DORA
Digital Operational Resilience Act
The Digital Operational Resilience Act establishes a comprehensive regulatory framework for ICT risk management across the European Union financial sector. Effective since January 2025, DORA imposes prescriptive requirements on financial entities and their critical ICT service providers for how operational resilience is governed, tested, and reported.
Regulation Overview
The Digital Operational Resilience Act (Regulation (EU) 2022/2554), adopted 14 December 2022 and applicable from 17 January 2025, establishes uniform requirements for network and information system security across financial entities. As an EU Regulation, DORA applies directly across all Member States, creating a harmonised digital operational resilience framework.
DORA's scope encompasses virtually all regulated financial entities: credit institutions, payment and electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, AIFMs, management companies, insurance undertakings, credit rating agencies, and crowdfunding providers. Critically, DORA also establishes an oversight framework for ICT third-party service providers designated as critical by the European Supervisory Authorities.
For Private Equity firms operating in financial services and Family Offices with structures regulated under AIFMD or MiFID II, DORA creates direct compliance obligations. Even outside DORA's direct scope, portfolio companies providing ICT services to financial entities may become subject to its third-party risk management requirements, creating indirect exposure warranting proactive assessment.
Five Key Pillars
ICT Risk Management
Chapter II requires financial entities to maintain an ICT risk management framework incorporating identification, protection, detection, response and recovery, and learning components. Management bodies bear ultimate responsibility for defining, approving, and overseeing the framework's implementation.
ICT-Related Incident Management
Chapter III requires entities to establish an incident response management process. Incidents must be classified by client impact, data losses, geographic spread, duration, and service criticality. Major incidents must be reported to the competent authority via standardised templates within prescribed timelines.
Digital Operational Resilience Testing
Chapter IV mandates a comprehensive testing programme proportionate to entity size and risk profile, encompassing vulnerability assessments, network security assessments, gap analyses, source code reviews, scenario-based testing, and penetration testing. Significant entities must conduct threat-led penetration testing (TLPT) at least every three years.
ICT Third-Party Risk Management
Chapter V requires entities to manage ICT third-party risk as an integral part of their risk framework. This includes maintaining a register of all ICT service contractual arrangements, pre-contractual provider assessment, mandatory contractual provisions covering service levels, data location and sovereignty, audit rights, and exit strategies, plus ongoing supply chain monitoring.
Information Sharing
Chapter VI enables financial entities to exchange cyber threat intelligence, indicators of compromise, tactics, techniques, and configuration tools within trusted communities. This promotes collective defence and faster identification of emerging threats across the financial sector.
Relationship with NIS2
DORA and NIS2 share common objectives but differ in scope and specificity. NIS2 establishes baseline cybersecurity requirements across 18 sectors, while DORA provides a more prescriptive framework exclusively for financial services. Under lex specialis, DORA takes precedence for entities within both frameworks — financial entities subject to DORA are deemed to comply with corresponding NIS2 requirements.
However, NIS2 may impose obligations beyond DORA's scope, particularly in supply chain security across non-ICT suppliers. For Private Equity firms with mixed portfolios, understanding the interplay is essential for efficient, non-duplicative compliance. Intarmour maps the precise boundaries of each framework across the portfolio, eliminating redundant effort while ensuring complete regulatory coverage.
The convergence also creates opportunities for shared compliance infrastructure. Incident reporting, risk management, supply chain governance, and testing programmes designed for DORA can, with adaptation, serve as the foundation for NIS2 compliance across non-financial portfolio entities.
Penalties and Enforcement
DORA empowers competent authorities to impose administrative penalties and remedial measures. While the regulation does not prescribe specific fine amounts — leaving this to Member State implementation — authorities may require entities to cease non-compliant conduct, take remedial action, issue public statements, and impose penalties under national law.
For critical ICT third-party service providers, the Lead Overseer may impose periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance, for a maximum of six months — creating significant exposure for technology providers serving the financial sector.
Beyond direct penalties, DORA non-compliance creates additional risks: reputational damage, increased supervisory scrutiny, potential activity restrictions, and contractual consequences with clients requiring DORA-compliant providers. For Private Equity-backed financial entities, these cascading consequences can materially impact business value and exit prospects.
Advisory Approach
Intarmour delivers DORA compliance programmes addressing all five pillars through a methodology calibrated to entity size, complexity, and risk profile. We begin with comprehensive gap analysis mapping current practices against DORA requirements, then design an implementation roadmap sequenced for maximum efficiency.
For PE funds with financial sector portfolio companies, we provide portfolio-level assessment and implementation, leveraging shared frameworks where possible while respecting entity-specific regulatory relationships. Our practice encompasses ICT risk management framework design, incident management, resilience testing programme development, third-party risk governance, and information-sharing facilitation.
Where clients also require NIS2 or GDPR compliance, we design integrated programmes addressing all frameworks through unified control implementations, eliminating redundant effort — particularly valuable for mixed portfolios under different regulatory regimes.
Ready for institutional-grade cybersecurity?
Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.