services performed by ICT third-party service providers supporting critical or important functions.
Most failed first-pass audits trace back to the register-of-information template — the field-level mapping between contracts and the ITS schema is where teams discover the policy library doesn't actually have the required information in a structured form.
The DORA gap analysis, compressed
The traditional approach — line-by-line policy review against each DORA article and RTS — runs eight to fourteen weeks for a Tier-1 bank or large insurer. Sia RegAI compresses that into days with a six-phase pipeline:
- Scope & entity classification — proportionality bracket, scoped functions, applicable RTS/ITS.
- Obligation extraction — every Article and Recital parsed into atomic, citable obligations.
- Applicability triage — obligations filtered by the entity's scope, materiality, and existing scope of authorisation.
- Gap analysis — semantic mapping of every applicable obligation to the existing policy library.
- Control drafting — AI-drafted control language, in your tone of voice, for every gap.
- Evidence pack — audit-ready bundle: obligation, mapped clause, control, evidence, and citation graph.
Common findings (from real engagements)
- Article 28 register of information — most policy libraries describe outsourcing relationships qualitatively; the ITS schema requires quantitative fields (criticality, sub-contracting chain, country of data processing) that need to be back-filled.
- Article 30(2) and (3) contractual provisions — pre-DORA contracts rarely include the full Article 30 list; remediation requires a contract amendment campaign, not just a policy update.
- Article 26 TLPT scoping — entities under thresholds often discover they meet the criteria once consolidated assets and trading volumes are recalculated to the DORA definitions.
- Article 17 incident classification — internal incident taxonomies don't map cleanly to the seven RTS criteria; needs a translation layer before three-stage reporting can run.
Where Sia RegAI fits
Sia RegAI ingests the level-1 regulation, every RTS / ITS / Joint Guideline, and any national-competent-authority guidance you point it at. It produces a single, navigable obligation tree with paragraph-level traceback. From there it maps to your policy library, scores gaps, drafts controls, and assembles the evidence pack — every output carrying its citation graph so internal audit can defend it.