DORA is structured around five core ‘pillars’ relating to ICT and cyber security, which together aim to provide a comprehensive digital operational resilience framework for financial entities and the critical ICT third-party service providers that support them.

ICT risk management and governance

This pillar requires you to develop a comprehensive ICT risk management framework. Within this framework, you need to identify and classify your critical ICT assets and their dependencies, and ensure that the ICT systems supporting your business functions are appropriately resilient. ICT risks need to be proactively monitored so that preventative and protective measures can be put in place. The framework you establish must also include measures to detect anomalous activity, business continuity and disaster recovery plans and policies, and procedures to review and learn from external ICT events as well as from your organisation’s own ICT incidents.

ICT-related incident reporting

For this pillar, you will need to put processes in place to monitor, document and classify ICT-related incidents. Major ICT-related incidents must be reported to the relevant competent authority using a common template and a harmonised procedure, with an initial notification followed by an intermediate report and a final report. In addition, where a major ICT-related incident affects the financial interests of your clients, you must inform those clients without undue delay of the incident and of the measures taken to mitigate its effects.

Digital operational resilience testing

Here, you are required to periodically test your ICT resilience and resolve any issues identified, ensuring that the testing is proportionate to the size, business and risk profile of your organisation. If your competent authority identifies you as having a high level of risk exposure, you are also required to carry out threat-led penetration testing (TLPT) on your live production systems at least every three years.

ICT third-party risk

This pillar requires you to identify which ICT third-party providers support your critical or important functions, and to ensure that the ICT services delivered by those providers are managed and monitored in a consistent and comprehensive manner, assessed for risk, and that any risks identified are effectively managed. Your relationships with your suppliers must also be governed by appropriately detailed contractual documentation, and you are required to maintain a register of information on all your contractual arrangements for ICT services.

Information sharing

Whilst participation in information-sharing arrangements is voluntary rather than mandatory, DORA encourages financial entities to exchange cyber threat information and intelligence within trusted communities. Such collaboration is aimed at improving organisations’ digital operational resilience, raising awareness of ICT risks and threats, limiting the ability of ICT threats to spread, and supporting organisations’ cyber security strategies and procedures.

DORA - The Digital Operational Resilience Act

Published on
5 Jun
2025

URM’s blog discusses the EU’s Digital Operational Resilience Act (DORA), explaining who it applies to, its requirements, how it will be enforced, and more.