Hard2bit

DORA Regulation: Digital Operational Resilience for Financial Services

Build demonstrable operational resilience and meet Regulation (EU) 2022/2554. We translate regulatory requirements into a practical security and governance program with audit-ready evidence.

A practical, end-to-end approach for the new era of financial supervision

DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a major regulatory shift in the EU designed to ensure financial entities can withstand, respond to, and recover from ICT-related incidents. It is no longer enough to "be secure": supervisors expect operational resilience that can be proven with evidence.

At Hard2bit, we don’t stop at documentation. We combine governance and audit expertise with technical teams (Red Team, Cloud Architecture, SOC) to deliver controls, testing, and evidence across DORA’s core pillars.

Key date

DORA has applied since 17 January 2025. Organizations should be able to demonstrate ICT risk governance, resilience testing, third-party oversight (including the register of information on ICT contractual arrangements), and incident classification and reporting readiness, all backed by audit-ready evidence.

ICT Risk Governance & Management

Define the ICT risk management framework, resilience strategy, and continuity policies approved and overseen by the management body.

Incident Reporting Readiness

Set up detection processes and materiality criteria to classify major ICT-related incidents, and meet the staged regulatory reporting timeline (initial notification, intermediate report, final report) with defensible evidence of when the incident was detected and classified.

Digital Resilience Testing (incl. TLPT)

From the annual testing of ICT tools and systems (including vulnerability assessments) to threat-led penetration testing (TLPT), required at least every three years for entities designated by their competent authority, aligned to DORA testing expectations.

ICT Third-Party Risk Management

Assess ICT concentration risk, review contracts against DORA's mandatory contractual provisions, maintain the register of information, and audit critical ICT providers (including cloud) with actionable remediation.

DORA FAQ

Clear answers to the most common technical and compliance questions.

Which financial entities are in scope for DORA?
DORA covers a broad set of financial entities, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, fund managers and insurers, among others. It also introduces an EU oversight framework for ICT third-party providers designated as critical to the financial sector.
What happens if we are not compliant?
Competent authorities can impose supervisory measures and administrative sanctions. DORA also places accountability for ICT risk on the management body, so repeated deficiencies can create significant regulatory, personal and reputational impact.
Does DORA replace the EBA outsourcing guidelines?
DORA does not formally withdraw them, but as a directly applicable EU regulation it takes precedence where they overlap. It consolidates and elevates many existing outsourcing expectations into harmonised, binding requirements and introduces a stricter, more uniform approach to ICT third-party risk, oversight, and evidence of operational resilience.
How can NormAI help with DORA compliance?
NormAI accelerates the mapping between DORA requirements (including the relevant RTS/ITS) and your existing processes and controls, helping you build traceable evidence and shorten the gap assessment and remediation planning.

Don’t leave DORA to the last minute

DORA requires structural changes in how technology risk is governed, tested, and evidenced. We provide both the compliance roadmap and the technical execution needed to deliver operational resilience with minimal disruption to your teams.

Talk to a DORA consultant