DORA (Digital Operational Resilience Act) is the EU regulation that establishes a uniform framework for ICT (information and communication technology) risk management across financial entities, applicable from January 2025. It applies to banks, insurers, payment institutions, investment firms, and crypto-asset service providers authorised under MiCA (the Markets in Crypto-Assets Regulation).
For security teams, the most consequential articles are:
- Article 24: requires regular ICT risk assessments and a risk-based testing programme.
- Article 25: defines the vulnerability assessment baseline that every in-scope entity must run at least annually on relevant systems.
- Article 26: defines threat-led penetration testing (TLPT) for entities classified as significant. TLPT must be performed every three years and follows a TIBER-EU-aligned methodology.
- Article 27: lists the requirements for TLPT testers (independence, certifications, methodology).
DORA also introduces:
- A single incident reporting framework that supersedes the previous fragmented national rules.
- Third-party ICT risk requirements, with a critical ICT third-party provider designation regime for major cloud providers and security firms.
- An information sharing framework for cyber-threat intelligence.
For crypto exchanges and custodians under MiCA, DORA's pentest requirements are the operative compliance bar. Annual vulnerability assessments and (for significant entities) TLPT every three years are not optional.