What is DORA?
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), sets uniform requirements for the security of the network and information systems of financial entities (banks, insurers, investment firms, crypto-asset service providers and others) and for the ICT third-party providers designated as critical to them.
It is built on five pillars and requires each financial entity to identify its Critical or Important Functions (CIFs), map the ICT providers that support them, and maintain a Register of Information that its competent authority can request at any time.
The five pillars of DORA
ICT risk management
ICT-related incident management, classification and reporting
Digital operational resilience testing
ICT third-party risk management
Information-sharing arrangements
DORA with ResiPlan
ResiPlan runs a DORA maturity gap analysis article by article, builds your Critical or Important Functions (CIF) catalogue, maps the providers behind each function together with concentration risk, and generates a submission-ready Register of Information.
Cross-mapping reuses your ISO 27001 and NIS2 work so the ICT-risk pillar is largely pre-filled before you start.
Frequently asked questions
Who must comply with DORA?
Almost all EU financial entities, including banks, insurers, investment firms, payment and e-money institutions and crypto-asset service providers. ICT third-party providers that the European Supervisory Authorities designate as critical are not financial entities but fall under DORA's direct oversight framework.
What is the Register of Information?
A standardised register of all contractual arrangements on the use of ICT services supplied by ICT third-party providers, kept at entity level and, where applicable, at sub-consolidated and consolidated level. Financial entities must keep it up to date and submit it to their competent authority. ResiPlan generates it from your provider mappings.
What is a Critical or Important Function (CIF)?
A function whose disruption would materially impair the firm's financial performance or the soundness or continuity of its services and activities, or whose failed or defective performance would materially impair the firm's continuing compliance with the conditions of its authorisation or with financial services law. CIFs drive provider mapping and the scope of resilience testing.
When did DORA apply?
DORA has applied since 17 January 2025. Financial entities are expected to be fully compliant, including their Register of Information.