EU Regulation 2022/2554

DORA is in force.
Is your ICT resilience ready?

The Digital Operational Resilience Act requires financial entities to manage ICT risks, report incidents within 4 hours, and test operational resilience — or face fines up to 2% of global turnover.

In force since January 17, 2025

Does DORA apply to you?

DORA applies to 21 types of financial entities and their critical ICT third-party service providers. If you operate in the EU financial sector, you are very likely in scope.

Banks: Financial Entity
Insurance: Financial Entity
Investment Firms: Financial Entity
Payment Institutions: Financial Entity
Crypto-Asset Providers: Financial Entity
Fund Managers: Financial Entity
Credit Rating Agencies: Financial Entity
ICT Third-Party Providers: Critical Provider

The cost of non-compliance

Financial entities: 2% of total annual worldwide turnover (administrative fines determined by national competent authorities)

Critical ICT third-party providers: €5M or 1% of average daily worldwide turnover (plus periodic penalty payments for continued non-compliance)

National competent authorities can also restrict or suspend activities and hold management personally accountable.

DORA's 5 pillars — and what SiteGuardian monitors

DORA establishes five pillars for digital operational resilience. SiteGuardian continuously monitors four of them for your web-facing ICT infrastructure.

Art. 5–15: ICT Risk Management (Monitored)

SiteGuardian provides continuous security posture monitoring for your web-facing infrastructure: TLS/SSL validation, certificate lifecycle tracking, vulnerability detection, security header enforcement, DNSSEC verification, and an immutable audit trail to demonstrate risk management governance.

Art. 17–23: ICT Incident Management (Monitored)

SiteGuardian detects incidents in real time, classifies them by severity, and supports DORA-compliant reporting workflows — including the 4-hour initial notification for major ICT-related incidents, 72-hour intermediate reports, and 1-month final reports. Pre-filled incident reports for your national competent authority are generated automatically.

Art. 24–27: Digital Operational Resilience Testing (Monitored)

SiteGuardian runs automated security scans covering TLS configuration, HTTP security headers, DNS hardening, email authentication (DMARC/SPF/DKIM), and certificate validation from multiple geographic regions — providing continuous baseline resilience testing as required by Art. 25.

Art. 28–30: ICT Third-Party Risk Management (Monitored)

SiteGuardian scores supplier security posture across 5 maturity levels, tracks concentration risk for critical ICT providers, monitors third-party TLS and email security, and supports generation of the DORA Information Register (Art. 28(3)) for all contractual arrangements with ICT third-party providers.

Art. 31–44: Oversight of Critical ICT Third-Party Providers

This pillar applies to ICT providers designated as critical by the European Supervisory Authorities (ESAs). The Lead Overseer conducts inspections, issues recommendations, and can impose penalties. SiteGuardian does not cover ESA oversight processes directly.

DORA compliance starts with visibility

Scan your website to assess your ICT security posture. SiteGuardian maps every finding to DORA articles — so you know exactly where you stand.

Free forever for 1 monitor. No credit card required.

Frequently asked questions

What is DORA?
DORA (Regulation 2022/2554) is the EU's Digital Operational Resilience Act. It creates a comprehensive framework for ICT risk management in the financial sector, covering risk governance, incident reporting, resilience testing, third-party risk management, and information sharing. Unlike a directive, DORA is directly applicable in all EU member states.

When did DORA become applicable?
DORA entered into force on January 16, 2023 and has been fully applicable since January 17, 2025. All in-scope financial entities and critical ICT third-party providers must now comply with its requirements.

Does DORA apply to ICT providers?
Yes. DORA applies not only to financial entities but also to their critical ICT third-party service providers — including cloud platforms, SaaS providers, data analytics services, and software vendors. The European Supervisory Authorities (ESAs) designate which providers are considered critical and subject to direct oversight.

What are the incident reporting deadlines under DORA?
For major ICT-related incidents, DORA requires: an initial notification within 4 hours of classification (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within 1 month. SiteGuardian tracks these deadlines automatically and generates pre-filled reports.

How does SiteGuardian help with DORA compliance?
SiteGuardian continuously monitors your web-facing ICT infrastructure for security risks (TLS, headers, DNS, email authentication), detects incidents in real time, runs automated resilience tests from multiple regions, and provides 5-level supplier risk scoring. Findings are mapped to DORA articles, and compliance reports are audit-ready.