| name | eu-dora-compliance |
| description | Implement DORA Regulation (2022/2554) digital operational resilience for financial entities โ ICT risk management, incident reporting, resilience testing, third-party risk. |
| version | 1.0.0 |
| last-updated | 2026-04-17 |
| model_tested | claude-sonnet-4-6 |
| category | compliance |
| platforms | ["claude-code","codex","gemini-cli","cursor","copilot","windsurf","cline"] |
| language | en |
| geo_relevance | ["eu"] |
| priority | critical |
| dependencies | {"mcp":[],"skills":["eu-regulatory-router"],"apis":[],"data":[]} |
| update_sources | [{"url":"https://eur-lex.europa.eu/eli/reg/2022/2554/oj","check_frequency":"quarterly","last_checked":"2026-04-17"}] |
| license | MIT |
EU DORA Compliance (Digital Operational Resilience Act)
DISCLAIMER: This skill provides guidance only. It does not constitute legal or financial advice. Always verify with qualified professionals.
When to Use
- Building software for financial institutions in the EU
- Assessing ICT risk management for fintech
- Setting up ICT incident reporting for financial entities
- Designing resilience testing programs
- Managing third-party ICT service provider relationships
Scope โ Who Is Affected?
DORA applies to virtually all EU financial entities:
| Category | Entities |
|---|
| Banking | Credit institutions, payment institutions, e-money institutions |
| Investment | Investment firms, trading venues, central securities depositories |
| Insurance | Insurance/reinsurance undertakings, intermediaries |
| Pension | IORPs (Institutions for Occupational Retirement Provision) |
| Crypto | Crypto-asset service providers (MiCA-regulated) |
| Infrastructure | CCPs, trade repositories, securitization repositories |
| Other | Credit rating agencies, crowdfunding providers, data reporting services |
| ICT providers | Third-party ICT service providers to the above (critical designation) |
5 Pillars of DORA
Pillar 1: ICT Risk Management (Articles 5-16)
Establish an ICT risk management framework:
- Identify all ICT assets, risks, dependencies
- Protect through security policies, access controls, encryption
- Detect anomalies and incidents via continuous monitoring
- Respond with incident response and crisis communication plans
- Recover with backup policies, restoration procedures, lessons learned
Pillar 2: ICT Incident Reporting (Articles 17-23)
Classify and report major ICT-related incidents:
| Criterion | Threshold for Major |
|---|
| Clients affected | > 10% of clients or significant clients |
| Duration | > 2 hours for critical services |
| Geographic spread | > 2 member states |
| Data loss | Integrity, confidentiality, or availability compromised |
| Economic impact | Material financial loss |
| Criticality of services | Core banking, payment processing, trading |
Reporting timeline:
- Initial notification: within 4 hours of classification as major
- Intermediate report: within 72 hours
- Final report: within 1 month
Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
| Test Type | Frequency | Who |
|---|
| Vulnerability assessments | At least annually | All entities |
| Network security testing | At least annually | All entities |
| Scenario-based testing | At least annually | All entities |
| Threat-Led Penetration Testing (TLPT) | At least every 3 years | Significant entities only |
TLPT must be conducted by qualified external testers following the TIBER-EU framework.
Pillar 4: Third-Party ICT Risk (Articles 28-44)
For all ICT third-party service providers:
- Maintain a register of all ICT service agreements
- Conduct pre-contract due diligence
- Include mandatory contractual clauses (audit rights, exit strategies, data location)
- Monitor ongoing compliance
- Have exit plans for critical providers
Critical ICT third-party providers (designated by ESAs) face direct EU oversight.
Pillar 5: Information Sharing (Article 45)
Financial entities may participate in voluntary information-sharing arrangements on:
- Cyber threat intelligence
- Indicators of compromise
- Tactics, techniques, and procedures (TTPs)
- Security alerts and configuration tools
Key Date
- 17 January 2025: DORA fully applicable
What This Skill Does NOT Do
- Does not conduct penetration testing or TLPT
- Does not configure ICT security tools
- Does not manage third-party provider contracts
- Does not replace compliance officer or legal counsel