
DORA Regulation: ICT Security Requirements for Financial Services

The Digital Operational Resilience Act requires continuous ICT asset monitoring and weekly vulnerability scanning. SeguriScan automates asset discovery and scanning so your team can focus on running the business.

EU-Based Platform
Weekly Monitoring
Automated Reports
No Installation Required

What Is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (Regulation EU 2022/2554) is EU law that sets binding ICT security requirements for every financial entity operating in the European Union. It entered full application on 17 January 2025 — with no grace period. If your firm holds an EU licence or serves EU financial institutions as an ICT provider, DORA applies to you right now.

DORA covers five pillars: ICT risk management, incident reporting, operational resilience testing, third-party ICT risk, and information sharing. For SMBs the most immediate obligations are continuous asset inventory (Art. 8), automated vulnerability scanning at least weekly for critical systems (Art. 10), and maintaining a Register of Information for all ICT vendor contracts (Art. 28).

The good news: you do not need a large security team to comply. The right tooling automates the discovery, scanning, and reporting that DORA mandates — so you have documented evidence ready for your national regulator when they come asking.

Regulation: Digital Operational Resilience Act (EU 2022/2554)
Full application: 17 January 2025 — no grace period
Jurisdiction: European Union (all 27 member states)

Who Must Comply with DORA

Banks and Credit Institutions
Payment and E-Money Institutions
Insurance Companies and Intermediaries
Investment Firms
Crypto-Asset Service Providers (MiCA)
Crowdfunding Service Providers
ICT Third-Party Providers (designated critical)
Credit Rating Agencies

Key DORA Security Requirements

Art. 8 — ICT Asset Management

Continuously identify, classify, and document all ICT assets — hardware, software, data, and supporting infrastructure. Review must occur at least annually, with continuous updates for material changes.

Art. 10 — Vulnerability & Patch Management

Run automated vulnerability scanning across all ICT assets. Assets supporting critical or important functions must be scanned at a minimum weekly. Results must be severity-scored and fed into a remediation process.

Art. 28–44 — Third-Party ICT Risk

Maintain a Register of Information (RoI) documenting all ICT third-party service arrangements. Assess vendor security posture and monitor for material changes throughout the contract lifecycle. (First RoI submission deadline: 4 April 2025.)

Art. 5 & Art. 17–23 — Governance & Incident Reporting

Management body must approve ICT risk policies annually. Major ICT incidents must be reported to the competent authority within 4 hours of classification, with an intermediate report at 72 hours and a final report within 1 month.

How SeguriScan Supports DORA Technical Requirements

1. Discover Your ICT Assets

Point SeguriScan at your domains and it automatically discovers subdomains, IP addresses, cloud services, APIs, certificates, and exposed ports — everything that counts as an ICT asset under Article 8. No agents, no installation, no IT tickets. Your full asset inventory is ready in minutes and stays current automatically.

2. Assess Vulnerabilities Weekly

SeguriScan scans every discovered asset against known CVEs and misconfigurations on a weekly cadence, scores findings by CVSS severity, and maps them to DORA's risk classification tiers. Weekly scanning meets the Article 10 minimum for critical-function assets. You get a prioritised fix list — not a raw list of hundreds of alerts.

3. Generate Resilience Reports

Every scan produces a time-stamped, structured report built for regulatory review. Share the executive summary with your board for the annual ICT risk policy sign-off (Art. 5). Export the detailed findings as evidence for your national regulator — BaFin, CBI, AMF, CNMV, or whoever oversees your firm. No manual report writing required.
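As an added illustration of the three-step workflow above (example code written for this page, not SeguriScan's own software), the Python below runs the checks a compliance reviewer would expect on a constructed asset inventory: it flags critical-function assets whose last scan is older than the weekly minimum, orders findings worst-first using the CVSS v3 qualitative severity ratings, and emits a time-stamped structured report that can be retained as scanning evidence. Asset names, CVE identifiers and dates are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Weekly minimum scan cadence for assets supporting critical or important functions.
CRITICAL_MAX_SCAN_AGE = timedelta(days=7)

# CVSS v3.x qualitative severity ratings (FIRST specification), used to order the fix list.
def cvss_severity(score: float) -> str:
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"

# Constructed sample inventory: what the discovery step would produce, not real data.
INVENTORY = [
    {"asset": "api.example-bank.test", "critical_function": True, "last_scan": "2025-06-01T02:00:00Z"},
    {"asset": "www.example-bank.test", "critical_function": False, "last_scan": "2025-05-20T02:00:00Z"},
    {"asset": "legacy-vpn.example-bank.test", "critical_function": True, "last_scan": "2025-05-15T02:00:00Z"},
]

# Constructed sample findings with CVSS base scores; the CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"asset": "api.example-bank.test", "id": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "www.example-bank.test", "id": "CVE-0000-0002", "cvss": 5.3},
    {"asset": "legacy-vpn.example-bank.test", "id": "CVE-0000-0003", "cvss": 7.5},
    {"asset": "api.example-bank.test", "id": "MISCONFIG-TLS-1.0", "cvss": 3.7},
]

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def cadence_breaches(inventory, now: datetime) -> list[str]:
    """Critical-function assets whose last scan is older than the weekly minimum."""
    return [a["asset"] for a in inventory
            if a["critical_function"] and now - parse_ts(a["last_scan"]) > CRITICAL_MAX_SCAN_AGE]

def prioritised_findings(findings) -> list[dict]:
    """Findings ordered worst-first, each tagged with its CVSS qualitative rating."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [dict(f, severity=cvss_severity(f["cvss"])) for f in ranked]

def evidence_report(inventory, findings, now: datetime) -> dict:
    """Time-stamped, structured record suitable for retention as scanning evidence."""
    return {"generated_at": now.isoformat(), "asset_count": len(inventory),
            "cadence_breaches": cadence_breaches(inventory, now),
            "findings": prioritised_findings(findings)}

if __name__ == "__main__":
    print(json.dumps(evidence_report(INVENTORY, FINDINGS, datetime.now(timezone.utc)), indent=2))
```

Any asset listed under cadence_breaches is the gap a supervisor would ask about first, so the report is worth generating on the same weekly schedule as the scans themselves.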

The Cost of DORA Non-Compliance

Financial Penalties

For serious systemic failures, fines reach 2% of total annual worldwide turnover — with no cap. For specific provision breaches, the penalty is up to 1% of average daily worldwide turnover per day of non-compliance. Standalone fixed fines reach up to €5,000,000. Member states including Germany, France, and Spain may set higher national sanctions above the EU floor.

Operational Restrictions

Regulators can order suspension or withdrawal of your operating authorisation, impose restrictions on specific ICT activities, and publicly disclose violations through ESA supervisory notices. Non-compliant ICT providers can have their contracts terminated by financial entity clients — at the regulator's direct instruction.

Personal Liability

Senior managers and board members face personal fines of up to €1,000,000 for failures in ICT risk governance. DORA's Article 5 places accountability on the management body — not just the CISO. Individuals at designated critical ICT third-party providers face personal fines up to €500,000.

DORA has been in full application since 17 January 2025. National regulators commenced supervisory audits and on-site inspections of financial entities in 2026. There is no grace period remaining.


DORA Compliance FAQ

What is DORA and who does it apply to?

DORA (Digital Operational Resilience Act, Regulation EU 2022/2554) is EU law that requires financial entities to maintain robust ICT risk management, incident reporting, and resilience testing programmes. It applies to 21 categories of financial entity across the EU — including banks, payment institutions, e-money institutions, investment firms, insurance companies, crypto-asset service providers, and crowdfunding platforms. It also applies to any ICT provider designated 'critical' by the European Supervisory Authorities. If your firm holds an EU financial licence or provides ICT services to EU financial entities, DORA applies to you. Microenterprises (under 10 staff and €2M turnover) benefit from simplified requirements, but are not fully exempt.

What are the penalties for DORA non-compliance?

DORA penalties are tiered by severity. Systemic failures carry fines up to 2% of total annual worldwide turnover. Specific provision breaches are fined at up to 1% of average daily worldwide turnover for each day of non-compliance. Fixed fines for less severe violations reach €5,000,000. Crucially, senior managers face personal liability up to €1,000,000 per individual — so DORA compliance is a board-level matter, not just an IT issue. National regulators (BaFin, CBI, AMF, CNMV, and others) may set higher sanctions above the EU floor, and public naming of violators by the ESAs adds reputational risk on top of financial penalties.

How does attack surface management help with DORA?

DORA directly mandates three things that attack surface management automates: continuous ICT asset inventory (Article 8), automated vulnerability scanning at least weekly for critical systems (Article 10), and ongoing third-party ICT risk monitoring (Articles 28–44). An ASM tool like SeguriScan discovers all your internet-facing assets, maps them to CVE vulnerability data, scores them by severity, and produces the time-stamped scanning evidence that regulators will request during supervisory reviews. Asset inventory and third-party risk registers are the two most common DORA technical challenges — ASM tooling addresses both directly.

What is the DORA compliance deadline?

DORA entered full application on 17 January 2025 with no grace period. All 21 categories of in-scope financial entity became subject to full enforcement from that date. The first Register of Information submissions (documenting ICT vendor contracts) were due 4 April 2025. In November 2025, the ESAs published the first list of 19 Designated Critical Third-Party Providers. National regulators began formal DORA-specific supervisory audits and on-site inspections in 2026. If you have not yet built out your ICT asset inventory and vulnerability scanning programme, you are already operating in breach.

Does DORA apply to small fintech companies?

Yes, with limited exceptions. DORA applies to any financial entity authorised to operate in the EU, regardless of size. Microenterprises (fewer than 10 employees and annual turnover under €2M) qualify for a simplified ICT risk management framework, but still face core obligations including incident reporting and basic risk controls. If your fintech processes payments, issues e-money, provides crypto-asset services, or operates a crowdfunding platform under an EU licence, DORA applies in full. DORA also applies if you are headquartered outside the EU but hold an EU licence — a common structure for fintech companies operating in Ireland, Lithuania, or the Netherlands.

What is DORA's ICT risk management framework?

DORA's ICT risk management framework (Articles 5–16) requires financial entities to maintain a continuous, documented approach to identifying, assessing, and controlling ICT risks. The key obligations are: a board-approved ICT risk strategy reviewed annually (Art. 5); a complete, continuously updated inventory of all ICT assets (Art. 8); continuous monitoring and threat identification across ICT systems (Art. 9); automated vulnerability scanning at least weekly for critical-function assets (Art. 10); and business continuity plans with tested detection and response procedures (Art. 11). The framework is not a one-time audit exercise — DORA requires ongoing, evidenced monitoring that automated ASM tooling is purpose-built to deliver.

Start Your DORA Compliance Assessment Today

See your full ICT attack surface in minutes — the same view your auditor will ask for. No installation, no credit card, no risk.

Trusted by financial institutions across Europe · Free scan takes 60 seconds