Secure Controls Framework

Digital Operational Resilience Act (DORA)

DORA is a significant leap in EU regulation that embeds operational resilience as a compliance expectation, not an optional security benefit — setting an enforceable high bar for ICT risk management, incident reporting, resilience testing, and third-party oversight.

Common Controls Framework™

The SCF is the Common Controls Framework™ (CCF™) — a Living Control Set (LCS) with 1,400+ controls across 33 domains, mapped to 200+ laws, regulations, and frameworks including DORA. Free under Creative Commons. Importable into GRC platforms via .csv or NIST OSCAL JSON. Validated using NIST IR 8477 STRM set theory.

Law Overview

Digital Operational Resilience Act (DORA)

The EU Digital Operational Resilience Act (DORA) sets out comprehensive rules for ensuring that financial institutions can withstand, respond to, and recover from ICT disruptions and cyberattacks.

Officially enacted as Regulation (EU) 2022/2554, DORA entered into force in January 2023 and became fully enforceable on January 17, 2025. It creates a unified cybersecurity and operational resilience framework across the EU financial sector, reducing fragmentation and increasing digital resilience for the European financial system as a whole.


Name: Digital Operational Resilience Act (DORA)
Type: Statutory (Law)
Authoritative Source: EU Regulation 2022/2554
Entered Into Force: January 2023
Fully Enforceable: January 17, 2025
Enforced By: European Supervisory Authorities (ESAs) & national regulators
Applies To: EU financial entities and critical ICT third-party providers
Certification Available: No official certification. SCF CAP can demonstrate conformity.

TL / DR — Too Long / Didn’t Read

The Digital Operational Resilience Act (DORA) is a significant leap in EU regulation that embeds operational resilience as a compliance expectation, not an optional security benefit. For financial entities and Information and Communication Technology (ICT) providers, it sets a high bar that is enforceable, with costly non-compliance ramifications. Organizations are expected to align their ICT risk management, incident reporting, resilience testing and third-party oversight practices to DORA.

DORA’s broad scope covers tens of thousands of financial entities and their ICT vendors operating in or serving the EU, applying to nearly all entities regulated under EU financial services law — including banks, insurers, payment institutions, crypto-asset service providers, financial market infrastructure, and critical ICT third-party providers.

Though enforcement actions under DORA had not yet materialized at the outset of its application, the penalty framework is severe and regulators across EU member states have already signaled readiness to act aggressively, with fines of up to 2% of annual worldwide turnover for financial entities and daily fines for up to six months until compliance is restored.

GRC-Focused Overview

DORA — Origins and Purpose

Before DORA, EU financial regulation around digital and ICT risk was fragmented — banks, insurers, payment services and asset managers operated under different national or sectoral rules. DORA harmonizes these requirements into a single enforceable framework for the entire European financial sector.

In September 2020, the European Commission launched the initiative for DORA as part of its Digital Finance Package. In November 2022, the Parliament and Council approved Regulation (EU) 2022/2554, which entered into force in January 2023. A two-year transition followed, with full application required from January 17, 2025. DORA’s scope includes approximately 20 categories of financial entities and ICT third-party providers.

ICT Risk Management

Entities must implement a comprehensive ICT risk management framework covering governance, policies, asset mapping, threat monitoring and controls integration with business continuity.

ICT Incident Reporting

Organizations must deploy detection, classification and timely reporting processes for ICT incidents, including categorization and workflows for notification to competent authorities.

Digital Operational Resilience Testing

Entities are required to carry out regular ICT resilience testing, including threat-led penetration tests and scenario-based continuity exercises.

ICT Third-Party Risk Management

DORA mandates robust oversight for outsourced ICT, including pre-contract due diligence, ongoing monitoring, contractual safeguards and escalation protocols, especially for critical third-party providers.

Information Sharing

While voluntary, DORA encourages threat intelligence and incident data sharing among peers and authorities to enhance collective resilience. ESAs have developed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) covering aspects from reporting templates to penetration testing protocols.

Enforcement

Ramifications of Non-Compliance with DORA

Though enforcement actions under DORA had not yet materialized at the outset of its application, the penalty framework is severe and regulators across EU member states have already signaled readiness to act aggressively.

DORA empowers European Supervisory Authorities (ESAs) and national regulators to impose significant penalties:

Financial Entity Fines

Fines up to 2% of annual worldwide turnover or €10 million, whichever is higher. Senior individuals may face penalties up to €1 million.

Critical ICT Provider Penalties

Fines up to €5 million or 1% of average daily turnover; individuals up to €500,000. Authorities may issue daily fines for up to six months until compliance is restored.

Operational and Reputational Consequences

Regulators can also enact administrative warnings, require remediation, or suspend operational licenses under repeated or severe non-compliance. Failure to report ICT incidents in line with DORA timelines or inadequate resilience testing can trigger reputational harm and compensatory liabilities to clients or third parties.

Compliance Strategy

Common Methods to Achieve and Maintain DORA Compliance

Achieving compliance under DORA requires a cross-functional and risk-based approach:

Governance and Organizational Buy-In

Form a cross-disciplinary resilience team spanning IT, risk, compliance and business; establish executive oversight, board-level alignment and defined risk tolerances.

ICT Asset and Risk Inventory

Catalog critical systems and classify ICT assets for operational importance and third-party dependencies.

Incident Detection, Classification and Reporting

Use standardized criteria for incident severity and reporting thresholds, supported by the ESAs’ RTS/ITS.

Resilience Testing Regimen

Implement a maturity-aligned testing program: regular vulnerability scans, threat-led testing and tabletop simulations.

Third-Party Risk Controls

Index and assess suppliers; embed resilience clauses in contracts; conduct ongoing audits, especially for critical ICT providers.

Intelligence Sharing

Participate in secure forums for sharing cyber threat data and operational lessons.

Documentation and Evidence Gathering

ICT risk management plans, incident response logs, testing records, third-party assessments, governance records and framework mapping documentation all demonstrate that compliance is operational rather than asserted.

Documentation Value

Understanding The Value of Quality Cybersecurity Documentation in DORA Success

At the intersection of cyber resilience and regulation, documentation is the keystone of both preparedness and regulatory trust.

Audit Evidence

Demonstrates that risk management, incident handling, testing and third-party controls are not theoretical but operational.

Root Cause Analysis

Incident post-mortems trace failures and build institutional learning. Documentation of these analyses demonstrates to regulators that corrective actions were taken and controls were improved.

Assurance to Supervisors

Clear, versioned policies show leaders and authorities that governance is intentional and reviewed. Boilerplate policies or ad-hoc procedures increase risk. DORA demands living, role-assigned and outcomes-backed documentation — not checkbox artifacts.

Maturity Roadmap

Documentation supports benchmarking improvements over time and provides evidence that the organization’s resilience posture is continuously improving — a key expectation under DORA’s ongoing compliance obligations.

Get Started

See DORA Mapped in the SCF

DORA — and 200+ more laws, regulations, and frameworks — is mapped to specific SCF controls in the free SCF download. One unified control set, endless compliance coverage.